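# BLACKLIST URI rules: outbound HTTP requests (HOME_NET -> EXTERNAL_NET, client->server
# side of an established flow) whose normalized URI matches a URI seen in malware traffic.
# Sticky-buffer form: `http_uri;` / `http_header;` scope the content/pcre options that
# follow them. The listing's line-number prefixes were dropped so each line loads as a rule.
# sid 16924: URI contains "/inst.php?fff=" and "coid=" (both case-insensitive); both IPS
# policies drop.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /inst.php?fff="; flow:to_server,established; http_uri; content:"/inst.php?fff=",nocase; content:"coid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16924.html; classtype:trojan-activity; sid:16924; rev:5; service:http; )
# sid 19493: URI contains "/config.ini" (case-sensitive) and some request header contains
# "3322.org" (|2E| is the hex escape for "."); the header match is not pinned to Host, so
# any header carrying that domain satisfies it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious uri config.ini on 3322.org domain"; flow:to_server,established; http_uri; content:"/config.ini"; http_header; content:"3322|2E|org"; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f72abdad67d82e60386896efdbf84f2f7b560b54c161fb56033224882c51c220-1306543267; classtype:trojan-activity; sid:19493; rev:2; service:http; )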
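# sid 19622 / 19623: same sample (identical VirusTotal reference), two check-in paths.
# The content options narrow the search; the pcre then requires the exact shape
# "<path>?ver=D.D.D+.D&rnd=DDDDD" (\x26 is "&", \d{5} a five-digit value), case-insensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - pte.aspx?ver="; flow:established,to_server; http_uri; content:"/pte.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/pte\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19622; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - vic.aspx?ver="; flow:established,to_server; http_uri; content:"/vic.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/vic\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19623; rev:1; service:http; )
# sid 19625: single case-insensitive substring ".sys.php?getexe=" anywhere in the URI; the
# leading "." means the script name is not pinned (any "*.sys.php" matches).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - .sys.php?getexe="; flow:established,to_server; http_uri; content:".sys.php?getexe=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=ba84f21b6f1879c2d6ce7c600cfb077cee4a172c8e0711e4ce67b32d1b315e82-1310972138; classtype:trojan-activity; sid:19625; rev:1; service:http; )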
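# sid 19626 / 19627: check-in URIs that carry a "mac=" parameter. The pcre fixes the
# parameter order (prj= or mer_seq= first, a single digit, then the remaining parameters
# up to "&mac="); [^\r\n]* keeps the match on the request line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /setup_b.asp?prj="; flow:established,to_server; http_uri; content:"/setup_b.asp?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/setup_b\.asp\?prj=\d\x26pid=[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f99c0b916ad6fea6888fb5029bbf9b7807d0879298efd896298e54f273234cbe-1311680767; classtype:trojan-activity; sid:19626; rev:2; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /r_autoidcnt.asp?mer_seq="; flow:established,to_server; http_uri; content:"/r_autoidcnt.asp?mer_seq=",nocase; content:"&mac=",nocase; pcre:"/\/r_autoidcnt\.asp\?mer_seq=\d[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d8f85e320f2841da5319582ea1020f12e622def611728e5eb076477e3f0aa3b2-1311733307; classtype:trojan-activity; sid:19627; rev:2; service:http; )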
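# sid 19628: fixed path "/1cup/script.php" anywhere in the URI, case-insensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /1cup/script.php"; flow:established,to_server; http_uri; content:"/1cup/script.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=93ae95010d79fbd56f59ee74db5758d2bef5cde451bbbfa7be80fee5023632b5-1310268536; classtype:trojan-activity; sid:19628; rev:1; service:http; )
# sid 19631: content "&AnSSip=" (|26| is "&") pre-filters; the pcre then requires the full
# query shape "/?id=<digits>&AnSSip=", i.e. the script name itself is empty.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - AnSSip="; flow:established,to_server; http_uri; content:"|26|AnSSip=",nocase; pcre:"/\/\?id=\d+\x26AnSSip=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=dd947d749f836851d8878b5d31dacb54110b4c4cafd7ebe8421dbe911a83d358-1309594430; classtype:trojan-activity; sid:19631; rev:1; service:http; )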
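# sid 19632 / 19633: VertexNet check-in (adduser.php) and task poll (tasks.php), same
# sample. The uid value is a brace-delimited token (|7B| / \x7B is "{", \x7D is "}"),
# followed by a parameter starting with "la" and then "&cmpname=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/adduser.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/adduser.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/adduser\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19632; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/tasks.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/tasks.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/tasks\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19633; rev:1; service:http; )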
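# sid 19635: "/app/?prj=<digit>&pid=...&mac=" — same parameter set as sid 19626 but with
# an empty script name; [^\r\n]+ (not *) requires a non-empty pid value here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /app/?prj="; flow:established,to_server; http_uri; content:"/app/?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/app\/\?prj=\d\x26pid=[^\r\n]+\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=444383f00dfb73927bf8835d6c847aa2eba24fe6f0266f397e42fae186d53009-1311274513; classtype:trojan-activity; sid:19636; rev:1; service:http; )
# sid 19636: "/blog/images/3521.jpg?vNN=NN&tq=" — a .jpg path carrying query parameters.
# The interior "/" in the pcre are now escaped (\/) like every other rule in this set; the
# match is unchanged, but it no longer relies on the parser treating the last "/" as the
# closing delimiter. rev bumped for the text change.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /blog/images/3521.jpg?v"; flow:established,to_server; http_uri; content:"/blog/images/3521.jpg?v",nocase; content:"&tq=",nocase; pcre:"/\/blog\/images\/3521\.jpg\?v\d{2}=\d{2}\x26tq=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=adcf7ecf750059f9645dc9dc807f0d1f84df23f03096e41d018edcad725057b1-1311932651; classtype:trojan-activity; sid:19636; rev:3; service:http; )
# sid 19637: "/install.asp?mac=<12 hex chars>&mode" — [A-F\d]{12} with /i is a MAC address
# written without separators.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /install.asp?mac="; flow:established,to_server; http_uri; content:"/install.asp?mac=",nocase; content:"&mode",nocase; pcre:"/\/install\.asp\?mac=[A-F\d]{12}\x26mode/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f0e9e420544f116948b8dfd3d1ed8d156d323684fa6bd58cc87c0ee49320a21c-1311748537; classtype:trojan-activity; sid:19637; rev:2; service:http; )
# sid 19638: "/kx4.txt" with depth 8 — the pattern is exactly 8 bytes, so it must sit at
# the very start of the URI; deeper paths ending in kx4.txt do not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /kx4.txt"; flow:established,to_server; http_uri; content:"/kx4.txt",depth 8,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=1fba1aab5d68fea2d2f0386c63b108d389c2b93d0fbc08ff6071497bb7fb6e1d-1311866840; classtype:trojan-activity; sid:19638; rev:1; service:http; )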
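# sid 19778: "/games/java_trust.php?f=" — note this content is case-sensitive, unlike
# most rules in this set (no nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /games/java_trust.php?f="; flow:established,to_server; http_uri; content:"/games/java_trust.php?f="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blogs.paretologic.com/malwarediaries/index.php/tag/zeus-bot-canada/; classtype:trojan-activity; sid:19778; rev:2; service:http; )
# sid 19882: Win32/Morto.A payload fetch "/160.rar"; short, generic filename, so expect
# some benign hits and use the two references to triage.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /160.rar - Win32/Morto.A"; flow:to_server,established; http_uri; content:"/160.rar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19882; rev:2; service:http; )
# sid 19913: "/optima/index.php" followed (distance 0 = after the previous match) by
# "uid=" then "ver=". No impact_flag here, unlike its neighbours.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - optima/index.php"; flow:to_server,established; http_uri; content:"/optima/index.php",nocase; content:"uid=",distance 0,nocase; content:"ver=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=4f9ea5ce70a9a4cc132eb9635e0c5b7e6265ce94be1ff1e9cfd4198dbebd449b-1294138038; classtype:trojan-activity; sid:19913; rev:1; service:http; )
# sid 23473: JS.Runfore ("runforestrun") injected-script callback "/runforestrun?sid=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for runforestrun - JS.Runfore"; flow:to_server,established; http_uri; content:"/runforestrun?sid="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; reference:url,urlquery.net/search.php?q=runforestrun; classtype:trojan-activity; sid:23473; rev:1; service:http; )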
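# sid 25394-25400: Red October C2 paths (all reference the same Securelist analysis).
# Each is a plain case-sensitive "/cgi-bin/<module>/<cmd>" substring in the URI; the
# seven rules differ only in the path and sid, so they are best tuned as a group.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/nt/th"; flow:to_server,established; http_uri; content:"/cgi-bin/nt/th"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25394; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/nt/sk"; flow:to_server,established; http_uri; content:"/cgi-bin/nt/sk"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25395; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/dllhost/ac"; flow:to_server,established; http_uri; content:"/cgi-bin/dllhost/ac"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25396; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/ms/check"; flow:to_server,established; http_uri; content:"/cgi-bin/ms/check"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25397; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/ms/flush"; flow:to_server,established; http_uri; content:"/cgi-bin/ms/flush"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25398; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/win/wcx"; flow:to_server,established; http_uri; content:"/cgi-bin/win/wcx"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25399; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/win/cab"; flow:to_server,established; http_uri; content:"/cgi-bin/win/cab"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25400; rev:1; service:http; )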
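# BROWSER-IE sid 26935-26937: a request whose URI contains an executable-looking
# extension followed by a dot (".exe.", ".html.", ".bat.") from a User-Agent that
# reports MSIE 5 or 6. The header content "MSIE " pre-filters; the pcre (m = ^ matches
# at each header line, i = case-insensitive) then pins it to the User-Agent line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".exe."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26935; rev:2; service:http; )
# sid 26936: the pcre previously read "MSIE[56]" (no space). Real UA strings are
# "MSIE 6.0", and the rule's own content match requires "MSIE " with the space, so the
# regex could never be satisfied and the rule was dead. Aligned with 26935/26937 and
# rev bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".html."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26936; rev:3; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".bat."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26937; rev:2; service:http; )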
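# EXPLOIT-KIT Blackhole. Several of these rules only set the kit.blackhole flowbit and
# suppress their own alert (flowbits:noalert); a later rule on the same flow is expected
# to test the bit and raise the alert. Disabling a noalert rule therefore also silences
# its consumers.
# sid 23849: redirector "?page=<16 hex>" — sets kit.blackhole, no alert of its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; http_uri; content:"?page="; pcre:"/\?page\=[a-f0-9]{16}/smi"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:impact_flag red,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23849; rev:5; service:http; )
# sid 23622: landing page ".php?...src=N&gpr=N&tkr=" (tkr may be tkri/tkrb). The content
# chain uses distance 0 so the parameters must appear in this order; "&tkr=" carries
# fast_pattern because it is the most distinctive substring.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole landing page request - tkr"; flow:to_server,established; http_uri; content:".php?"; content:"src=",distance 0; content:"&gpr=",distance 0; content:"&tkr=",distance 0,fast_pattern; pcre:"/src=\d+&gpr=\d+&tkr[ib]?=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,urlquery.net/report.php?id=90530; classtype:trojan-activity; sid:23622; rev:4; service:http; )
# sid 22949: "src.php?case=<16 hex>" — sets kit.blackhole and, unlike 23849, also alerts
# and drops.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; http_uri; content:"src.php?case="; pcre:"/src.php\?case\=[a-f0-9]{16}/smi"; flowbits:set,kit.blackhole; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22949; rev:3; service:http; )
# sid 21660 / 21659: landing pages "/Index/index.php" and "/Home/index.php", flowbit-only
# (noalert). 21659 additionally requires the raw URI to be exactly 15 bytes
# (bufferlen:15 == len("/Home/index.php")), so any query string or longer path is excluded;
# 21660 has no such length check.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Landing Page Requested - /Index/index.php"; flow:to_server,established; http_uri; content:"/Index/index.php"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21660; rev:4; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Landing Page Requested - /Home/index.php"; flow:to_server,established; http_raw_uri; bufferlen:15; http_uri; content:"/Home/index.php"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21659; rev:4; service:http; )
# sid 21343: PDF exploit fetch "adp<optional digit>.php?f=" / "?e=". "adp" is the
# fast_pattern; ".php?" must start 1 byte after it and lie within the next 5 bytes
# (distance 1, within 5), i.e. at most one character between "adp" and ".php?". Sets a
# separate blackhole.pdf flowbit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf request"; flow:to_server,established; http_uri; content:"adp",fast_pattern; content:".php?",within 5,distance 1,nocase; pcre:"/adp\d?\.php\?[fe]=/"; flowbits:set,blackhole.pdf; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21343; rev:5; service:http; )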
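# EXPLOIT-KIT Nuclear Pack. Both rules pin the raw URI length with bufferlen and then
# match the exact shape with an end-anchored pcre, which keeps false positives low:
# sid 23157: "/g/" + 9 digits + "/" + 32 hex + "/" + 1 digit = 47 bytes (bufferlen:47).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI Nuclear Pack exploit kit binary download"; flow:to_server,established; http_uri; content:"/g/",depth 3; http_raw_uri; bufferlen:47; http_uri; pcre:"/g\/\d{9}\/[0-9a-f]{32}\/[0-9]$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23157.txt; classtype:trojan-activity; sid:23157; rev:6; service:http; )
# sid 23156: "/index.php?" + 32 hex = 43 bytes (bufferlen:43). NOTE(review): this is the
# only rule in the set whose destination port is "any" rather than $HTTP_PORTS; likely
# deliberate (landing pages on non-standard ports) but worth confirming, since it widens
# the traffic the HTTP inspector must classify for this rule to apply.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"EXPLOIT-KIT URI Nuclear Pack exploit kit landing page"; flow:to_server,established; http_uri; content:"/index.php?"; http_raw_uri; bufferlen:43; http_uri; pcre:"/index.php\?[0-9a-f]{32}$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,labs.snort.org/docs/23156.txt; classtype:bad-unknown; sid:23156; rev:6; service:http; )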
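# sid 21348: Blackhole "search.php?page=<16 hex>" at end of URI ($ anchor); sets
# kit.blackhole and alerts/drops itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI possible Blackhole URL - search.php?page="; flow:to_server, established; http_uri; content:"/search.php?page="; pcre:"/search\.php\?page=[a-f0-9]{16}$/"; flowbits:set,kit.blackhole; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21348; rev:4; service:http; )
# sid 21099: Crimepack PDF fetch "/pdf.php?pdf=<HEX>&type=N&o=...&b=" — parameter order is
# fixed by the pcre; the hex class is upper-case only and the pcre is case-sensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimepack exploit kit malicious pdf request"; flow:to_server, established; http_uri; content:"/pdf.php?pdf="; pcre:"/pdf\.php\?pdf=[0-9A-F]+&type=\d+&o=[^&]+&b=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21099; rev:4; service:http; )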
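# EXPLOIT-KIT RedKit. These four are policy "alert" (not drop) in both IPS policies.
# sid 23218: "images.php?t=<2-7 digits>", alerting only after 5 such requests from one
# source within 15 s (detection_filter track by_src) — a repeated-request pattern rather
# than a single hit. NOTE(review): the pcre anchors with "^images.php" but the normalized
# http_uri buffer normally begins with "/", and the sibling rules below anchor with "^\/";
# confirm this rule fires on live traffic before relying on it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Repeated Exploit Request Pattern"; flow:to_server,established; http_uri; content:"images.php?t="; pcre:"/^images.php\?t=\d{2,7}$/"; detection_filter:track by_src, count 5, seconds 15; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,labs.snort.org/docs/23218.txt; classtype:trojan-activity; sid:23218; rev:7; service:http; )
# sid 23219: whole URI is "/<1-2 word chars>/<1-3 word chars>.class" (Java class fetch).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit Java Exploit request to .class file"; flow:to_server,established; http_uri; content:".class"; pcre:"/^\/\w{1,2}\/\w{1,3}\.class$/"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23219; rev:5; service:http; )
# sid 23220: whole URI is "/<5 digits>.jar", 10 bytes (bufferlen:10 matches the pcre).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Java Exploit Requested - 5 digit jar"; flow:to_server,established; http_raw_uri; bufferlen:10; http_uri; content:".jar"; pcre:"/^\/[0-9]{5}\.jar$/"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23220; rev:4; service:http; )
# sid 23224: landing page "/<8 digits>.html", 14 bytes (bufferlen:14). Sets kit.redkit
# with noalert — a follow-up rule is expected to raise the alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT RedKit Landing Page Requested - 8Digit.html"; flow:to_server,established; http_raw_uri; bufferlen:14; http_uri; content:".html"; pcre:"/^\/[0-9]{8}\.html$/"; flowbits:set,kit.redkit; flowbits:noalert; metadata:service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23224; rev:5; service:http; )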
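# EXPLOIT-KIT Bleeding Life v2 (sid 21678-21686). The kit selects an exploit module via
# ".php?e=<module>"; one rule per module name seen in the kit, all case-sensitive plain
# content matches with a single shared reference. Tune as a group.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-2008-2992"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21678; rev:3; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call attempt"; flow:to_server,established; http_uri; content:".php?e=Adobe-2010-1297"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21679; rev:4; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-2010-2884"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21680; rev:3; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-80-2010-0188"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21681; rev:3; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Adobe-90-2010-0188"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21682; rev:3; service:http; )
# sid 21683 ("Java-2010-0842Helper") is a superset of sid 21684 ("Java-2010-0842"): a
# Helper request satisfies both contents and will raise both alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-0842Helper"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21683; rev:3; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-0842"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21684; rev:3; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=Java-2010-3552"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21685; rev:3; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Bleeding Life exploit module call"; flow:to_server,established; http_uri; content:".php?e=JavaSignedApplet"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21686; rev:3; service:http; )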
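# sid 20558: ZeroAccess-associated check-in "/stat2.php?w=<digits>&i=<32 hex>&a=<digits>"
# (per the Symantec whitepaper reference). Content pre-filters on "/stat2.php?w=" then "i="
# after it; the pcre enforces the parameter order and the 32-hex id.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT URI request for known malicious URI /stat2.php"; flow:to_server,established; http_uri; content:"/stat2.php?w=",nocase; content:"i=",distance 0,nocase; pcre:"/stat2\.php\?w=\d+\x26i=[0-9a-f]{32}\x26a=\d+/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf; reference:url,www.virustotal.com/file-scan/report.html?id=567e2dcde3c182056ef6844ef305e1f64d4ce1bf3fa09d8cdc019cca5e73f373-1318617183; reference:url,www.virustotal.com/file/8380bd105559643c88c9eed02ac16aef82a16e62ef82b72d3fa85c47b5441dc7/analysis/; classtype:trojan-activity; sid:20558; rev:6; service:http; )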
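# EXPLOIT-KIT Eleanore / Crimepack.
# sid 21070: "/pdf.php" in the URI while a request *header* carries "?spl=2" and the
# full "?spl=N&br=...&vers=...&s=" query (presumably the Referer from the landing page —
# the rule does not name the header; confirm against a capture before tuning).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit pdf exploit page request"; flow:to_server, established; http_header; content:"?spl=2"; http_uri; content:"/pdf.php"; http_header; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21070; rev:3; service:http; )
# sid 21071: post-exploit fetch "load.php?spl=<module>" where <module> is one of the kit's
# exploit names enumerated in the pcre alternation (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit post-exploit page request"; flow:to_server, established; http_uri; content:"load.php?spl="; pcre:"/load\.php\?spl=(Spreadsheet|DirectX_DS|MS09-002|MS06-006|mdac|RoxioCP v3\.2|wvf|flash|Opera_telnet|compareTo|jno|Font_FireFox|pdf_exp|aol|javad|ActiveX_pack)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21071; rev:4; service:http; )
# sid 21097: Crimepack payload fetch — URI starts with "/load.php?spl=" (^ anchor) followed
# by &b=, &o=, &i= in that order. Shares the "load.php?spl=" prefix with sid 21071, so the
# two can fire together on a URI that fits both; classtype successful-user is the stronger
# of the two.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimepack exploit kit post-exploit download request"; flow:to_server, established; http_uri; content:"/load.php?spl="; pcre:"/^\/load\.php\?spl=[^&]+&b=[^&]+&o=[^&]+&i=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:successful-user; sid:21097; rev:3; service:http; )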
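# EXPLOIT-KIT Crimeboss (sid 24232-24234). All three require the "/cr1m3/" directory
# (case-sensitive) and then a "php?<param>=" query; the pcre anchors the last parameter to
# the end of the URI ($), so trailing parameters break the match.
# sid 24232: "php?action=...&h=<5 digits>".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?action=",nocase; content:"&h=",distance 0,nocase; pcre:"/\&h=\d{5}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24232; rev:3; service:http; )
# sid 24233: "php?setup=<one letter>" at end of URI. sid 24234 below matches a superset
# ("setup=<letter>&s=<digit>&r=<5 digits>"), so the two do not overlap.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?setup=",nocase; pcre:"/setup=[a-z]$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24233; rev:2; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; http_uri; content:"/cr1m3/"; content:"php?setup=",nocase; content:"&s=",distance 0,nocase; content:"&r=",distance 0,nocase; pcre:"/setup=[a-z]\&s=\d\&r=\d{5}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24234; rev:3; service:http; )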
# --- Blackhole / Blackhole v2 ----------------------------------------------
# sid 24501: v2 fallback payload fetch "/adobe/update_flash_player.exe"
# (fixed path, no other constraint).
00741 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole v2 fallback executable download"; flow:to_server,established; http_uri; content:"/adobe/update_flash_player.exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:24501; rev:2; service:http; )
# sid 24543 / 24544: the kit's admin panel "/bhadmin.php" requested inbound
# to $HOME_NET (someone probing our web servers for a panel) and outbound
# from $HOME_NET (an internal host operating or scanning for a panel).
# Both are classtype misc-activity and are in connectivity-ips drop as well.
00742 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole admin page inbound access attempt"; flow:to_server,established; http_uri; content:"/bhadmin.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24543; rev:2; service:http; )
00743 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole admin page outbound access attempt"; flow:to_server,established; http_uri; content:"/bhadmin.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24544; rev:2; service:http; )
# sid 24638: v2 redirection - URI "/forum/links/column.php" plus a header
# line ending in ".ru:8080" (the trailing "|0D 0A|" pins the port to the end
# of the header line; presumably this is the Host header).
00751 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 redirection successful"; flow:to_server,established; http_uri; content:"/forum/links/column.php"; http_header; content:".ru|3A|8080|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24638; rev:3; service:http; )
# --- CritX (ex-Vintage) pack, dontneedcoffee write-up -----------------------
# sid 24785: "/i.php?token=" - a short, generic URI with no further
# constraint; the msg says "possible" redirection yet the rule is in drop
# policy, so expect to tune it (suppress/threshold) if benign apps hit it.
00756 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit possible redirection attempt"; flow:to_server,established; http_uri; content:"/i.php?token="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24785; rev:1; service:http; )
# sid 24788: PDF exploit request "p3.php?t=u...&oh=".
00759 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit PDF Exploit request structure"; flow:to_server,established; http_uri; content:"p3.php?t=u"; content:"&oh=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24788; rev:2; service:http; )
# sid 24790: payload (PE) request "load.php?e=u...&token=".
00761 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Portable Executable request"; flow:to_server,established; http_uri; content:"load.php?e=u"; content:"&token=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24790; rev:2; service:http; )
# Sibhost JAR download: the whole URI is "/<33 alphanumerics>?s=<digit>&m=<digit>".
# The content pair ("?s=" then "&m=" at distance 1, within 3 - i.e. exactly
# one byte between them) is a cheap pre-filter before the anchored pcre.
00767 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sibhost Exploit Kit outbound JAR download attempt"; flow:to_server,established; http_uri; content:"?s="; content:"&m=",within 3,distance 1; pcre:"/^\x2f[A-Za-z0-9]{33}\?s=\d\&m=\d$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:24841; rev:3; service:http; )
# --- ProPack ---------------------------------------------------------------
# sid 24977: fixed path "/build2/serge/opafv.php" (also in connectivity-ips drop).
00775 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT ProPack Exploit Kit outbound connection attempt"; flow:to_server,established; http_uri; content:"/build2/serge/opafv.php"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,urlquery.net/search.php?q=build2%2Fserge&type=string&start=2012-11-22&end=2012-12-07&max=50; reference:url,www.malwaredomainlist.com/mdl.php?search=build2%2Fserge&colsearch=Domain&quantity=50&inactive=on; classtype:trojan-activity; sid:24977; rev:1; service:http; )
# sid 24978: payload request ".php?j=1&k=<digit>" from a Java client
# (" Java/1" in http_header, i.e. the JRE User-Agent).
# NOTE(review): the pcre's optional tail "(i=[0-9])?" has no "&" before
# "i=", so with the "$" anchor only "...&k=1" or "...&k=1i=2" match and
# "...&k=1&i=2" does not. Looks like a typo for "(&i=[0-9])?" - confirm
# against samples before changing it.
00776 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT ProPack Exploit Kit outbound payload request"; flow:to_server,established; http_uri; content:".php?j=1&k="; http_header; content:" Java/1"; http_uri; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24978; rev:1; service:http; )
# sid 24979: fixed directory "/build/agrde/".
00777 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT ProPack Exploit Kit outbound connection"; flow:to_server,established; http_uri; content:"/build/agrde/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24979; rev:1; service:http; )
# Blackhole v2 URL structure: ".php?<2-8 letters>=xx:xx:xx:xx:xx&<2-8 letters>="
# - five 2-character alphanumeric groups joined by ":" as the first query
# value. The chained "|3A|" contents (within/distance) cheaply pre-position
# on the colon pattern; the final http_uri pcre is the authoritative check.
# NOTE(review): "pkt_data; content:"&",distance 0;" switches from the
# normalized URI buffer to the raw packet payload for one relative match -
# confirm on the deployed Snort version that the relative anchor carries
# across the buffer switch the way the author intended.
00780 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 url structure detected"; flow:to_server,established; http_uri; content:".php?"; content:"|3A|",within 7,distance 2; content:"|3A|",within 1,distance 2; content:"|3A|",within 1,distance 2; content:"|3A|",within 1,distance 2; pkt_data; content:"&",distance 0; http_uri; pcre:"/\.php\?[a-z]{2,8}=[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\&[a-z]{2,8}=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25043; rev:1; service:http; )
# Cool EK payload request "/f.php?k=<digit>". Generic URI in drop policy -
# a benign "f.php" with a numeric k parameter will be blocked too.
00782 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Cool Exploit Kit requesting payload"; flow:to_server,established; http_uri; content:"/f.php?k="; pcre:"/\/f\.php\?k=\d/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/10/newcoolek.html; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:25045; rev:2; service:http; )
# CritX exploit downloads. The Java 6 / Java 7 rules ("/j16.php?i=",
# "/j17.php?i=") additionally require a JRE User-Agent (" Java/1." in
# http_header), which is what a JAR fetched by the applet loader sends; the
# PDF library exploit "/lpdf.php?i=" has no UA constraint.
00783 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java V6 exploit download"; flow:to_server,established; http_uri; content:"/j16.php?i="; http_header; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25046; rev:2; service:http; )
00784 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java V7 exploit download"; flow:to_server,established; http_uri; content:"/j17.php?i="; http_header; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25047; rev:2; service:http; )
00785 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit PDF Library exploit download"; flow:to_server,established; http_uri; content:"/lpdf.php?i="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25048; rev:2; service:http; )
# --- Styx -------------------------------------------------------------------
# sid 25136: plugin-detection page - URI ends in "/pdfx.html" and the raw
# URI length is in the 86<>261 range (bufferlen is checked on http_raw_uri
# before the cursor moves to http_uri for the content/pcre).
00786 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/pdfx.html"; pcre:"/\/pdfx\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25136; rev:4; service:http; )
# sid 25140: payload fetch "/<150+ alphanumerics>/getmyfile.exe?o=1&h=11" at
# the end of the URI; bufferlen:>150 on the raw URI is a cheap pre-filter
# so the {150,} pcre only runs on long URIs.
00787 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit exe outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:>150; http_uri; content:"/getmyfile.exe?o=1&h="; pcre:"/\/[a-zA-Z0-9]{150,}\/getmyfile\.exe\?o=1\&h=11$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25140; rev:2; service:http; )
# Blackhole v2 redirection, second known path: "/forum/links/public_version.php"
# plus a header line ending ".ru:8080" (same shape as sid 24638).
00797 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 redirection successful"; flow:to_server,established; http_uri; content:"/forum/links/public_version.php"; http_header; content:".ru|3A|8080|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25388; rev:1; service:http; )
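# Red Dot JAR retrieval: the raw URI is exactly 6 bytes, "/f.jar" or "/x.jar"
# (content "/" then ".jar" one byte later, within 4).
# rev 2 fix: the original pcre "/\/\[fx]\.jar$/" escaped the "[", turning
# the intended character class into the literal text "[fx].jar" - which can
# never fit in a 6-byte URI, so the rule could not fire at all. The class is
# now "[fx]" and the pattern is anchored at the start of the URI to agree
# with the bufferlen check.
00801 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Red Dot java retrieval attempt"; flow:to_server,established; http_raw_uri; bufferlen:6; http_uri; content:"/"; content:".jar",within 4,distance 1; pcre:"/^\/[fx]\.jar$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25539; rev:2; service:http; )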
# Red Dot executable retrieval:
# "/load.php?guid=..&thread=..&exploit=<1 char>&version=..." - "&version="
# must start exactly one byte after "&exploit=" (distance 1, within 9), so
# the exploit identifier is a single character.
# NOTE(review): the trailing "pkt_data; content:"&rnd=",distance 0;" moves to
# the raw packet buffer for the last relative match - confirm on the deployed
# Snort version that the relative offset is what the author intended.
00802 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Red Dot executable retrieval attempt"; flow:to_server,established; http_uri; content:"/load.php?guid=",nocase; content:"&thread=",distance 0,nocase; content:"&exploit=",distance 0,nocase; content:"&version=",within 9,distance 1,nocase; pkt_data; content:"&rnd=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25540; rev:1; service:http; )
# JDB EK landing page: URI ends in "/jdb/inf.php?id=<32 hex>"; bufferlen:>33
# on the raw URI pre-filters (the fixed part alone is 16 bytes, plus 32 hex).
00804 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT JDB Exploit kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>33; http_uri; content:"/jdb/inf.php?id="; pcre:"/\/jdb\/inf\.php\?id=[a-f0-9]{32}$/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25559; rev:1; service:http; )
# sid 25568: Blackhole landing page "/<32 hex>/q.php"; bufferlen:>32 on the
# raw URI pre-filters. Requests with "siteadvisor.com" anywhere in the
# headers are excluded (negated http_header content) - presumably to keep
# the McAfee SiteAdvisor crawler from tripping a drop rule; confirm that
# exclusion is still wanted, since it is a trivial evasion for anyone who
# adds that string to a header.
00807 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>32; http_uri; content:"/q.php"; pcre:"/\/[a-f0-9]{32}\/q\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:3; service:http; )
# sid 25611: Blackhole v2 redirection, third known path "/forum/links/news.php"
# plus a header line ending ".ru:8080" (same shape as 24638 / 25388).
00811 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 redirection successful"; flow:to_server,established; http_uri; content:"/forum/links/news.php"; http_header; content:".ru|3A|8080|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25611; rev:1; service:http; )
# --- Whitehole --------------------------------------------------------------
# sid 25804: initial redirect "/?java=<2-4 digits>" - a root URI with a
# single numeric parameter; short and generic, so watch it for false
# positives given the drop policy and impact_flag red.
00814 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Whitehole exploit kit initial redirection successful"; flow:to_server,established; http_uri; content:"/?java="; pcre:"/\/\?java\=[0-9]{2,4}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25804; rev:2; service:http; )
# sid 25805: Java exploit fetch "/Java[NN].jar?java=<2 digits>" (optional one
# or two digits after "Java").
00815 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval"; flow:to_server,established; http_uri; content:"/Java"; content:".jar?java="; pcre:"/\/Java([0-9]{1,2})?\.jar\?java=[0-9]{2}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25805; rev:2; service:http; )
# --- CritX, malwaresigs write-up (fixed-path rules, no UA constraint) ------
# sid 25821: plugin-detection script "/js/rdps.js".
00818 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit possible plugin detection attempt"; flow:to_server,established; http_uri; content:"/js/rdps.js"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25821; rev:1; service:http; )
# sid 25822: malicious PDF "/p5.php?t=".
00819 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit malicious PDF retrieval"; flow:to_server,established; http_uri; content:"/p5.php?t="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25822; rev:1; service:http; )
# sid 25823: Java 5 exploit "/j15.php?i=" - unlike the j16/j17 rules
# (25046/25047) this one does not require a Java User-Agent.
00820 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java V5 exploit download"; flow:to_server,established; http_uri; content:"/j15.php?i="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25823; rev:1; service:http; )
# sid 25824: payload "/i8.php?jquery=".
00821 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit malicious payload retrieval"; flow:to_server,established; http_uri; content:"/i8.php?jquery="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25824; rev:1; service:http; )
# Cool EK PDF exploit: the URI starts with "/world/" (depth 7, fast_pattern)
# and names a ".pdf" in that directory with no further "/" in between, AND
# the Referer header value also contains "/world/" - i.e. the PDF is fetched
# from the same directory the landing page was served from.
00822 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Cool Exploit Kit PDF exploit"; flow:to_server,established; http_uri; content:"/world/",depth 7,fast_pattern; content:".pdf",distance 0,nocase; http_header; content:"Referer|3A 20|"; http_uri; pcre:"/\/world\/[^\x2f]*\.pdf/i"; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/world\//"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25857; rev:6; service:http; )
# Sibhost: a fixed 32-character token observed in the kit's URIs. Pure
# string indicator - it will go stale as soon as the operators rotate it.
00834 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; http_uri; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:3; service:http; )
# --- Crimeboss, 2013 URI changes -------------------------------------------
# sid 26034 / 26035: statistics callbacks ".php?action=stats_access" and
# ".php?action=stats_javaon" (the kit reporting landing-page hits and Java
# availability back to its panel).
00837 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - stats access"; flow:to_server,established; http_uri; content:".php?action=stats_access"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26034; rev:1; service:http; )
00838 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - java on"; flow:to_server,established; http_uri; content:".php?action=stats_javaon"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26035; rev:1; service:http; )
# sid 26036: Java exploit "/amor[NN].jar" at the start of the URI (".jar"
# within 6 bytes of "/amor" allows up to two digits), fetched with a JRE
# User-Agent (" Java/" in http_header).
00839 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java Exploit"; flow:to_server,established; http_uri; content:"/amor",fast_pattern; content:".jar",within 6; http_header; content:" Java/"; http_uri; pcre:"/^\/amor\d{0,2}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26036; rev:1; service:http; )
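# Crimeboss Java exploit download "/jhan.jar?r=<digits>" at the start of the URI.
# rev 2 fix: the original pcre "/^\/jhan.jar?r=\d+/i" left "." and "?"
# unescaped, so "jar?" made the "r" optional and "r=" then had to match the
# literal "?" in the URI - the pattern could never match "/jhan.jar?r=123",
# and because the pcre is ANDed with the content match the rule never fired.
# "." and "?" are now escaped so the pcre agrees with the content string.
00841 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; http_uri; content:"/jhan.jar?r="; pcre:"/^\/jhan\.jar\?r=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26038; rev:2; service:http; )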
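# Crimeboss Java exploit download "/jmx.jar?r=<digits>" at the start of the URI.
# rev 2 fix: same defect as sid 26038 - the original pcre "/^\/jmx.jar?r=\d+/i"
# left "." and "?" unescaped, so "jar?" made the "r" optional and "r=" had to
# match the literal "?" in the URI; the pattern could never match
# "/jmx.jar?r=123" and the rule never fired. Both characters are now escaped.
00842 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; http_uri; content:"/jmx.jar?r="; pcre:"/^\/jmx\.jar\?r=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26039; rev:2; service:http; )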
# sid 26040 / 26041 / 26043: payload fetched by the JRE (" Java/1" in
# http_header) under a non-executable filename - "/Plugin.cpl", "/x4.gif",
# "/Instal.jpg"; the msg identifies these as PE downloads.
00843 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt"; flow:to_server,established; http_uri; content:"/Plugin.cpl"; http_header; content:" Java/1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26040; rev:1; service:http; )
00844 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt"; flow:to_server,established; http_uri; content:"/x4.gif"; http_header; content:" Java/1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26041; rev:1; service:http; )
# sid 26042: statistics callback ".php?action=stats_loaded".
00845 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - stats loaded"; flow:to_server,established; http_uri; content:".php?action=stats_loaded"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26042; rev:1; service:http; )
00846 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable executable download attempt"; flow:to_server,established; http_uri; content:"/Instal.jpg"; http_header; content:" Java/1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26043; rev:1; service:http; )
# sid 26044: redirection ".php?action=jv&h=<digits>".
00847 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - redirection attempt"; flow:to_server,established; http_uri; content:".php?action=jv&h="; pcre:"/\.php\?action=jv\&h=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26044; rev:1; service:http; )
# sid 26045: setup ".php?setup=d&s=<digits>&r=<digits>" - the newer form of
# the "/cr1m3/" setup URI (24234) without the directory requirement.
00848 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Crimeboss exploit kit - setup"; flow:to_server,established; http_uri; content:".php?setup=d&s="; pcre:"/\.php\?setup=d\&s=\d+\&r=\d+/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26045; rev:2; service:http; )
# sid 26227: Blackhole landing page with the shorter "/<16 hex>/q.php" path
# (bufferlen:>16 on the raw URI); same "siteadvisor.com" header exclusion
# as 25568 - see the caveat there.
00861 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>16; http_uri; content:"/q.php"; pcre:"/\/[a-f0-9]{16}\/q\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26227; rev:2; service:http; )
# sid 26339: Blackhole landing page "/<16 or 32 hex>/ff.php"; no header
# exclusion on this one.
00876 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval - ff.php"; flow:to_server,established; http_raw_uri; bufferlen:>16; http_uri; content:"/ff.php"; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/ff\.php/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26339; rev:1; service:http; )
# --- Redkit -----------------------------------------------------------------
# Landing pages (26345 / 26383 / 26384): the whole URI is
# "/<4 letters>.html?<h|i|j>=<6-7 digits>", which is 19-20 bytes - hence the
# bufferlen:18<>21 pre-filter on the raw URI. Three rules, one per parameter
# name, rather than one pcre with [hij].
00881 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; http_raw_uri; bufferlen:18<>21; http_uri; content:".html?h="; pcre:"/\/[a-z]{4}\.html\?h\=\d{6,7}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26345; rev:3; service:http; )
# sid 26350: successful redirection "/count<2 digits>.php" at the end of the
# URI (".php" at distance 2 / within 4 after "/count" pins the two digits).
00885 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit successful redirection"; flow:to_server,established; http_uri; content:"/count"; content:".php",within 4,distance 2; pcre:"/\/count\d{2}\.php$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26350; rev:2; service:http; )
00888 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; http_raw_uri; bufferlen:18<>21; http_uri; content:".html?i="; pcre:"/\/[a-z]{4}\.html\?i\=\d{6,7}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26383; rev:2; service:http; )
00889 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; http_raw_uri; bufferlen:18<>21; http_uri; content:".html?j="; pcre:"/\/[a-z]{4}\.html\?j\=\d{6,7}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26384; rev:2; service:http; )
# Linux/Cdorked (backdoored Apache/cPanel httpd) redirecting a visitor to a
# Blackhole host: URI "/info/last/index.php" with a Host header whose first
# label is 63-64 hex characters (the "/m" flag lets "^Host:" match at the
# start of any header line).
00901 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt"; flow:to_server,established; http_uri; content:"/info/last/index.php"; http_header; pcre:"/^Host:\s*?[a-f0-9]{63,64}\./im"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26527; rev:1; service:http; )
# Stamp EK payload download: "/elections.php?" followed by exactly ten
# "<alnum>=<1-3 digits>" parameters (nine with a trailing "&", then the last
# one at end of URI), fetched with a JRE User-Agent (" Java/1.").
00902 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Stamp Exploit Kit portable executable download"; flow:to_server,established; http_uri; content:"/elections.php?"; http_header; content:" Java/1."; http_uri; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:1; service:http; )
# Multiple kits, JNLP click-to-play bypass: "php?jnlp=<10 hex>" where the
# token is either the end of the URI or followed by a comma.
00909 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Multiple Exploit kit successful redirection - jnlp bypass"; flow:to_server,established; http_uri; content:"php?jnlp="; pcre:"/php\?jnlp\=[a-f0-9]{10}($|\x2c)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26541; rev:3; service:http; )
# Redkit short JNLP: the whole URI is "/<1-4 alphanumerics>.jnlp". Any
# legitimately short root-level .jnlp will also match, and the rule is in
# drop policy - tune per environment if Java Web Start apps are in use.
00918 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit short JNLP request"; flow:to_server,established; http_uri; content:".jnlp"; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26806; rev:1; service:http; )
# Blackhole v2 gate used by the LinkedIn-themed mail campaign: the normalized
# URI is exactly "/linkendorse.html" (17 bytes; note bufferlen is applied to
# http_uri here, not http_raw_uri as in the other rules). No reference.
00921 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; http_uri; bufferlen:17; content:"/linkendorse.html"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26814; rev:1; service:http; )
# Sweet Orange landing page: "/in.php" ... "&q=" ... "==" - the trailing "=="
# is base64 padding on the q parameter, which is what the msg refers to.
00922 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sweet Orange landing page in.php base64 uri"; flow:to_server,established; http_uri; content:"/in.php"; content:"&q=",distance 0; content:"==",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:2; service:http; )
# Blackhole v2 gate used by the NatPay-themed mail campaign: URI contains
# "/natpay.html?" (a query string must follow). No reference.
00923 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; http_uri; content:"/natpay.html?"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26838; rev:1; service:http; )
# --- Flashpack / SafePack / CritX lineage ----------------------------------
# sid 26894: Java 6 exploit "/j161.php?i=" with any JRE User-Agent (" Java/1.").
00927 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Java V6 exploit download"; flow:to_server,established; http_uri; content:"/j161.php?i="; http_header; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26894; rev:1; service:http; )
# sid 26895: Java 7 exploit "/j07.php?i=" - this one pins the UA to " Java/1.7".
00928 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Java V7 exploit download"; flow:to_server,established; http_uri; content:"/j07.php?i="; http_header; content:" Java/1.7"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26895; rev:1; service:http; )
# sid 26896: plugin-detection response "/gate.php?ver=..&p=..&j=..&f=" (the
# parameters must appear in that order).
00929 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit Plugin detection response"; flow:to_server,established; http_uri; content:"/gate.php?ver="; content:"&p=",distance 0; content:"&j=",distance 0; content:"&f=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26896; rev:1; service:http; )
# sid 26897: malware download "/load.php?e=..&ip=". Fairly generic pair;
# keep an eye on it in drop policy.
00930 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit malware download"; flow:to_server,established; http_uri; content:"/load.php?e="; content:"&ip=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26897; rev:1; service:http; )
00934 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; http_uri; content:"/?f=s"; content:"&k=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:26950; rev:4; service:http; )
00935 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache Exploit Kit Malvertising Campaign URI request"; flow:to_server,established; http_uri; content:"/.cache/?f=",fast_pattern; content:".jar"; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:2; service:http; )
00936 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 1"; flow:to_server,established; http_uri; content:".php?exp=byte&b="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26956; rev:1; service:http; )
00937 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 2"; flow:to_server,established; http_uri; content:".php?exp=lib&b="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26957; rev:1; service:http; )
00938 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 3"; flow:to_server,established; http_uri; content:".php?exp=atom&b="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26958; rev:1; service:http; )
00939 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 4"; flow:to_server,established; http_uri; content:".php?exp=rhino&b="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26959; rev:1; service:http; )
00943 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; http_uri; content:".php?b="; content:"&v=1.",distance 0; pcre:"/\.php\?b=[A-F0-9]+&v=1\./"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26985; rev:1; service:http; )
00946 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection jorg"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/jorg.html"; pcre:"/\/jorg\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:1; service:http; )
00947 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection jlnp"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/jlnp.html"; pcre:"/\/jlnp\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:1; service:http; )
00948 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx Exploit Kit plugin detection connection jovf"; flow:to_server,established; http_raw_uri; bufferlen:86<>261; http_uri; content:"/jovf.html"; pcre:"/\/jovf\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:2; service:http; )
00952 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>16; http_uri; content:"/a.php"; pcre:"/\/[a-f0-9]{16}\/a\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27071; rev:1; service:http; )
00953 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; http_raw_uri; bufferlen:>32; http_uri; content:"/a.php"; pcre:"/\/[a-f0-9]{32}\/a\.php/"; http_header; content:!"siteadvisor.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27072; rev:1; service:http; )
00956 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit Firefox exploit download - autopwn"; flow:to_server,established; http_uri; content:"/ff_svg/1.bin"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0757; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27080; rev:1; service:http; )
00957 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit Internet Explorer exploit download - autopwn"; flow:to_server,established; http_uri; content:"/ie_exec/2.html"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27081; rev:1; service:http; )
00958 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit flash remote code execution exploit download - autopwn"; flow:to_server,established; http_uri; content:"/flash_atf/",fast_pattern; content:".swf",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1535; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27082; rev:1; service:http; )
00959 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn"; flow:to_server,established; http_uri; content:"/jmxbean/1.jar"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0422; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27083; rev:1; service:http; )
00960 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nailed exploit kit rhino remote code execution exploit download - autopwn"; flow:to_server,established; http_uri; content:"/rhino/1.jar"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27084; rev:1; service:http; )
00968 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; http_uri; content:"php?sf="; content:"&Ze=",distance 0; content:"&m=",distance 0; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27110; rev:1; service:http; )
00969 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; http_uri; content:"/?f=a"; content:"&k=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:1; service:http; )
00979 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java Exploit request structure"; flow:to_server,established; http_uri; content:"/rhino.php?hash="; http_header; content:"content-type"; content:"java-archive"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27274; rev:1; service:http; )
01033 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-FLASH Adobe Flash ActionScript getURL target null reference attempt"; flow:to_server,established; http_uri; content:".swf?",nocase; content:"&TARGET=",within 20,nocase; pcre:"/\x26TARGET\x3d\x5f(blank|parent|top)/si"; content:"&REDIR=javascript",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2012-0772; reference:url,adobe.com/support/security/bulletins/apsb12-07.html; classtype:denial-of-service; sid:21653; rev:2; service:http; )
01085 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-FLASH Adobe Shockwave Flash Flex authoring tool XSS exploit attempt"; flow:to_server,established; http_uri; content:"/EncDecUtils.swf|3F|",fast_pattern; content:"resourceModuleURLs=",nocase; content:"http",within 4,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-2461; reference:url,www.adobe.com/support/security/bulletins/apsb11-25.html; classtype:attempted-admin; sid:20610; rev:4; service:http; )
01155 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY rmf file download request"; flow:to_server,established; http_uri; content:".rmf",nocase; pcre:"/\x2Ermf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20518; rev:11; service:http; )
01158 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Works file download request"; flow:to_server,established; http_uri; content:".wps"; pcre:"/\x2ewps([\?\x5c\x2f]|$)/smi"; flowbits:set,file.works; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_works; classtype:misc-activity; sid:13465; rev:13; service:http; )
01159 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Publisher file download request"; flow:to_server,established; http_uri; content:".pub"; pcre:"/\x2epub([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pub; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; classtype:misc-activity; sid:13473; rev:16; service:http; )
01161 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RTF file download request"; flow:to_server,established; http_uri; content:".rtf"; pcre:"/\x2ertf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.rtf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:13801; rev:16; service:http; )
01162 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY EPS file download request"; flow:to_server,established; http_uri; content:".eps"; pcre:"/\x2eeps([\?\x5c\x2f]|$)/smi"; flowbits:set,file.eps; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Encapsulated_PostScript; classtype:misc-activity; sid:13983; rev:12; service:http; )
01163 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PDF file download request"; flow:to_server,established; http_uri; content:".pdf"; pcre:"/\x2epdf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pdf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Pdf; classtype:misc-activity; sid:15013; rev:12; service:http; )
01164 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY WAV file download request"; flow:to_server,established; http_uri; content:".wav"; pcre:"/\x2ewav([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wav; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Wav; classtype:misc-activity; sid:15079; rev:9; service:http; )
01165 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XML Shareable Playlist Format file download request"; flow:to_server,established; http_uri; content:".xspf"; pcre:"/\x2exspf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xspf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Xspf; classtype:misc-activity; sid:15158; rev:10; service:http; )
01166 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Java .class file download request"; flow:to_server,established; http_uri; content:".class"; pcre:"/\x2eclass([\?\x5c\x2f]|$)/smi"; flowbits:set,file.class; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Java_class_file; classtype:misc-activity; sid:15237; rev:10; service:http; )
01167 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks RealMedia format file download request"; flow:to_server,established; http_uri; content:".rm"; pcre:"/\x2erm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realmedia; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Realmedia; classtype:misc-activity; sid:15239; rev:11; service:http; )
01168 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks RealMedia format file download request"; flow:to_server,established; http_uri; content:".rv"; pcre:"/\x2erv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realmedia; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Realmedia; classtype:misc-activity; sid:15240; rev:11; service:http; )
01169 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Visio file download request"; flow:to_server,established; http_uri; content:".vsd"; pcre:"/\x2evsd([\?\x5c\x2f]|$)/smi"; flowbits:set,file.visio; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:15294; rev:14; service:http; )
01170 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file download request"; flow:to_server,established; http_uri; content:".ppt"; pcre:"/\x2eppt([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ppt; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_PowerPoint; classtype:misc-activity; sid:15586; rev:13; service:http; )
01171 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; http_uri; content:".doc"; pcre:"/\x2edoc([\?\x5c\x2f]|$)/smi"; flowbits:set,file.doc; flowbits:set,file.rtf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:15587; rev:15; service:http; )
01172 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft multimedia format file download request"; flow:to_server,established; http_uri; content:".wma"; pcre:"/\x2ewma([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wma&file.asx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Windows_Media_Audio; classtype:misc-activity; sid:15921; rev:15; service:http; )
01173 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MP3 file download request"; flow:to_server,established; http_uri; content:".mp3"; pcre:"/\x2emp3([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mp3; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp3; classtype:misc-activity; sid:15922; rev:13; service:http; )
01174 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY DXF file download request"; flow:to_server,established; http_uri; content:".dxf"; pcre:"/\x2edxf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dxf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Dxf; classtype:misc-activity; sid:15987; rev:12; service:http; )
01175 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY X PixMap file download request"; flow:to_server,established; http_uri; content:".xpm"; pcre:"/\x2expm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xpm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/X_PixMap; classtype:misc-activity; sid:16061; rev:13; service:http; )
01177 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY TrueType font file download request"; flow:to_server,established; http_uri; content:".ttf"; pcre:"/\x2ettf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ttf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:16286; rev:12; service:http; )
01178 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpg"; pcre:"/\x2ejpg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16406; rev:10; service:http; )
01179 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpeg"; pcre:"/\x2ejpeg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16407; rev:10; service:http; )
01180 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Movie Maker project file download request"; flow:to_server,established; http_uri; content:".mswmm"; pcre:"/\x2emswmm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mswmm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Windows_Movie_Maker; classtype:misc-activity; sid:16473; rev:11; service:http; )
01182 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".pjpeg"; pcre:"/\x2epjpeg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16529; rev:10; service:http; )
01183 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Media ASX file download request"; flow:to_server,established; http_uri; content:".asx"; pcre:"/\x2easx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Advanced_Stream_Redirector; classtype:misc-activity; sid:17116; rev:9; service:http; )
01186 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Media wmv file download request"; flow:to_server,established; http_uri; content:".wmv"; pcre:"/\x2ewmv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wmv; flowbits:set,file.asf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17241; rev:12; service:http; )
01188 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PNG file download request"; flow:to_server,established; http_uri; content:".png"; pcre:"/\x2epng([\?\x5c\x2f]|$)/smi"; flowbits:set,file.png; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:17380; rev:9; service:http; service:imap; service:pop3; )
01189 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY GIF file download request"; flow:to_server,established; http_uri; content:".gif"; pcre:"/\x2egif([\?\x5c\x2f]|$)/smi"; flowbits:set,file.gif; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17394; rev:10; service:http; )
01190 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY LNK file download request"; flow:to_server,established; http_uri; content:".lnk"; pcre:"/\x2elnk([\?\x5c\x2f]|$)/smi"; flowbits:set,file.lnk; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17441; rev:7; service:http; )
01191 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XML file download request"; flow:to_server,established; http_uri; content:".xml"; pcre:"/\x2exml([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xml; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17733; rev:10; service:http; )
01192 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY OpenType Font file download request"; flow:to_server,established; http_uri; content:".otf"; pcre:"/\x2eotf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.otf; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17751; rev:9; service:http; )
01193 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY QuickDraw/PICT file download request"; flow:to_server,established; http_uri; content:".pct",nocase; pcre:"/\x2epct([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pct; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18234; rev:7; service:http; )
01194 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; http_uri; content:".wri"; pcre:"/\x2ewri([\?\x5c\x2f]|$)/smi"; flowbits:set,file.doc; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18516; rev:9; service:http; )
01195 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY BitTorrent torrent file download request"; flow:to_server,established; http_uri; content:".torrent"; pcre:"/\x2etorrent([\?\x5c\x2f]|$)/smi"; flowbits:set,file.torrent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18593; rev:8; service:http; )
01196 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file download request"; flow:to_server,established; http_uri; content:".cpe"; pcre:"/\x2ecpe([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cov; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:18675; rev:14; service:http; )
01198 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY ZIP archive file download request"; flow:to_server,established; http_uri; content:".zip"; pcre:"/\x2ezip([\?\x5c\x2f]|$)/smi"; flowbits:set,file.zip; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:19211; rev:12; service:http; )
01199 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file download request"; flow:to_server,established; http_uri; content:".cov"; pcre:"/\x2ecov([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cov; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:19218; rev:14; service:http; )
01200 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SMI file download request"; flow:to_server,established; http_uri; content:".smi"; pcre:"/\x2esmi([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:set,file.dmg; flowbits:noalert; metadata:service http; reference:bugtraq,49149; reference:url,en.wikipedia.org/wiki/SAMI; reference:url,osvdb.org/show/osvdb/74604; classtype:misc-activity; sid:20223; rev:13; service:http; )
01202 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file download request"; flow:to_server,established; http_uri; content:".slk"; pcre:"/\x2eslk([\?\x5c\x2f]|$)/smi"; flowbits:set,file.slk; flowbits:noalert; metadata:service http; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:13583; rev:18; service:http; )
01203 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Embedded Open Type Font file download request"; flow:to_server,established; http_uri; content:".eot"; pcre:"/\x2eeot([\?\x5c\x2f]|$)/smi"; flowbits:set,file.eot; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:15518; rev:11; service:http; )
01204 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XBM image file download request"; flow:to_server,established; http_uri; content:".xbm"; pcre:"/\x2exbm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xbm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/XBM; classtype:misc-activity; sid:17359; rev:9; service:http; )
01205 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple disk image file download request"; flow:to_server, established; http_uri; content:".dmg"; pcre:"/\x2edmg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dmg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Apple_Disk_Image; classtype:misc-activity; sid:17679; rev:8; service:http; )
01206 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY FlashPix file download request"; flow:to_server, established; http_uri; content:".fpx"; pcre:"/\x2efpx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.fpx; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Fpx; classtype:misc-activity; sid:17739; rev:7; service:http; )
01207 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe .pfb file download request"; flow:to_server, established; http_uri; content:".pfb"; pcre:"/\x2epfb([\?\x5c\x2f]|$)/smi"; metadata:service http; reference:cve,2008-1806; reference:cve,2008-1807; reference:url,en.wikipedia.org/wiki/Printer_Font_Binary#Printer_Font_Binary; classtype:misc-activity; sid:16552; rev:9; service:http; )
01208 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows .NET Manifest file download request"; flow:to_server,established; http_uri; content:".manifest"; pcre:"/\x2emanifest([\?\x5c\x2f]|$)/smi"; flowbits:set,file.manifest; flowbits:noalert; metadata:service http; reference:bugtraq,21688; reference:cve,2006-6696; reference:url,en.wikipedia.org/wiki/ASP.NET; classtype:misc-activity; sid:17509; rev:11; service:http; )
01209 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Visual Basic script file download request"; flow:to_server,established; http_uri; content:".vbs"; pcre:"/\x2evbs([\?\x5c\x2f]|$)/smi"; metadata:service http; reference:url,en.wikipedia.org/wiki/Vbs; classtype:misc-activity; sid:18758; rev:8; service:http; )
01212 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Cisco Webex wrf file download request"; flow:to_server,established; http_uri; content:".wrf"; pcre:"/\x2ewrf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wrf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Webex; classtype:misc-activity; sid:19224; rev:12; service:http; )
01213 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY language.engtesselate.ln file download request"; flow:to_server,established; http_uri; content:"language.engtesselate.ln"; flowbits:set,file.engtesselate; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:19252; rev:8; service:http; )
01214 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request"; flow:to_server,established; http_uri; content:".ra"; pcre:"/\x2eram?([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community,service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2419; rev:21; service:http; )
# FILE-IDENTIFY rules: outbound HTTP requests ($HOME_NET -> $EXTERNAL_NET, $HTTP_PORTS) whose
# request URI names a file with a given extension. Each plain content match is tightened by a pcre
# that requires the extension to be followed by '?', '\' or '/' or the end of the buffer, so
# "foo.exe" matches but "foo.exec" does not.
# Most rules in this group only set a flowbit (flowbits:set,file.<type>) and suppress their own
# alert (flowbits:noalert); they exist as preconditions for other rules that test those flowbits.
# Disabling one of them therefore silently disables every rule that depends on its flowbit.
# NOTE(review): content matches written without "nocase" (e.g. ".exe" in sid:16425) are
# case-sensitive even though the pcre that follows uses /i, so an upper-case extension in the URI
# is not identified by those rules. Rules that add "nocase" (e.g. sid:20888, sid:23167, sid:24820)
# do not have this gap; aligning the rest would close it without changing what they identify.
01215 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request"; flow:to_server,established; http_uri; content:".rmp"; pcre:"/\x2ermp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community,service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2420; rev:20; service:http; )
01216 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request"; flow:to_server,established; http_uri; content:".rt"; pcre:"/\x2ert([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community,service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2422; rev:22; service:http; )
01217 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request"; flow:to_server,established; http_uri; content:".rp"; pcre:"/\x2erp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community,service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2423; rev:21; service:http; )
01219 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SMIL file download request"; flow:to_server,established; http_uri; content:".smil"; pcre:"/\x2esmil([\?\x5c\x2f]|$)/smi"; flowbits:set,file.smil; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:17547; rev:10; service:http; )
01220 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple Quicktime qt file download request"; flow:to_server,established; http_uri; content:".qt"; pcre:"/\x2eqt([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.mov; classtype:misc-activity; sid:17809; rev:12; service:http; )
01221 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MPEG Layer 3 playlist file download request"; flow:to_server,established; http_uri; content:".m3u"; pcre:"/\x2em3u([\?\x5c\x2f]|$)/smi"; flowbits:set,file.m3u; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:14017; rev:13; service:http; )
01222 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PLS multimedia playlist file download request"; flow:to_server,established; http_uri; content:".pls"; pcre:"/\x2epls([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.pls; classtype:misc-activity; sid:14018; rev:13; service:http; )
01223 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; http_uri; content:".xls"; pcre:"/\x2exls([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15463; rev:16; service:http; )
01224 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; http_uri; content:".xlw"; pcre:"/\x2exlw([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15464; rev:18; service:http; )
01225 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".swf"; pcre:"/\x2eswf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:15483; rev:13; service:http; )
# Some rules set more than one flowbit (file.avi + file.avi.video here; three for .tif/.tiff below).
01226 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY AVI multimedia file download request"; flow:to_server,established; http_uri; content:".avi"; pcre:"/\x2eavi([\?\x5c\x2f]|$)/smi"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.avi; classtype:misc-activity; sid:15516; rev:13; service:http; )
01227 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MP4 file download request"; flow:to_server,established; http_uri; content:".mp4"; pcre:"/\x2emp4([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:set,file.mp4; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:15865; rev:13; service:http; )
01228 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY 4XM file download request"; flow:to_server,established; http_uri; content:".4xm"; pcre:"/\x2e4xm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.4xm; flowbits:noalert; metadata:service http; reference:url,wiki.multimedia.cx/index.php?title=4xm_Format; classtype:misc-activity; sid:15870; rev:10; service:http; )
01229 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MOV file download request"; flow:to_server,established; http_uri; content:".mov"; pcre:"/\x2emov([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.mov; classtype:misc-activity; sid:17259; rev:11; service:http; )
01230 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Pagemaker file download request"; flow:to_server,established; http_uri; content:".pmd"; pcre:"/\x2epmd([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pmd; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.pmd; classtype:misc-activity; sid:17552; rev:9; service:http; )
01231 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY TIFF file download request"; flow:to_server,established; http_uri; content:".tif"; pcre:"/\x2etif(f)?([\?\x5c\x2f]|$)/smi"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.tiff; classtype:misc-activity; sid:17732; rev:11; service:http; )
# sid:19233 sets no flowbit and has no noalert, so unlike its neighbours it raises an alert on
# every .disco request by itself.
01232 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Visual Studio DISCO file download request"; flow:to_server,established; http_uri; content:".disco"; pcre:"/\x2edisco([\?\x5c\x2f]|$)/smi"; metadata:service http; reference:url,msdn.microsoft.com/en-us/library/8k0zafxb(v=vs.80).aspx; classtype:misc-activity; sid:19233; rev:9; service:http; )
01234 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY CHM file download request"; flow:to_server,established; http_uri; content:".chm"; pcre:"/\x2echm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.chm; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help; classtype:misc-activity; sid:3819; rev:17; service:http; )
01235 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file download request"; flow:to_server,established; http_uri; content:".wmf"; pcre:"/\x2ewmf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.wmf; flowbits:noalert; metadata:ruleset community,service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:2436; rev:22; service:http; )
01236 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY QCP file download request"; flow:to_server,established; http_uri; content:".qcp"; pcre:"/\x2eqcp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.qcp; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.qcp; classtype:misc-activity; sid:20287; rev:8; service:http; )
01238 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Director Movie file download request"; flow:to_server,established; http_uri; content:".dcr"; pcre:"/\x2edcr([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dir; flowbits:noalert; metadata:service http; reference:url,www.fileinfo.com/extension/dcr; classtype:misc-activity; sid:17802; rev:9; service:http; )
01239 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XUL file download request"; flow:to_server,established; http_uri; content:".xul"; pcre:"/\x2exul([\?\x5c\x2f]|$)/msi"; flowbits:set,file.xul; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xul; classtype:misc-activity; sid:17600; rev:10; service:http; )
# file.exe is a widely consumed flowbit; keep sid:16425 enabled wherever rules that test it are used.
01240 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Portable Executable binary file download request"; flow:to_server,established; http_uri; content:".exe"; pcre:"/\x2eexe([\?\x5c\x2f]|$)/smi"; flowbits:set,file.exe; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.exe; classtype:misc-activity; sid:16425; rev:15; service:http; )
01241 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Director Movie file download request"; flow:to_server,established; http_uri; content:".dir"; pcre:"/\x2edir([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dir; flowbits:noalert; metadata:service http; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:16219; rev:12; service:http; )
# .flv, .f4v, .f4p, .f4a and .f4b all feed the same file.swf flowbit as .swf.
01245 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Flash Player FLV file download request"; flow:to_server,established; http_uri; content:".flv"; pcre:"/\x2eflv([\?\x5c\x2f]|$)/msi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:20544; rev:7; service:http; )
01246 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY CDR file download request"; flow:to_server,established; http_uri; content:".cdr"; pcre:"/\x2ecdr([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cdr; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:20588; rev:7; service:http; )
01248 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JAR file download request"; flow:to_server,established; http_uri; content:".jar"; pcre:"/\x2ejar([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jar; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20621; rev:7; service:http; )
01258 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Video Spirit visprj download attempt"; flow:to_server,established; http_uri; content:".visprj",nocase; pcre:"/\x2evisprj([\?\x5c\x2f]|$)/smi"; flowbits:set,file.visprj; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:20888; rev:4; service:http; )
01277 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4v"; pcre:"/\x2ef4v([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20937; rev:4; service:http; )
01278 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4p"; pcre:"/\x2ef4p([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20938; rev:4; service:http; )
01279 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4a"; pcre:"/\x2ef4a([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20939; rev:4; service:http; )
01280 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; http_uri; content:".f4b"; pcre:"/\x2ef4b([\?\x5c\x2f]|$)/smi"; flowbits:set,file.swf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.swf; classtype:misc-activity; sid:20940; rev:4; service:http; )
01299 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY TTE file download request"; flow:to_server,established; http_uri; content:".tte"; pcre:"/\x2ette([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ttf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:20961; rev:6; service:http; )
01300 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY OTF file download request"; flow:to_server,established; http_uri; content:".otf"; pcre:"/\x2eotf([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ttf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/TrueType; classtype:misc-activity; sid:20962; rev:6; service:http; )
01301 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SAMI file download request"; flow:to_server,established; http_uri; content:".sami"; pcre:"/\x2esami([\?\x5c\x2f]|$)/smi"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20964; rev:5; service:http; )
01302 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpe"; pcre:"/\x2ejpe([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20965; rev:4; service:http; )
01303 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jif"; pcre:"/\x2ejif([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20966; rev:4; service:http; )
# The pcre here accepts both .jfi and .jfif (the trailing f is optional).
01304 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jfi"; pcre:"/\x2ejfif?([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20967; rev:4; service:http; )
# NOTE(review): the flow option below is written "to_server, established" with a space after the
# comma, unlike every other rule in this file; confirm the parser in use accepts it.
01305 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple disk image file download request"; flow:to_server, established; http_uri; content:".img"; pcre:"/\x2eimg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.dmg; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Apple_Disk_Image; classtype:misc-activity; sid:20968; rev:4; service:http; )
# .m4a/.m4p/.m4r/.m4v/.m4b/.3gp/.3g2/.k3g/.skm all set file.quicktime; .m4v additionally sets file.m4v.
01306 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4A file download request"; flow:to_server,established; http_uri; content:".m4a"; pcre:"/\x2em4a([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20969; rev:5; service:http; )
01307 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4P file download request"; flow:to_server,established; http_uri; content:".m4p"; pcre:"/\x2em4p([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20970; rev:5; service:http; )
01308 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4R file download request"; flow:to_server,established; http_uri; content:".m4r"; pcre:"/\x2em4r([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20971; rev:5; service:http; )
01309 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4V file magic request"; flow:to_server,established; http_uri; content:".m4v"; pcre:"/\x2em4v([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:set,file.m4v; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20972; rev:6; service:http; )
01310 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY M4B file download request"; flow:to_server,established; http_uri; content:".m4b"; pcre:"/\x2em4b([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20973; rev:5; service:http; )
01311 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY 3GP file download request"; flow:to_server,established; http_uri; content:".3gp"; pcre:"/\x2e3gp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20974; rev:5; service:http; )
01312 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY 3G2 file download request"; flow:to_server,established; http_uri; content:".3g2"; pcre:"/\x2e3g2([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20975; rev:5; service:http; )
01313 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY K3G file download request"; flow:to_server,established; http_uri; content:".k3g"; pcre:"/\x2ek3g([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20976; rev:5; service:http; )
01314 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SKM file download request"; flow:to_server,established; http_uri; content:".skm"; pcre:"/\x2eskm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/Mp4; classtype:misc-activity; sid:20977; rev:5; service:http; )
# sid:17546 (.wmd) and sid:12278 (.wmz) set no flowbit and have no noalert, so they alert directly.
# Both reference CVE-2007-3037 / MS07-047 and share the same msg, but they use different
# classtypes (policy-violation vs misc-activity); aligning them would make triage consistent.
01325 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Media Player compressed skin download request"; flow:established,to_server; http_uri; content:".wmd",nocase; pcre:"/\x2ewmd([\?\x5c\x2f]|$)/smi"; metadata:service http; reference:bugtraq,25305; reference:cve,2007-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-047; classtype:policy-violation; sid:17546; rev:6; service:http; )
01331 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MPEG video stream file download request"; flow:to_server,established; http_uri; content:".mpeg"; pcre:"/\x2empeg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21109; rev:6; service:http; )
# .xsl and .xslt are mapped onto the generic file.xml flowbit.
01336 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XSL file download request"; flow:to_server,established; http_uri; content:".xsl"; pcre:"/\x2exsl([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xml; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21282; rev:3; service:http; )
01339 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XSLT file download request"; flow:to_server,established; http_uri; content:".xslt"; pcre:"/\x2exslt([\?\x5c\x2f]|$)/smi"; flowbits:set,file.xml; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21285; rev:3; service:http; )
# .paq8o archives are mapped onto the file.zip flowbit.
01343 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY paq8o file download request"; flow:to_server,established; http_uri; content:".paq8o"; pcre:"/\x2epaq8o([\?\x5c\x2f]|$)/smi"; flowbits:set,file.zip; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21410; rev:4; service:http; )
01353 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Media Player compressed skin download request"; flow:established,to_server; http_uri; content:".wmz",nocase; pcre:"/\x2ewmz([\?\x5c\x2f]|$)/smi"; metadata:service http; reference:bugtraq,25305; reference:cve,2007-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-047; classtype:misc-activity; sid:12278; rev:10; service:http; )
01362 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY QuickDraw/PICT file download request"; flow:to_server,established; http_uri; content:".pict"; pcre:"/\x2epict([\?\x5c\x2f]|$)/smi"; flowbits:set,file.pct; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21650; rev:3; service:http; )
# .pfa/.pfb/.pfm/.afm all set the shared file.psfont flowbit.
01381 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PFA file download request"; flow:to_server,established; http_uri; content:".pfa"; pcre:"/\x2epfa([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21711; rev:2; service:http; )
01385 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PFB file download request"; flow:to_server,established; http_uri; content:".pfb"; pcre:"/\x2epfb([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21715; rev:2; service:http; )
01388 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PFM file download request"; flow:to_server,established; http_uri; content:".pfm"; pcre:"/\x2epfm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21718; rev:2; service:http; )
01391 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY AFM file download request"; flow:to_server,established; http_uri; content:".afm"; pcre:"/\x2eafm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21721; rev:2; service:http; )
01394 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY ANI file download request"; flow:to_server,established; http_uri; content:".ani"; pcre:"/\x2eani([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ani; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21724; rev:2; service:http; )
01418 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY HPJ file download request"; flow:to_server,established; http_uri; content:".hpj"; pcre:"/\x2ehpj([\?\x5c\x2f]|$)/smi"; flowbits:set,file.hpj; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21748; rev:2; service:http; )
01448 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file download request"; flow:to_server,established; http_uri; content:".vap"; pcre:"/\x2evap([\?\x5c\x2f]|$)/smi"; flowbits:set,file.vap; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:22025; rev:2; service:http; )
01459 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MPG video stream file download request"; flow:to_server,established; http_uri; content:".mpg",nocase; pcre:"/\x2empg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23167; rev:4; service:http; )
# The Windows Media family (.wmv/.wm/.wax/.wvx/.asx/.wmx) all set file.asx, with nocase on the content.
01464 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wmv",nocase; pcre:"/\x2ewmv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23190; rev:2; service:http; )
01467 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wm",nocase; pcre:"/\x2ewm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23193; rev:2; service:http; )
01470 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wax",nocase; pcre:"/\x2ewax([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23196; rev:2; service:http; )
01473 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wvx",nocase; pcre:"/\x2ewvx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23199; rev:2; service:http; )
01476 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".asx",nocase; pcre:"/\x2easx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23202; rev:2; service:http; )
01479 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; http_uri; content:".wmx",nocase; pcre:"/\x2ewmx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23205; rev:2; service:http; )
01565 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY MP3 file download request"; flow:to_server,established; http_uri; content:".mp3"; pcre:"/\x2emp3([\?\x5c\x2f]|$)/smi"; flowbits:set,file.mp3; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24074; rev:2; service:http; )
# From here on the newer rules mark the extension as fast_pattern,nocase: case-insensitive and
# explicitly chosen as the fast-pattern match.
01589 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Computer Graphics Metafile file download request"; flow:to_server,established; http_uri; content:".cgm",fast_pattern,nocase; pcre:"/\x2ecgm([\?\x5c\x2f]|$)/smi"; flowbits:set,file.cgm; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24820; rev:1; service:http; )
01592 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JNLP file download request"; flow:to_server,established; http_uri; content:".jnlp"; pcre:"/\x2ejnlp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.jnlp; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:24901; rev:1; service:http; )
01596 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Apple Quicktime Targa Image file download request"; flow:to_server,established; http_uri; content:".tga",fast_pattern,nocase; pcre:"/\x2etga([\?\x5c\x2f]|$)/smi"; flowbits:set,file.tga; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25373; rev:1; service:http; )
01603 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Csound audio file file download request"; flow:to_server,established; http_uri; content:".csd"; pcre:"/\x2ecsd([\?\x5c\x2f]|$)/smi"; flowbits:set,file.csd; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25604; rev:1; service:http; )
# .ogg/.ogv/.oga/.ogx/.spx/.opus all set the single file.ogg flowbit.
01606 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".ogg",fast_pattern,nocase; pcre:"/\x2eogg([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25928; rev:1; service:http; )
01609 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".ogv",fast_pattern,nocase; pcre:"/\x2eogv([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25931; rev:1; service:http; )
01612 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".oga",fast_pattern,nocase; pcre:"/\x2eoga([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25934; rev:1; service:http; )
01615 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".ogx",fast_pattern,nocase; pcre:"/\x2eogx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25937; rev:1; service:http; )
01618 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".spx",fast_pattern,nocase; pcre:"/\x2espx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25940; rev:1; service:http; )
01621 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Ogg file download request"; flow:to_server,established; http_uri; content:".opus",fast_pattern,nocase; pcre:"/\x2eopus([\?\x5c\x2f]|$)/smi"; flowbits:set,file.ogg; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25943; rev:1; service:http; )
01626 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file download request"; flow:to_server,established; http_uri; content:".htc",fast_pattern,nocase; pcre:"/\x2ehtc([\?\x5c\x2f]|$)/smi"; flowbits:set,file.htc; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26126; rev:1; service:http; )
01634 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Metalink File file download request"; flow:to_server,established; http_uri; content:".metalink"; pcre:"/\x2emetalink([\?\x5c\x2f]|$)/smi"; flowbits:set,file.metalink; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26424; rev:1; service:http; )
# The two maplet rules spell the dot as the hex byte |2E| in content; the effect is the same as ".".
01638 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY maplet file download attempt"; flow:to_server,established; http_uri; content:"|2E|maplet"; pcre:"/\x2Emaplet([\?\x5c\x2f]|$)/smi"; flowbits:set,file.maplet; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26514; rev:2; service:http; )
# NOTE(review): ".bin" is a generic extension, so file.maplet.bin is presumably set on many
# downloads unrelated to maplet; rules that test this flowbit should not treat it as maplet-specific
# on its own.
01641 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY maplet bin file download attempt"; flow:to_server,established; http_uri; content:"|2E|bin"; pcre:"/\x2Ebin([\?\x5c\x2f]|$)/smi"; flowbits:set,file.maplet.bin; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26517; rev:2; service:http; )
01644 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Android APK download request"; flow:to_server,established; http_uri; content:".apk"; pcre:"/\x2eapk([\?\x5c\x2f]|$)/smi"; flowbits:set,file.apk; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:26902; rev:1; service:http; )
01649 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Trimble SketchUp file download request"; flow:to_server,established; http_uri; content:".skp"; pcre:"/\x2eskp([\?\x5c\x2f]|$)/smi"; flowbits:set,file.skp; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:27277; rev:1; service:http; )
# Outbound ($HOME_NET -> $EXTERNAL_NET) requests whose URI carries an exploit indicator. These
# alert on the request itself; none of them set or test a flowbit.
# sid:20430 (CVE-2010-3563): the pcre requires the literal sequence jnlp, double-quote, TAB,
# double-quote, -J-Djava.security.policy in the URI; the content match on "java.security.policy"
# is only the prefilter.
01727 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-JAVA Oracle Java Web Start BasicServiceImpl security policy bypass attempt"; flow:to_server,established; http_uri; content:"java.security.policy"; pcre:"/jnlp\x22\x09\x22-J-Djava\.security\.policy/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43999; reference:cve,2010-3563; classtype:attempted-user; sid:20430; rev:4; service:http; )
# sid:16409 (CVE-2010-0029 / MS10-004): a ".ppt" name whose last path component is at least 256
# characters with none of \ / : * ? " < > | = or whitespace, followed by end of URI or '?'.
# Unlike its neighbours this rule is "alert", not "drop", in the balanced-ips and security-ips policies.
01999 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt"; flow:to_server,established; http_uri; content:".ppt",nocase; pcre:"/[^\x5C\x2F\x3A\x2A\x3F\x22\x3C\x3E\x7C\x3D\s]{256}\x2Eppt($|\x3f)/i"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2010-0029; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16409; rev:7; service:http; )
# sid:18529 (CVE-2010-3150): any URI containing "ibfs32.dll" (case-insensitive); there is no pcre
# anchoring the name to a path component, so it matches wherever the string appears in the URI.
02245 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-OTHER Adobe Premiere Pro ibfs32.dll dll-load exploit attempt"; flow:to_server,established; http_uri; content:"ibfs32.dll",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3150; reference:url,osvdb.org/show/osvdb/67554; classtype:attempted-user; sid:18529; rev:3; service:http; )
# INDICATOR-COMPROMISE rules, outbound direction ($HOME_NET -> $EXTERNAL_NET). Note that these
# fire on an internal client *requesting* the resource from an external server, not on requests
# arriving at a local server; a hit means a host inside $HOME_NET reached out to the indicator.
# sid:23171 / sid:21941: .htm/.html or .php fetched from under wp-content/uploads/fgallery/.
# Neither the content nor the pcre is case-insensitive, so the path and extension must be lower-case.
02406 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Wordpress Request for html file in fgallery directory"; flow:to_server,established; http_uri; content:"wp-content/uploads/fgallery"; pcre:"/wp-content\/uploads\/fgallery\/.+\x2ehtml?(\?|$)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:web-application-attack; sid:23171; rev:2; service:http; )
02407 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Wordpress Request for php file in fgallery directory"; flow:to_server,established; http_uri; content:"wp-content/uploads/fgallery"; pcre:"/wp-content\/uploads\/fgallery\/.+\x2ephp(\?|$)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:web-application-attack; sid:21941; rev:3; service:http; )
# sid:26025 (CVE-2013-1493): URI containing /svchost.jpg combined with a "Java/1." string in the
# request headers, i.e. the fetch is made by a Java client rather than a browser.
02426 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Java user-agent request to svchost.jpg"; flow:to_server,established; http_uri; content:"/svchost.jpg"; http_header; content:"Java/1."; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1493; classtype:trojan-activity; sid:26025; rev:1; service:http; )
# sid:26530 (Cdorked): a URI longer than 150 bytes containing "/index.php?" plus a Host header
# whose first label is exactly 16 hex characters (the /i flag also accepts upper-case A-F)
# followed by a dot. The bufferlen check applies to the http_uri buffer selected before it.
02429 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirected URI attempt"; flow:to_server,established; http_uri; bufferlen:>150; content:"/index.php?"; http_header; content:"Host:",nocase; pcre:"/^Host:\s*?[a-f0-9]{16}\./im"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26530; rev:2; service:http; )
02433 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; http_method; content:"POST"; http_uri; content:"CHAR(",nocase; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13989; rev:7; service:http; )
02464 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; http_method; content:"GET"; http_uri; content:"CHAR(",nocase; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:25783; rev:1; service:http; )
02523 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR ToolsPack PHP Backdoor access"; flow:to_server,established; http_uri; content:"plugins/ToolsPack/ToolsPack.php"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html; classtype:web-application-attack; sid:21550; rev:2; service:http; )
02540 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/AES",fast_pattern,nocase; pcre:"/\/AES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24115; rev:2; service:http; )
02542 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/ZES",fast_pattern,nocase; pcre:"/\/ZES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24117; rev:2; service:http; )
02544 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/SUS",fast_pattern,nocase; pcre:"/\/SUS\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24119; rev:2; service:http; )
02546 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/DES",fast_pattern,nocase; pcre:"/\/DES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24121; rev:2; service:http; )
02548 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Trojan.Ransomlock runtime detection"; flow:to_server,established; http_uri; content:"?id="; content:"&cmd=img",within 8,distance 20; pcre:"/\?id=[A-Z0-9]{20}&cmd=img/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f9aafe67d4afe9526c1033fbfc861484105be3f09bdef92d911311f96ed05e4b/analysis; classtype:trojan-activity; sid:24530; rev:1; service:http; )
02553 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Trojan.GGDoor.22 outbound connection"; flow:to_server,established; http_uri; content:"/appsvc/appmsg4.asp?fmnumber="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=050df1a6cfafab164c7d8c10dd38c6a72145bedde19551a34ae02c0cdde607f1-1243543347; classtype:trojan-activity; sid:19747; rev:8; service:http; )
02565 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Zbot variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:39; http_uri; content:"/?xclzve_"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/e11901864208c8468be6433b76f4d038cd298f387c9d61ffeadf5ea9e7402367/analysis/; classtype:trojan-activity; sid:23972; rev:2; service:http; )
02566 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Crisis outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"|2F|stats|2E|asp|3F|site|3D|actual"; http_header; content:"Content-Length|3A| 112"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C093B72CC249C07725EC3C2EEB1842FE56C8A27358F03778BF5464EBEDDBD43C/analysis/; classtype:trojan-activity; sid:23968; rev:4; service:http; )
02569 alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DistTrack command and control traffic"; flow:to_server,established; http_uri; content:"/ajax_modal/modal/data.asp",nocase; content:"&state=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23893; rev:4; service:http; )
02570 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Gauss malware check-in"; flow:to_server,established; http_uri; content:"/userhome.php?sid=",nocase; content:"&uid=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23824; rev:2; service:http; )
02571 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Bublik variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/was/vas.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/73B6C213C7F5621A760936B5071A3FA43EFA66A94EBF05200D990229F210F0A1/analysis/; classtype:trojan-activity; sid:23778; rev:2; service:http; )
02572 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Gozi trojan checkin"; flow:to_server,established; http_uri; content:"/viewtopic.php?f=",nocase; http_client_body; content:"user_id=",nocase; content:"version_id=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/a6b6642b2cc6386d71c90c0a6bb27f873e13fa940f8bd568515515471f74b152/analysis/; classtype:trojan-activity; sid:23635; rev:2; service:http; )
02573 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kegotip variant report to cnc-server"; flow:to_server,established; http_uri; content:"index_get.php"; content:"action=ADD_FTP"; content:"&ftp_host"; content:"&ftp_login"; content:"&ftp_pass"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/CC7913E43487D6D3F5373B103441AC76534D7AD611A6E9F8DA45678CD993DBD5/analysis/; classtype:trojan-activity; sid:23633; rev:4; service:http; )
02574 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Pincav variant outbound connection"; flow:to_server,established; http_uri; content:"/Adminweb/news.asp?id=ZGlja3lA"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/73a97de02fb822dcde3e431e89d7458fd241ee8b80e6b907abd5a44c3fea3d39/analysis/; classtype:trojan-activity; sid:23628; rev:4; service:http; )
02578 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.SpyEye outbound connection"; flow:to_server,established; http_uri; content:"/dataSafer3er/"; http_method; content:"POST"; http_client_body; content:"|8C 69 69 B2|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/09478bf4833505d3d7b66d4f30ccce6b9fde3ea51b9ccf6fdeadc008efba43d8/analysis/; classtype:trojan-activity; sid:23382; rev:4; service:http; )
02579 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"media/system/js/wp-env.php"; content:"nomepc=",nocase; content:"osName=",nocase; content:"netCard=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/B25052ADA8C0B52DBA31993E8FB6DE3609C74D54B262EEC48AC440B4D678ABC7/analysis/; classtype:trojan-activity; sid:23342; rev:4; service:http; )
02580 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Swisyn outbound connection"; flow:to_server,established; http_uri; content:"?act=login&ver="; content:"&born=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b162604f44fd37bf77b1c043a1b35d7bedde8ff907df4be9276a6d77f36d6242/analysis/; classtype:trojan-activity; sid:23335; rev:4; service:http; )
02582 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dishigy outbound connection"; flow:established, to_server; http_method; content:"POST",nocase; http_uri; content:"/bot/diwar.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23332; rev:5; service:http; )
02583 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dropper connect to server"; flow:to_server,established; http_uri; content:"gate.php"; http_client_body; content:"{",depth 1; content:"-",within 1,distance 8; content:"-",within 1,distance 4; content:"-",within 1,distance 4; content:"-",within 1,distance 4; content:"}|15 00 00 00 00|",within 6,distance 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C021D80C29933C2EF636B765206C83AAFF36CA307F777F09CC26FE864B204ACE/analysis/; classtype:trojan-activity; sid:23307; rev:4; service:http; )
02586 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Delf.CL variant outbound connection"; flow:to_server,established; http_uri; content:"/support3/script.php"; pcre:"/hwinfo=\x7b[a-f0-9]{8}\x2d[a-f0-9]{4}\x2d[a-f0-9]{4}\x2d[a-f0-9]{4}\x2d[a-f0-9]{12}\x7d/smi"; http_client_body; content:"name=|22|pwdata|22|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/4195B3B362342BFA48916C2E9F04C76E0A3B65456D2CAC384128C298E5A7A009/analysis/; classtype:trojan-activity; sid:23254; rev:5; service:http; )
02587 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"asp?device_t="; content:"&key=",distance 0; content:"&device_id=",distance 0; content:"&cv=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/B96DFE55BEF7B1CC30430A1E3F5AE826EE02DDF63582539215E4F634FA6508B9/analysis/; classtype:trojan-activity; sid:23245; rev:3; service:http; )
02588 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kuluoz variant outbound connection"; flow:to_server,established; http_uri; content:"/index.php?r=gate&",nocase; content:"&group=",distance 0,nocase; content:"&debug=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,spamalysis.wordpress.com/2012/04/27/contact-to-the-nearest-post-office/; reference:url,www.virustotal.com/file/1d4e30379346cc784cb29620fbc459d117a0e5221dbbb8ec0873d06a67d57b20/analysis/; reference:url,www.virustotal.com/file/6f87ceaeed3474c0747c5a7da0531459813b4a6fc71d16599917bafbf3386c38/analysis/; reference:url,www.virustotal.com/file/bc26fab87bb48d9e911e0a4557b2a6a1b984e09490baab51aa72ad7576b625af/analysis/; reference:url,www.virustotal.com/file/c398224e76d2c3234765eafd2336d1c9e5f91f3f2abdbfe69f9148d5798a4655/analysis/; classtype:trojan-activity; sid:23244; rev:4; service:http; )
02589 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker.boxg connect to cnc server"; flow:to_server,established; http_uri; content:"/msn/xbox/info.php",nocase; http_client_body; content:"login=cpf",depth 9,nocase; content:"&senha",within 6,distance 30,nocase; content:"Codigo",nocase; content:"Compara",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/415401612cc2261081b8541763d29ccb9ab57bb12f7b35974c33f2352071656e/analysis/; classtype:trojan-activity; sid:23242; rev:4; service:http; )
02591 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Scar variant outbound connection"; flow:to_server,established; http_uri; content:"/ddos?uid=",nocase; content:"&ver=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6317bf0843703c2356243b58a961b82ba2ffbbcb1d744402c17c94c139d3ea5b/analysis/; classtype:trojan-activity; sid:23104; rev:4; service:http; )
02593 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Flame malware connection - /view.php"; flow:to_server,established; http_uri; content:"/view.php?mp=1&",nocase; content:"&pr=1&ec=0&ov=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23057; rev:2; service:http; )
02594 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_get_host.php?ver="; pkt_data; content:"HTTP/1.0"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5f281de6faf1793f622f049f2359e09fd4fbd744f43e3fd0fdb0cbcc812fa3af/analysis/; classtype:trojan-activity; sid:22058; rev:4; service:http; )
02595 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Midhos variant outbound connection"; flow:to_server,established; http_uri; content:"/file/id=AQA"; content:"AAEA",within 4,distance 1; content:"rLhtgiZvmW8",distance 0; content:"&rt=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1671d64f146e97b3ce2a58514f99f91b83214af6f1c679b27f98aa277d909dbd/analysis/; classtype:trojan-activity; sid:22100; rev:2; service:http; )
02596 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Piroxcc variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/sedo.php"; http_client_body; content:"id=",depth 3; content:"&s5_uidx=",distance 0; content:"&os=",distance 0; content:"&s5=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/349C1AAD74E43C9814CB895B3001FAD5106FBE6450D30B727E9BB7070FDA0D7B/analysis/; classtype:trojan-activity; sid:22099; rev:2; service:http; )
02597 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Fepgul outbound connection"; flow:to_server,established; http_uri; content:"/SkypeClient.exe"; http_header; content:"skype.tom.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/CCCE38CDBE10DCEE205334E58C218B3816787EF80F86A1BA95E0BD719165EFF9/analysis/; classtype:trojan-activity; sid:22060; rev:2; service:http; )
02598 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"/service.php?kind="; content:"pid=",distance 0; content:"prog=",distance 0; content:"addresses=",distance 0; content:"progkind=",distance 0; content:"wv=",distance 0; content:"ee=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/734CF749D5B31EF5AB97374E02B528E0072D86ACD143E69762A9141B08E4D069/analysis/; classtype:trojan-activity; sid:22059; rev:2; service:http; )
02599 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Prorat variant outbound connection"; flow:to_server,established; http_uri; content:"/mo3tazjordan/server.exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3CDE092BD99DF7AAD5A44697E199AF3A90C60DCD15CDA589E5BE75CA1D48B25E/analysis/; classtype:trojan-activity; sid:22054; rev:3; service:http; )
02601 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware outbound connection"; flow:to_server,established; http_uri; content:"/auupdate/",fast_pattern; http_header; content:"User-Agent|3A|"; base64_decode:relative; base64_data; pkt_data; content:"|7C|x86_64|7C|10."; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:22034; rev:3; service:http; )
02602 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware outbound connection"; flow:to_server,established; http_uri; content:"/auupdate/",fast_pattern; http_header; content:"User-Agent|3A|"; base64_decode:relative; base64_data; pkt_data; content:"|7C|i386|7C|10."; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:22033; rev:3; service:http; )
02604 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.BamCompiled variant outbound connection"; flow:to_server,established; http_uri; content:"/Admin/FunctionsClient/"; pcre:"/\x2fAdmin\x2fFunctionsClient\x2f(check.txt|Select.php|Update.php)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7cc3fa3197a5efd486d64483855cb55801e32ecd1e51a9b5e4cdf64f454874dc/analysis/; classtype:trojan-activity; sid:21983; rev:2; service:http; )
02606 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Aldi variant outbound connection C&C checkin"; flow:to_server,established; http_uri; content:"gate.php?hwid="; content:"pc=",distance 0; content:"localip=",distance 0; content:"winver=",distance 0; pcre:"/hwid=[^\x0a\x26]+?\x26pc=[^\x0a\x26]+?\x26localip=[^\x0a\x26]+?\x26winver=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2011/10/ddos-aldi-bot/; classtype:trojan-activity; sid:21911; rev:2; service:http; )
02612 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_d/"; pcre:"/\/stat_d\/$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21758; rev:4; service:http; )
02613 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_svc/"; pcre:"/\/stat_svc\/$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21757; rev:4; service:http; )
02614 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_n/"; pcre:"/\/stat_n\/$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21756; rev:4; service:http; )
02615 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; http_uri; content:"/stat_u/"; pcre:"/\/stat_u\/$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21755; rev:4; service:http; )
02616 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Aluereon TDSS infection variant outbound connection"; flow:to_server,established; http_uri; content:".php?i=",fast_pattern; content:"&a=",distance 0; content:"&f=",distance 0; content:"&x64=",distance 0; content:"&os=",distance 0; http_header; content:!"User-Agent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1cc3d8345af514e2ea0fb3a2abdd82c8c5567e5ddd934d5eb458cca3acea4b09/analysis/1332706994/; classtype:trojan-activity; sid:21638; rev:2; service:http; )
02619 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Georbot variant outbound connection"; flow:to_server,established; http_uri; content:".php?ver="; content:"&cam=",distance 0; content:"&p=bot123",distance 1; content:"&id=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.eset.com/wp-content/media_files/ESET_win32georbot_analysis_final.pdf; classtype:trojan-activity; sid:21622; rev:3; service:http; )
02620 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dropper-23836 outbound connection"; flow:to_server,established; http_uri; content:"php?net=gnutella2&get=1&client=RAZA2."; http_header; content:"User-Agent|3A 20|Shareaza"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/77c5acc4209778042fe21829a6728815249026d459e7622cf62b113b2f76d553/analysis/; classtype:misc-activity; sid:21593; rev:2; service:http; )
02621 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/wsouth1.exe"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/file/bdec740dcbda605694bfa2bc9f463bec4e401f331d1452a5437222cf53b9d5d0/analysis/; classtype:trojan-activity; sid:21565; rev:2; service:http; )
02622 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/jucheck.exe"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/latest-report.html?resource=B49BCE1778F76F7D59909790B93CBB86; classtype:trojan-activity; sid:21564; rev:2; service:http; )
02625 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kahn variant outbound connection"; flow:to_server,established; http_uri; content:"/panda/?u="; pcre:"/\x2fpanda\x2f\x3fu\x3d[a-z0-9]{32}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2012/03/kahn/; reference:url,www.virustotal.com/file/3e37577f8bd7d4d248d414ec65b1c339e491d0d7c096c92e602c639faec7626f/analysis/; classtype:trojan-activity; sid:21552; rev:2; service:http; )
02628 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"/getcmd.php?id="; content:"&traff=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/c31f47dddc4d15dacecb47408248b4f12e2ad5c829299d7223eb36f7ecbc6db3/analysis/; classtype:trojan-activity; sid:21547; rev:4; service:http; )
02630 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"/UpdateInfo2.xml",fast_pattern; http_header; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3303912ce4dd35cb0fefe2d6fbc75a887c2734d42e5edd622609a2c8bedd0dae/analysis/; classtype:trojan-activity; sid:21525; rev:4; service:http; )
02646 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.QQFish variant outbound connection"; flow:to_server,established; http_uri; content:"AddSetup|2E|asp|3F|id|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d8ea9a2f510ed38a95690bca1ae536d2f8f9bda4fd2715ebba261274a5837528-1286946878; classtype:trojan-activity; sid:19056; rev:7; service:http; )
02652 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/?ini="; http_client_body; content:"data=",depth 5; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/9fd42ddde9f50512f9611da187232bb17b8ded18e2ba5833203e025281cc575f/analysis/; classtype:trojan-activity; sid:21441; rev:3; service:http; )
02656 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Mentor outbound connection"; flow:to_server,established; http_uri; content:"/updates.ini"; http_header; content:!"Referer"; flowbits:set,trojan.mentor; flowbits:noalert; metadata:service http; reference:url,www.virustotal.com/file/e7b27ac6d0268b4170a428fdec827078d36723e2abace1fc521cc6e5c6310e54/analysis/; classtype:trojan-activity; sid:21434; rev:5; service:http; )
02658 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Trojan.Generic-24 outbound connection"; flow:to_server,established; http_uri; content:".php?email="; content:"&lici=",distance 0; content:"&ver=",distance 0; http_header; content:!"User-Agent|3A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/633b96e0c60187b5c583686e75eddabe1cb635d46b794d335ceb81a3944a0806/analysis/; classtype:trojan-activity; sid:21428; rev:3; service:http; )
02659 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Trojan.Delf variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/update.aspx",fast_pattern; http_header; content:"Accept-Language|3A 20|zh-cn|0D 0A|"; http_client_body; content:"a=",depth 2; content:"&v=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:21427; rev:4; service:http; )
02664 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Dofoil variant outbound connection"; flow:to_server,established; http_uri; content:"/send/log.php"; http_client_body; content:"id="; content:"link=",distance 0; content:"password=",distance 0; content:"debug=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21311; rev:2; service:http; )
02666 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Cycbot variant outbound connection"; flow:to_server,established; http_uri; content:"?sv=",fast_pattern; content:"&tq=",distance 0; http_header; content:"User-Agent|3A 20|chrome/9.0|0D 0A|"; http_uri; pcre:"/\x3fsv\x3d\d{1,3}\x26tq\x3d/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b9231471a9af849ccf3690ebc12cdc7ac4d942f6e417ba7261e7a4414bf1e329/analysis/; classtype:trojan-activity; sid:21269; rev:2; service:http; )
02667 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MsUpdater outbound connection"; flow:to_server,established; http_uri; content:"/redirect.php?id="; content:"&u=",distance 0; content:"&cv=",distance 0; content:"&sv=",distance 0; content:"&os=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/735fd8ce66e6f0e412f18242d37c12fb38f26f471051eac2f0fe2df89d0e4966/analysis/; classtype:trojan-activity; sid:21242; rev:6; service:http; )
02670 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"/logo.png?"; content:"&tq=",distance 0; content:"gSoSEU",distance 0; pcre:"/logo\.png\x3f(sv\x3d\d{1,3})?\x26tq\x3d.*?SoSEU/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b9231471a9af849ccf3690ebc12cdc7ac4d942f6e417ba7261e7a4414bf1e329/analysis/; classtype:trojan-activity; sid:21239; rev:3; service:http; )
02671 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Spyeye-207 outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/rec.php",nocase; http_client_body; content:"data="; http_uri; pcre:"/rec\.php$/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=7595cde4ead4c3ad0015a2797fd5f9e6217bad2bf6e2d78576c924978c83b0cc-1323385736; classtype:trojan-activity; sid:20927; rev:4; service:http; )
02672 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Spyeye-206 outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:!"vcs="; http_uri; content:"/gate.php"; http_client_body; content:"data=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,spyeyetracker.abuse.ch; classtype:trojan-activity; sid:20763; rev:3; service:http; )
02677 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Virut-3 outbound connection"; flow:to_server,established; http_uri; content:"default.php?qry="; content:"tgt=",distance 0; content:"searchKey=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=67a4a0ad409127cee7d4b384b500b6e88ca6b8ec95c8c1132adb8834604f4ad2-1313199983; classtype:trojan-activity; sid:20754; rev:3; service:http; )
02680 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"auth=",nocase; content:"version=",distance 0,nocase; content:"port25=",distance 0,nocase; content:"architecture=",distance 0,nocase; content:"rights=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=a33c348c55ba2bddce89a7c51cac117a; classtype:trojan-activity; sid:20280; rev:4; service:http; )
02681 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cycbot outbound connection"; flow:to_server,established; http_uri; content:"&tq=g"; pcre:"/\x2e(jpg|png|gif)\x3fs?v.*?&tq=g[A-Z0-9]{2}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=01fabe4ad1552f4d61b614a319c90b33a6b6b48c5da63965924b687e3f251ca8-1316273623; classtype:trojan-activity; sid:20232; rev:7; service:http; )
02683 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Hupigon variant outbound connection"; flow:to_server,established; http_uri; content:"/ip.txt",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|"; pkt_data; content:!"Referer"; http_header; pcre:"/^User-Agent\x3a\x20[A-Z]{9}\x0d\x0a/m"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d72cf20f79da69781b0a7decdd9dfb1ffa2d62f75576861327eb0efd5da228d9-1314752283; classtype:trojan-activity; sid:20228; rev:4; service:http; )
# sid 20204 (Taidoor): the first content (".php?id=0") precedes the http_uri sticky buffer, so under the
# sticky-buffer convention used by the rest of this file it is evaluated against pkt_data rather than the
# normalized URI; only "111D30" and the ^...$-anchored pcre are URI-scoped. This looks like a conversion
# leftover -- confirm whether both contents were meant to be http_uri.
02686 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Taidoor outbound connection"; flow:to_server,established; content:".php?id=0",nocase; http_uri; content:"111D30",fast_pattern,nocase; pcre:"/^\/[a-z]{5}\.php\?id=0\d{5}111D30[a-zA-Z0-9]{6}$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0611; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; reference:url,www.virustotal.com/file-scan/report.html?id=145d64f38564eafa4fb5da0722c0e7348168024d32ada5cfb37a49f5811cb6b8-1315612892; classtype:trojan-activity; sid:20204; rev:4; service:http; )
02687 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Revir-1 outbound connection"; flow:to_server,established; http_uri; content:"/cdmax",nocase; pcre:"/^\/cdmax$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=b1e52289977e72ef905e07cbec8a7fbb72706fd2450aadb90acaf5377c0be8ef-1317048445; classtype:trojan-activity; sid:20202; rev:5; service:http; )
02688 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Yakes.cbi outbound connection"; flow:to_server,established; http_uri; content:"/gate.php?v=",nocase; content:"|26|b|3D|",distance 0,nocase; content:"|26|r|3D|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=5deaa7b46f1820c7776339bf975b9b8ac5fa50ceb36967989c06b03a3e980e33-1314937203; classtype:trojan-activity; sid:20081; rev:3; service:http; )
02691 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.DelfInject.gen!X outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/account?mode=auth",nocase; http_client_body; content:"user=",nocase; content:"pss=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=90dab78d3ce340823d736c11b7b6e20b7566d7e545efdac8527c6786e86d3506-1310995856; classtype:trojan-activity; sid:19912; rev:2; service:http; )
02692 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bobax botnet variant outbound connection"; flow:to_server,established; http_uri; content:"&wr="; content:"/reg?"; pcre:"/\x26tv\x3d\d\.\d\.\d{4}\.\d{4}/smi"; pcre:"/u=[\dA-Fa-f]{8}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatexpert.com/report.aspx?md5=89f6a4c3973f54c2bee9f50f62428278; classtype:trojan-activity; sid:16489; rev:6; service:http; )
02693 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Tracur variant outbound connection"; flow:to_server,established; http_uri; content:"fQ_fQ_fQ_fQ"; pcre:"/mJKV[^\s\x0D\x0A]+1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=9a0b76500490d528b60e6a5662bf2d41; classtype:trojan-activity; sid:19801; rev:4; service:http; )
02697 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker.BXF outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/aviso_c1.php",fast_pattern; http_client_body; content:"rotina|3D|",nocase; content:"maquina|3D|",distance 0,nocase; content:"instalado|3D|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=14ff9539ab76ab0f555dc4664c260709a576eb49fdb625784ee2e3ff0b1bfe07-1312898593; classtype:trojan-activity; sid:19765; rev:5; service:http; )
02698 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ftpharvxqq.A outbound connection"; flow:to_server,established; http_uri; content:"/hole.php"; http_client_body; content:"num=",nocase; content:"&buffer=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=595eea79c7a5e3c26650e9a1cbf780bf; classtype:trojan-activity; sid:19761; rev:5; service:http; )
02700 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Darkwebot.A outbound connection"; flow:to_server,established; http_uri; content:"/getcmd.php?uid=",nocase; content:"&ver=",nocase; content:"&traff=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=819550132c76f9ccaa51e87a332f0bace159ac47dc45932afd517e74ba692ed5-1311881202; classtype:trojan-activity; sid:19731; rev:3; service:http; )
02702 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Pherbot.A outbound connection"; flow:to_server,established; http_uri; content:"bot.php?hwid="; content:"&pcname=",distance 0,nocase; content:"&antwort=",distance 5,nocase; content:"&os=",distance 5,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=40e7e0697fc7ae87d98497cbef5a4891f9d98eb36b609ce18f8b871a41168490-1311358921; classtype:trojan-activity; sid:19723; rev:3; service:http; )
02703 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Poshtroper.A outbound connection"; flow:to_server,established; http_uri; content:"/multireport/shop.php?fol=",nocase; content:"&ac=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=960e08967210caa1cf7587c7a25673f4fb611dbe575f0d437ba0b764b97e1461-1311016826; classtype:trojan-activity; sid:19722; rev:5; service:http; )
02704 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader W32.Genome.gen outbound connection"; flow:to_server,established; http_uri; content:"php?praquem=",nocase; content:"titulo=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=9b4c0118c802c3fc79c90764e9bf7c70e7efb8f04726785eb4f7f75f9785e61b-1307526633; classtype:trojan-activity; sid:19712; rev:3; service:http; )
02706 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.cer outbound connection"; flow:to_server,established; http_uri; content:"/com_plugin.php",nocase; http_client_body; content:"subject|3D|",nocase; content:"|26|message|3D|",distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f0adcc846220d1fbcbba69929f48ce928650228e6216d3211b9a116111154f9d-1307493565; classtype:trojan-activity; sid:19706; rev:5; service:http; )
02711 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MCnovogic.A outbound connection"; flow:to_server,established; http_uri; content:"/Default.asp?usuario=",nocase; content:"|26|x=",within 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=438d0355c3203af924166453db66ad8b0ff7aee611848b4dda43a9068bf14958-1309764834; classtype:trojan-activity; sid:19658; rev:5; service:http; )
02716 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Thinkpoint fake antivirus - user display"; flow:to_server,established; http_uri; content:"index_new.php",nocase; content:"id=roger",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17815; rev:4; service:http; )
02717 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Rogue AV download/update attempt"; flow:to_server,established; http_uri; content:"|2F 3F|b|3D|1s1",fast_pattern,nocase; http_header; content:"Mozilla",nocase; pcre:"/^User\x2DAgent\x3A\s*Mozilla\x0d?$/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/analisis/2063df10f553afa6b1257e576fbf88cf98093ec1ae15c079e947994a96fbfadd-1274312088; classtype:trojan-activity; sid:16695; rev:5; service:http; )
02720 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Koobface worm executable download"; flow:to_server,established; http_uri; content:"|2E|sys|2F 3F|getexe|3D|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352; classtype:trojan-activity; sid:16670; rev:4; service:http; )
02721 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Spyeye bot variant outbound connection"; flow:to_server,established; http_uri; content:"|2E|php|3F|guid|3D|",nocase; content:"ccrc|3D|",fast_pattern,nocase; content:"ver|3D|",nocase; content:"stat|3D|",nocase; content:"cpu|3D|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=84714c100d2dfc88629531f6456b8276; classtype:trojan-activity; sid:16669; rev:5; service:http; )
02723 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker.bkhu outbound connection"; flow:to_server,established; http_uri; content:".php?codigo="; content:"id=",distance 0,nocase; content:"computador=",distance 0,nocase; content:"usuario_windows=",distance 0,fast_pattern,nocase; http_header; content:"User-Agent|3A 20|HTTP Client",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=77d739bbceea4008e90b6431d9836fbe643ef4c47788b4fd9fc82d7f07f22889-1303135417; classtype:trojan-activity; sid:19353; rev:5; service:http; )
# sid 19164 (SpyEye): the negated header check is spelled "Referrer"; the HTTP header is "Referer". If the
# intent was "fire only when the request carries no Referer header", this negation is satisfied by nearly
# every request and adds no discrimination -- compare sid 20228 above, which negates "Referer". Detection
# then rests on POST + "/_cp/gate.php" alone.
02724 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SpyEye outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/_cp/gate.php"; http_header; content:!"Referrer",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d77c78e2072153e437f854aa3d677d8b985680d1b58fa48089a93889befac0c2-1304606417; classtype:trojan-activity; sid:19164; rev:6; service:http; )
# sids 19019/19018/19017 (MacBack): these three write "flow:to_server, established" with a space after the
# comma, unlike every other rule in this file; Snort's flow parser generally tolerates the whitespace, but
# it is inconsistent. The msg text "MacBack Win.Trojan.outbound connection" reads like a mechanical rename
# artifact (family name and "Trojan." fused). 19018 and 19017 fire on their URI only when the request has no
# User-Agent header at all (negated http_header content); 19019 requires the "0PERA" (digit zero) UA.
02725 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/cgi-mac/2wmcheckdir.cgi",fast_pattern; http_method; content:"POST"; http_header; content:"User-Agent|3A 20|0PERA|3A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19019; rev:6; service:http; )
02726 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/cgi-mac/whatismyip.cgi"; http_header; content:!"User-Agent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19018; rev:7; service:http; )
02727 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/CurlUpload"; http_header; content:!"User-Agent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19017; rev:7; service:http; )
02729 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bredolab bot variant outbound connection"; flow:to_server,established; http_uri; content:"controller|2E|php|3F|action|3D|",nocase; content:"entity_list|3D|",distance 0,nocase; content:"rnd|3D|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=b5a530185d35ea8305d3742e2ee5669f; classtype:trojan-activity; sid:16144; rev:10; service:http; )
02730 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/getcfg.php"; http_method; content:"POST"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=cc2f69011f7d5b0e1cf578c76a24ab7ced949cebc9960f1374ad275cb18ca092-1304106070; reference:url,www.virustotal.com/file-scan/report.html?id=f0317f48f1dfd0a9a9008985493f3bf310871dc6e2767b18aef8310328e007c2-1264118955; reference:url,www.virustotal.com/file/ad007bcb943baf5365f9c4bb3ef378e5ec83847aabed33544dd013fabc535482/analysis/; classtype:trojan-activity; sid:18939; rev:6; service:http; )
02735 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Koobface request for captcha"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/cap/temp/",nocase; pcre:"/^\x2Fcap\x2Ftemp\x2F[A-Za-z0-9]+\x2Ejpg/mi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16485; rev:8; service:http; )
02736 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Koobface variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/cap/?a=get&i=",nocase; pkt_data; pcre:"/\d+&/miR"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16484; rev:9; service:http; )
02737 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Zbot malware config file download request"; flow:to_server,established; http_uri; content:"/reklam/config",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=2a2419d34c7990297d9a2f7413a9af2a; classtype:trojan-activity; sid:16528; rev:5; service:http; )
02738 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Zbot malware config file download request"; flow:to_server,established; http_uri; content:"/dofyru.bmp",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=4cc069b84270be48bd84b7068dc3bf1a; classtype:trojan-activity; sid:16527; rev:5; service:http; )
# sid 16391 (Gozi): flow is "to_server" only -- the one rule in this section without "established"; the six
# URI parameter contents carry no distance/within constraints between them, and "passphrase=" is the only
# one without nocase. Confirm whether these departures from the neighbouring rules are intentional.
02741 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Gozi Win.Trojan.connection to C&C"; flow:to_server; http_uri; content:"user_id=",nocase; content:"version_id=",nocase; content:"passphrase="; content:"socks=",nocase; content:"version=",nocase; content:"crc=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/analisis/02e2428657cc20c9206b92474157e59e64d348b47d69dd320cb5e909e9150b99-1264446753; classtype:trojan-activity; sid:16391; rev:8; service:http; )
02751 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Sality virus HTTP GET request"; flow:to_server,established; http_uri; content:"/mrow_pin/?id",nocase; pkt_data; pcre:"/\x2Fmrow\x5Fpin\x2F\x3Fid\d+[a-z]{5,}\d{5}\x26rnd\x3D\d+/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=b61aaef4d4dfbddbd8126c987fb77374; classtype:trojan-activity; sid:15553; rev:5; service:http; )
# sid 10403 (Duntek): destination is the literal 85.17.3.250 port 80 rather than $EXTERNAL_NET $HTTP_PORTS --
# the only host-pinned rule in this section. Hard-coded C2 addresses decay as infrastructure moves; the
# "cmp=dun_tek" URI content is the durable part of the signature and the rule goes quiet once the host changes.
02753 alert tcp $HOME_NET any -> 85.17.3.250 80 ( msg:"MALWARE-CNC Trojan.Duntek Checkin GET Request"; flow:to_server,established; http_uri; content:"cmp=dun_tek",nocase; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99&tabid=2; classtype:trojan-activity; sid:10403; rev:9; service:http; )
# sids 16809-16833: all fourteen share the generic msg "known command and control channel traffic", so the
# alert text alone does not identify a family; triage has to go by sid and the per-sid
# labs.snort.org/docs/<sid>.html reference. Six of them (16833, 16828, 16826, 16817, 16811, 16810) rely on
# two unanchored URI contents with no distance/within constraint between them.
02757 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/ping.txt?u=",nocase; content:"pg=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16833.html; classtype:trojan-activity; sid:16833; rev:6; service:http; )
02758 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/LockIeHome/?mac=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16832.html; classtype:trojan-activity; sid:16832; rev:6; service:http; )
02759 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/indeh.php",nocase; content:"&v=5&z=com&s=f01",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16828.html; classtype:trojan-activity; sid:16828; rev:6; service:http; )
02760 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/code/pop_data3.asp?f=48843&t=a",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16827.html; classtype:trojan-activity; sid:16827; rev:6; service:http; )
02761 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/p6.asp?MAC=",nocase; content:"Publicer=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16826.html; classtype:trojan-activity; sid:16826; rev:6; service:http; )
02762 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/bar/v16-106/c1/jsc/fmr.js?c=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16824.html; classtype:trojan-activity; sid:16824; rev:6; service:http; )
02764 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/clcount/ip.asp?action=install&mac=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16822.html; classtype:trojan-activity; sid:16822; rev:6; service:http; )
02765 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:".php?ini=v22M",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16820.html; classtype:trojan-activity; sid:16820; rev:7; service:http; )
02766 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/ll.php?v=3",nocase; content:"wm_id=acc00",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16817.html; classtype:trojan-activity; sid:16817; rev:6; service:http; )
02767 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/ue000/38sw.e?uid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16816.html; classtype:trojan-activity; sid:16816; rev:6; service:http; )
02768 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/vscript/vercheck.psc?pcrc=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16812.html; classtype:trojan-activity; sid:16812; rev:6; service:http; )
02769 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/perce/",nocase; content:"qwerce.gif",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16811.html; classtype:trojan-activity; sid:16811; rev:6; service:http; )
02770 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"/werber/",nocase; content:"217.gif",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16810.html; classtype:trojan-activity; sid:16810; rev:6; service:http; )
02771 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; http_uri; content:"borders.php",nocase; http_client_body; content:"data=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16809.html; classtype:trojan-activity; sid:16809; rev:7; service:http; )
02777 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Httpbot.qdc variant outbound connection"; flow:to_server,established; http_uri; content:"|2E|php|3F|getCmd|26|id|3D|",nocase; http_header; content:!"|0A|Accept|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=baa26783d7e5af6e3336a20e83d5a018737971a322807936a3f8d5ee48fb261c-1286289927; classtype:trojan-activity; sid:19052; rev:4; service:http; )
02780 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gosik.A registration"; flow:to_server,established; http_uri; content:"|2F|connect|2E|php|3F|action|3D|getcomm|26|",nocase; http_header; content:!"|0A|Accept|3A|",nocase; content:!"|0A|User-Agent|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=95c5614d629f06ca58e1743ccede027bc16c028344a8d004b4a48a4c3a9382dd-1287167398; classtype:trojan-activity; sid:19055; rev:5; service:http; )
02785 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Proxy Win.Trojan.Dosenjo.C Runtime Detection"; flow:to_server,established; http_uri; content:"/l.php"; content:"cashingDeny=",distance 0; content:"winver=",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=22e5542569911f89a87f010b4219a59e84fd9855bafd41a7e0cc3c391cd0aaa4-1260727906; classtype:trojan-activity; sid:19429; rev:4; service:http; )
02791 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Clicker Win.Trojan.Hatigh.C outbound connection"; flow:to_server,established; http_uri; content:"/tmp/sh.php"; http_header; content:"quikup|2E|info"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=30c6c5561d610ccbd22e88b8265aaa4bd7e17a8e139c7e9aedc645c85ef40910-1259851653; classtype:trojan-activity; sid:19351; rev:5; service:http; )
02792 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm Win.Trojan.Sohanad.ila outbound connection"; flow:to_server,established; http_uri; content:"/poojasharma/setting.ini"; http_header; content:"User-Agent|3A 20|AutoIt"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=ec3aeafcc48aa50ef2a2f51ce9d50bd3a8d0989dca85966a20552527540cc5ac-1296912342; classtype:trojan-activity; sid:19357; rev:4; service:http; )
02796 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo client communication"; flow:to_server,established; http_uri; content:"/40e800",depth 7,nocase; pcre:"/^\x2F40e800[0-9A-F]{30,}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.eweek.com/c/a/Security/Inside-a-Modern-Malware-Distribution-System/; classtype:trojan-activity; sid:15165; rev:4; service:http; )
# sid 24211 (RAT update protocol): the only rule in this section with no reference: option. Detection rests
# on a POST to "/update?id=" whose headers carry the four custom X-Session/X-Status/X-Size/X-Sn names; add a
# reference (sample hash or writeup) so analysts can validate hits against the originating sample.
02802 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RAT update protocol connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/update?id="; http_header; content:"X-Session:",nocase; content:"X-Status:",nocase; content:"X-Size:",nocase; content:"X-Sn:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24211; rev:1; service:http; )
# sid 24214 (Seveto): "/svcs.php" is the only distinctive URI content; "m=", "v=" and "s=" are
# single-character parameter names with no "&" or "?" delimiter and no distance/within constraints, so they
# match as substrings anywhere in the URI. False-positive exposure is bounded by the path requirement only.
02803 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Seveto variant outbound connection"; flow:to_server,established; http_uri; content:"/svcs.php"; content:"m|3D|"; content:"v|3D|"; content:"s|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f7da52bf05bfd32f503ee653a1e1b22ad5a6b00597ebbe172158db12c9a75ff2/analysis/; classtype:trojan-activity; sid:24214; rev:2; service:http; )
02804 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; http_uri; content:"/index_post.php"; http_client_body; content:"tipo|3D|",nocase; content:"XP|3D|",nocase; content:"OUTROS|3D|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/e82b4000b71c4b01f361556422bafbdc8f148072fe74e2a1667e85a7ae94cb5a/analysis/; classtype:trojan-activity; sid:24215; rev:3; service:http; )
# sid 24224 (ZeroAccess): in the pcre the dot in "counter.img" is unescaped and matches any character;
# harmless here because the preceding http_uri contents already require the literal "/counter.img?theme=".
# The pcre is $-anchored, so the URI must end right after the siteId digits; the "Opera/9 (Win" UA is checked
# in http_header after the URI clauses.
02807 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound communication"; flow:to_server,established; http_uri; content:"/counter.img?theme=",nocase; content:"&digits=10&siteId=",distance 0,fast_pattern,nocase; pcre:"/counter.img\?theme\=\d+\&digits\=10\&siteId\=\d+$/i"; http_header; content:"User-Agent|3A 20|Opera/9 (Win"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx; classtype:trojan-activity; sid:24224; rev:2; service:http; )
02808 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Wuwo initial infection outbound connection"; flow:to_server,established; http_uri; content:"/AES",depth 4,fast_pattern; content:".jsp?",distance 0; pcre:"/\/AES\d{9}O\d{4,5}\x2ejsp/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/69C8178F867C9CF75D813285A9D80B5CCB73D46F99D54FA7043794190D2C7685/analysis/; classtype:trojan-activity; sid:24235; rev:1; service:http; )
02809 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Wuwo post infection outbound connection"; flow:to_server,established; http_uri; content:"/DES",depth 4,fast_pattern; content:".jsp?",distance 0; pcre:"/\/DES\d{9}O\d{4,5}\x2ejsp/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/69C8178F867C9CF75D813285A9D80B5CCB73D46F99D54FA7043794190D2C7685/analysis/; classtype:trojan-activity; sid:24236; rev:1; service:http; )
02810 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Sality logo.gif URLs"; flow:to_server,established; http_uri; content:"/logo.gif?"; pcre:"/\x2Flogo\.gif\x3F[0-9a-f]{5,7}=\d{5,7}/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus%3aWin32%2fSality.AT; classtype:trojan-activity; sid:24255; rev:3; service:http; )
02812 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gozi.Prinimalka variant outbound connection"; flow:to_server,established; http_uri; content:"/system/prinimalka.py/"; content:"user_id="; content:"version_id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/39009996a0f1c9deca07bd63c53741e7c2081820fbc8b84e0f6375b5f529fae7/analysis/; classtype:trojan-activity; sid:24361; rev:2; service:http; )
02816 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection"; flow:to_server,established; http_uri; content:"/cgi-bin/feed.cgi"; http_header; content:"Host:",nocase; pcre:"/^Host\x3a\s*(cache.dyndns.info|flashcenter.info|flashrider.org|webapp.serveftp.com|web.autoflash.info|webupdate.dyndns.info|webupdate.hopto.org|web.velocitycache.com)/smi"; flowbits:set,malware.miniflame; metadata:impact_flag red,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24406; rev:3; service:http; )
02817 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection"; flow:to_server,established; http_uri; content:"/cgi-bin/counter.cgi"; http_header; content:"Host:",nocase; pcre:"/^Host\x3a\s*(194.192.14.125|202.75.58.179|flashupdates.info|nvidiadrivers.info|nvidiasoft.info|nvidiastream.info|rendercodec.info|syncstream.info|videosync.info)/smi"; flowbits:set,malware.miniflame; metadata:impact_flag red,policy security-ips drop,service http; reference:url,www.virustotal.com/file/741c49af3dbc11c14327bb7447dbade53f15cd59b17f1d359162d9ddbfdc1191/analysis/; classtype:trojan-activity; sid:24407; rev:3; service:http; )
02819 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chif variant outbound connection"; flow:to_server,established; http_uri; content:"/?f=ZnRwOi8v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3d5f26b36d57268e01c60ad1fd0d6b36bd4fdc3b2e83cea231b1f9ff635a6f50/analysis; classtype:trojan-activity; sid:24482; rev:4; service:http; )
02820 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo redirection landing page pre-infection"; flow:to_server,established; http_uri; content:"/cgi-bin/r.cgi",depth 14,nocase; content:"?p=",distance 0,nocase; content:"&m=",distance 0,nocase; content:"&h=",distance 32,nocase; content:"&u=",distance 0,nocase; content:"&q=",distance 0,nocase; content:"&t=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www9.dyndns-server.com:8080/pub/botnet-links.html; classtype:attempted-user; sid:24491; rev:4; service:http; )
02821 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/se/",nocase; isdataat:100,relative; pcre:"/\/se\/[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:24492; rev:2; service:http; )
02822 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/html/license_",nocase; isdataat:550,relative; pcre:"/\/html\/license_[0-9A-F]{550,}\.html$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24493; rev:2; service:http; )
02824 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_uri; content:"/cgi-bin/rokfeller3.cgi?v=11"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24495; rev:3; service:http; )
02825 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/cgi-bin/shopping3.cgi?a="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:24496; rev:4; service:http; )
02826 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/cgi-bin/unshopping3.cgi?b="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:24497; rev:4; service:http; )
02827 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.VB variant outbound connection"; flow:to_server,established; http_uri; content:"/omerta/Mail/Mail1.3.php?"; content:"OS=Windows",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f7eff299783ff52a27fb25f479868eebb4e838ef8a5af0b123d316a712b522e8/analysis/; classtype:trojan-activity; sid:24504; rev:2; service:http; )
02832 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; http_uri; content:"/~monducci/email.php"; http_client_body; content:"remetente"; content:"assunto=Infect"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/c984c3077daffeaf19cecda6d0ca6eac5102af9dd0e9cfd93867fd22d47cac49/analysis/; classtype:trojan-activity; sid:24533; rev:2; service:http; )
02835 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jorik variant outbound connection"; flow:to_server,established; http_uri; content:"/adduser.php?uid=",nocase; content:"&lan=",distance 0,nocase; content:"&cmpname=",distance 0,nocase; content:"&country=",distance 0,nocase; content:"&ver=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/CE3FCBDCB255109126530E343DCAF7E6E13C3E9A2B2DD088BBF089E16E83FC0E/analysis/; classtype:trojan-activity; sid:24566; rev:1; service:http; )
02838 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm.Win32.Nusump.A outbound connection"; flow:to_server,established; http_uri; content:"|2F|index|2E|php|3F|",nocase; content:"|26|co|3D|",nocase; content:"|26|us|3D|",nocase; content:"|26|dt|3D|",nocase; http_header; content:!"|0A|Accept",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=42c5002aefb925a00093f764ceb41ecdea814382f94525ec7a662956dff35620-1281716324; classtype:trojan-activity; sid:19053; rev:3; service:http; )
02839 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC VBMania mass mailing worm activity"; flow:to_server,established; http_uri; content:"SendEmail|2E|iq"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284133892; classtype:trojan-activity; sid:17234; rev:2; service:http; )
02841 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Klovbot variant outbound connection"; flow:to_server,established; http_uri; content:"/bots.php"; http_client_body; content:"iName=",depth 6; content:"&STLftps=",within 128,distance 4; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/56517C442332FC29324078ADC310AEF075B53B33F7B0E94685A1548C3A5F1F9E/analysis/; classtype:trojan-activity; sid:24630; rev:1; service:http; )
02845 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dorkbot outbound connection"; flow:to_server,established; http_uri; content:".php?ip="; content:"&os=",distance 0; content:"&name=",distance 0; content:"&id=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:2; service:http; )
02848 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jorik.Kolilks outbound connection"; flow:to_server,established; http_uri; content:"/kills.txt?"; pcre:"/\x2fkills\x2etxt\x3f(t\d|p)\x3d\d{6}$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/24a892d90f819cea79dfe6f8acd007bad920dbf55c1bfdaffc984cb8efa32527/analysis/; classtype:trojan-activity; sid:25049; rev:1; service:http; )
02850 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Injector variant outbound connection"; flow:to_server,established; http_uri; content:".php?s=",nocase; content:"g=nb.Install"; content:"m=",nocase; content:"ml=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/cbcc6536ebb20f9d936d88e20a29c1c1d9a55555623bf74ee6908d9c7c7af9b9/analysis/; classtype:trojan-activity; sid:25070; rev:2; service:http; )
02852 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dulom variant outbound connection"; flow:to_server,established; http_uri; content:"/services.php"; content:"get=",nocase; content:"ver=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25072; rev:3; service:http; )
02860 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast outbound connection"; flow:to_server,established; http_uri; content:"/file.aspx?file="; http_header; content:"ksp/WS"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity; sid:25258; rev:3; service:http; )
02863 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buzus outbound connection"; flow:to_server,established; http_uri; content:"/default.aspx?ver="; content:"&uid=",distance 0; http_header; content:"|3B 20|MRA|20|5.10|20|"; http_uri; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25271; rev:2; service:http; )
02864 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ruskill variant outbound connection"; flow:to_server,established; http_uri; content:"/rssnews.php"; http_client_body; content:"id=",nocase; content:"varname=",nocase; content:"comp=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb/analysis/; classtype:trojan-activity; sid:25371; rev:1; service:http; )
02865 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader variant outbound connection"; flow:to_server,established; http_uri; content:"/new/iistart.html"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b2a59c329413ac9527e78ac791f96e81113426f57027c335c1dd96ce820a115d/analysis/; classtype:trojan-activity; sid:25465; rev:1; service:http; )
02866 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:39; http_uri; content:"/?ptrxcz_"; pcre:"/^\x2f\x3fptrxcz\x5f[a-zA-Z0-9]{30}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:25471; rev:3; service:http; )
02867 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Necurs Rootkit sba.cgi"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:16; http_uri; content:"/cgi-bin/sba.cgi"; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25503; rev:2; service:http; )
02868 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Necurs Rootkit op.cgi"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:15; http_uri; content:"/cgi-bin/op.cgi"; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25504; rev:2; service:http; )
02870 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC SpyForms malware call home attempt"; flow:to_server,established; http_uri; content:"/evil/services/bid_register.php?BID="; pcre:"/\x2Fevil\x2Fservices\x2Fbid_register\x2Ephp\x3FBID\x3D[A-Za-z]{6}\x26IP\x3D\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x26cipher\x3D[A-Za-z]{9}/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatexpert.com/report.aspx?md5=acf30e13cbcf7eafc8475e976f7af3ec; classtype:trojan-activity; sid:16362; rev:4; service:http; )
02871 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Sigly variant outbound connection"; flow:to_server,established; http_uri; content:"/kiss.php"; http_client_body; content:"|4D 61 CA 19 62 C9 58 BB|",depth 8; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/a24be7092e231bd309e2a5accffa0faccb9b0bdbeca3c176f2548e8f3704b616/analysis/; classtype:trojan-activity; sid:25541; rev:1; service:http; )
02872 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Printlove variant outbound connection"; flow:to_server,established; http_uri; content:"/ldrcfg.php"; http_client_body; content:"id=x",nocase; content:"cn=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/36aefe98416471a97e36f8e9e0ba36e5588a7b83eb776c0e62cfc9d55779380f/analysis/; classtype:trojan-activity; sid:25545; rev:1; service:http; )
02873 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dexter variant outbound connection"; flow:to_server,established; http_uri; content:"/gateway.php"; http_client_body; content:"page=",depth 5; content:"&unm=",within 384; content:"&query=",within 128; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/CAE3CDAAA1EC224843E1C3EFB78505B2E0781D70502BEDFF5715DC0E9B561785/analysis/; classtype:trojan-activity; sid:25553; rev:2; service:http; )
02874 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Medialabs outbound connection"; flow:to_server,established; http_uri; content:"/?act="; content:"&lang=",distance 0; content:"&wmid=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/949F178D9A4B771CA8A4B517298EF00BEC3C4C08016CE9445C093BF444EB05FE/analysis/; classtype:trojan-activity; sid:25570; rev:1; service:http; )
02875 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Medialabs outbound connection"; flow:to_server,established; http_uri; content:"/?ping="; content:"&instid=",distance 0; content:"&step=",distance 0; content:"&vermini=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/949F178D9A4B771CA8A4B517298EF00BEC3C4C08016CE9445C093BF444EB05FE/analysis/; classtype:trojan-activity; sid:25571; rev:1; service:http; )
02877 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:15; http_uri; content:"/admin/host.php"; http_client_body; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/98fb9778208cb74c11a71afd065ae64e562ded1ae477ad42e392fe3711170319/analysis/; classtype:trojan-activity; sid:25577; rev:2; service:http; )
02878 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Dilavtor variant outbound connection"; flow:to_server,established; http_uri; content:"&a=aff_3556"; content:"?i=",nocase; content:"&u=",distance 0,nocase; content:"&l=",distance 0,nocase; content:"&f=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3116E49F16D0C789975DF51F1C103B3F30A60BE08FFE30D3BBC629FAC9C3AF67/analysis/; classtype:trojan-activity; sid:25600; rev:1; service:http; )
02879 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; http_uri; content:"/insert.php"; pkt_data; content:"nome_pc=",nocase; content:"opcao=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25609; rev:1; service:http; )
02880 alert tcp $HOME_NET any -> $EXTERNAL_NET 8899 ( msg:"MALWARE-CNC Win.Trojan.Daws variant outbound connection"; flow:to_server,established; http_uri; content:"/log_it.php"; content:"t=",nocase; content:"m=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/9dd38d5e29d0249e04f09eb41e7163fc31395fbefc142f9031817ebb6b3014f0/analysis/; classtype:trojan-activity; sid:25625; rev:1; service:http; )
02881 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/dudley.php"; http_client_body; content:"remetente=",nocase; content:"destino=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/e48184401b7c4f83b91079b56eec44f2f4f53311d8ac69a6380aa809458620fd/analysis/; classtype:trojan-activity; sid:25626; rev:1; service:http; )
02885 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; http_uri; content:"/bots.php"; content:"name=",nocase; content:"so=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/339640de61e725c495c2404565ffb1afb9b89c516306bf09697ca9a058eb98d5/analysis/; classtype:trojan-activity; sid:25661; rev:1; service:http; )
02886 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chowspy variant outbound connection"; flow:to_server,established; http_uri; content:"/check_counter.php"; content:"pid=",nocase; content:"mac=",nocase; content:"kind=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/ba3a5098f80acc4cc3fd02a8765306f724b7d41c06285e74795ba109e63d32bd/analysis/; classtype:trojan-activity; sid:25662; rev:1; service:http; )
02887 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rimod variant outbound connection"; flow:to_server,established; http_uri; content:"/webserver"; content:"uptime=",nocase; content:"ping=",nocase; content:"hits=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/ee5e100e94f2484d896eb6f04f7541f706cc6b6e1871d4e9a75cb465ba8895f6/analysis/; classtype:trojan-activity; sid:25663; rev:1; service:http; )
02888 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Selasloot variant outbound connection"; flow:to_server,established; http_uri; content:"/snwd.php"; content:"tp="; content:"&tg=",within 12,distance 1; content:"&ts=Microsoft"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3026B25C0B76E9341CF894F275F5222462B799C6439A1920555D09E97B92760A/analysis/; classtype:trojan-activity; sid:25669; rev:2; service:http; )
02891 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/cmd.php?cmd="; content:"arq=",distance 0; content:"cmd2=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fBancos; classtype:trojan-activity; sid:25766; rev:2; service:http; )
02893 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Sality logos.gif URLs"; flow:to_server,established; http_uri; content:"/logos.gif?"; pcre:"/\x2Flogos\.gif\x3F[0-9a-f]+=\x2d?\d+/i"; http_header; content:!"|0A|Referer|3A|"; content:!"|0A|Cookie|3A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/79416e894ee7040e88f9918802db4d473140d45e45d945abebe820a1841ec5ba/analysis/; classtype:trojan-activity; sid:25809; rev:3; service:http; )
02894 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Banker FTC variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:18; http_uri; content:"/listas/out/si.php"; pkt_data; content:"HTTP/1.0|0D 0A|",depth 10,offset 24; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx; classtype:trojan-activity; sid:25829; rev:2; service:http; )
02897 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Boolflot variant outbound connection"; flow:to_server,established; http_uri; content:"/bot/reg.php?guid=",depth 18; content:"&os=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/DEDC949773B39A6CFAE20249CA90F07B222C8431CA8E652A4C1344BE49E0C655/analysis/; classtype:trojan-activity; sid:25973; rev:1; service:http; )
02899 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bredo variant outbound connection"; flow:to_server,established; http_uri; content:"/forum/images.php?id="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.spyware-techie.com/malbredo-q-removal-guide; classtype:trojan-activity; sid:26019; rev:2; service:http; )
02901 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Wecod variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:20; http_uri; content:"/b/n/winrar/tudo.rar"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c0d23385cc6319d430cd4faed5241f362/analysis/; classtype:trojan-activity; sid:26024; rev:2; service:http; )
02902 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Locati variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/home/index.asp?typeid="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/130411FDD36046693E5CB49BBEE9CCD628BCB4CFB1E581D03E7787D298136F73/analysis/; classtype:trojan-activity; sid:26072; rev:1; service:http; )
02907 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/chkupdt.asp"; http_client_body; content:"ver=",depth 4; http_header; content:!"User-Agent:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/A8C1E66889E9760B80C9849385BC7F833996EB7823FCC36812413833CAB85C6B/analysis/; classtype:trojan-activity; sid:26119; rev:2; service:http; )
02912 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Dapato banking Trojan outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:21; http_uri; content:"/pics/_vti_cnf/00.inf"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4ad295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:1; service:http; )
02915 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC FBI Ransom Trojan variant outbound connection"; flow:to_server,established; http_uri; content:"/nosignal.jpg?"; pcre:"/^\x2fnosignal\.jpg\?\d\.\d+$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26335; rev:2; service:http; )
02920 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; http_uri; content:"/images/m.php?id="; http_header; content:"|3B 20|MSIE 6.0|3B 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26578; rev:1; service:http; )
02921 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; http_uri; content:"/ccbill/m.php?id="; http_header; content:"|3B 20|MSIE 6.0|3B 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26579; rev:1; service:http; )
02928 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Medfos Trojan outbound connection"; flow:to_server,established; http_uri; content:"/feed?req=http"; http_header; content:"|3B| MSIE "; content:!"|0D 0A|Accept-Language:"; content:!"|0D 0A|Referer:"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc3c9fad4e56796306842c7b50b553ae11/analysis/; classtype:trojan-activity; sid:26613; rev:1; service:http; )
02929 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Travnet Botnet data upload"; flow:to_server,established; http_uri; content:"hostid="; content:"|26|hostname="; content:"|26|hostip="; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/F7E9A1A4FC4766ABD799B517AD70CD5FA234C8ACC10D96CA51ECF9CF227B94E8/analysis/; classtype:trojan-activity; sid:26656; rev:1; service:http; )
02940 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Namihno Trojan CnC Request"; flow:to_server,established; http_uri; content:"/windows/update/search?hl="; content:"&q=",distance 0; content:"&meta=",distance 0; content:"&id=",distance 0; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26695; rev:3; service:http; )
02948 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_alive.php?id="; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26719; rev:1; service:http; )
02949 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_task.php?id="; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26720; rev:1; service:http; )
02950 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:39; http_uri; content:"/?xclve_"; pcre:"/^\x2f\x3fxclve\x5f[a-zA-Z0-9]{30}$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:26721; rev:1; service:http; )
02980 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Luder outbound connection"; flow:to_server,established; http_uri; content:"/loader.cpl"; pcre:"/\/loader\.cpl$/"; http_header; content:"|3B 20|MSIE|20|"; content:!"|0D 0A|Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76ee071b051970971212bae8/analysis/; classtype:trojan-activity; sid:26774; rev:1; service:http; )
02983 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_uri; content:"/m/IbQ"; http_header; content:!"PacketShaper"; http_uri; pcre:"/\/m\/ibq(?!c)[a-p]/ims"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26777; rev:3; service:http; )
02986 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nivdort variant outbound connection"; flow:to_server,established; http_uri; content:"/forum/search.php?method=",nocase; content:"&mode=",distance 0,nocase; content:"&v=",distance 0,nocase; content:"&sox=",distance 0,nocase; http_header; content:!"User-Agent|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/0fecc5c3d6a3ffe4230fb9575f835cee02945a0fcbf93df784570aaeaa9d7135/analysis/; classtype:trojan-activity; sid:26784; rev:1; service:http; )
02987 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbula variant outbound connection"; flow:to_server,established; http_uri; content:"/miragem/comunic.php"; http_client_body; content:"ext=",nocase; content:"cliente=",distance 0,nocase; content:"mensagem=",distance 0,nocase; content:"tipo=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26792; rev:1; service:http; )
02988 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbula variant initial CNC contact"; flow:to_server,established; http_uri; content:"/novinha/imgjpgcnf"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26793; rev:1; service:http; )
02989 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Tomvode variant outbound connection"; flow:to_server,established; http_uri; content:"/Default.asp?uid=",fast_pattern,nocase; content:"&do=",distance 0,nocase; content:"&view=",distance 0,nocase; content:"&_lgmode=",distance 0,nocase; content:"&from=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/D5FC378AB31019F99F613BDBABD5AA63D97A3CD0031E90265427DB912D744F88/analysis/; classtype:trojan-activity; sid:26809; rev:1; service:http; )
# sid 26811 - fake-AV payment page: the image request itself is unremarkable;
# the discriminator is a Referer of the form
# http://<host>/?do=payment&ver=N&sid=N&sn=N, where <host> is limited to
# lowercase letters, digits, "." and "-" (a host:port suffix is not matched).
# bufferlen:23 equals the length of "/content/img/awards.jpg", so no query
# string on the image request is tolerated.
02990 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; http_raw_uri; bufferlen:23; http_uri; content:"/content/img/awards.jpg"; http_header; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1; service:http; )
02992 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Dapato CMS spambot check-in"; flow:to_server,established; http_uri; content:"/seek.cgi?lin=",nocase; content:"&db=",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:trojan-activity; sid:26813; rev:1; service:http; )
02997 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spy.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"?action=add&a="; content:"&c=",within 12,distance 1; content:"&l=&p="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26840; rev:1; service:http; )
02998 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spy.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"?action=add&a="; content:"&c=",within 12,distance 1; content:"&l=Microsoft"; content:"Windows",within 12; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26841; rev:1; service:http; )
02999 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/info.php?act="; pcre:"/^\/info\.php\?act\x3d(list|online)/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:1; service:http; )
# sid 26923 - Zeus: URI ending in /images/<one letter>.php?id=<2-3 digits>,
# optionally followed by ".<digit>". The shape is generic enough that
# legitimate sites with single-letter PHP scripts under /images/ may trigger
# it, and the rule carries no reference to a sample to tune against.
# Consider adding a header negation (as sids 26931 and 26965 do) before
# running it in drop mode.
03001 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; http_uri; content:"/images/"; content:".php?id=",distance 1; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26923; rev:1; service:http; )
03003 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess outbound connection"; flow:to_server,established; http_uri; content:"/form.php?mode="; content:"&UID=",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26930; rev:1; service:http; )
03004 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeroaccess outbound connection"; flow:to_server,established; http_uri; content:"/links.php?mode=1"; http_header; content:!"Referer"; content:!"Cookie"; content:!"Content-Length"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26931; rev:1; service:http; )
03007 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.PipCreat RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/adminweb/news.asp?id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26942; rev:1; service:http; )
03008 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Post_Show RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/jp/admin.asp"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26943; rev:1; service:http; )
03009 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Post_Show RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:"/post_show.asp?"; content:"123456789"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26944; rev:1; service:http; )
03010 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Bisonal RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_uri; content:".asp?id=",nocase; content:"host:",distance 0,nocase; content:"user:",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26945; rev:1; service:http; )
# sid 26946 - Uptime RAT: the hex contents are UTF-16LE "Day", "Hour" and
# "Min" carried in the URI (the implant appears to report uptime as wide-char
# text). Only "Day" is anchored after ".asp?id="; "Hour" and "Min" have no
# relative modifiers and may appear anywhere in the URI.
03011 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Uptime RAT beacon attempt"; flow:to_server,established; http_uri; content:".asp?id="; content:"|44 00 61 00 79|",distance 0; content:"|48 00 6F 00 75 00 72|"; content:"|4D 00 69 00 6E|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26946; rev:1; service:http; )
# sid 26952 - Orcim: C2 observed on TCP/88 in addition to the usual HTTP ports.
# NOTE(review): http_uri is only populated when the HTTP inspector handles the
# flow, so port 88 traffic must actually be bound to it (binder/wizard in
# Snort 3, http_inspect server ports in Snort 2); otherwise the extra port in
# the header never produces a match.
03012 alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,88] ( msg:"MALWARE-CNC Win.Trojan.Orcim variant outbound connection"; flow:to_server,established; http_uri; content:"/u_get.asp?smac="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis/; classtype:trojan-activity; sid:26952; rev:2; service:http; )
03014 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; http_uri; content:"/forum/search.php?email="; content:"&method=",distance 0; http_header; content:!"Referer"; content:!"Accept-"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:1; service:http; )
# sid 26966 - Autorun.JN: the request is pinned to exactly 142 payload bytes
# and an 8-byte raw URI "//u5.htm". dsize makes this brittle - any change in
# the implant's headers defeats the rule. NOTE(review): the "//u5.htm" content
# is checked in the normalized http_uri buffer; if the inspector collapses the
# doubled slash (Snort 3 simplify_path is on by default) it can never match
# there. Confirm on a sample, or move the content to http_raw_uri.
03015 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; http_raw_uri; bufferlen:8; http_uri; content:"//u5.htm"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:2; service:http; )
03016 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection"; flow:to_server,established; http_uri; content:"/img/get.php?d_info="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:26967; rev:1; service:http; )
# sid 26984 - Injector stealer: depth 9 forces "/xgi-bin/" to open the URI;
# ".php?" is 5 bytes searched in a 5-byte window starting 1 byte later, so the
# script name is exactly one character (/xgi-bin/X.php?). The header checks
# require an "; MSIE " User-Agent with no Accept-Language header - the same
# IE-without-Accept-Language tell used by sid 26774.
03017 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan outbound connection"; flow:to_server,established; http_uri; content:"/xgi-bin/",depth 9; content:".php?",within 5,distance 1; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:2; service:http; )
03021 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; http_uri; content:"new/f21312a",fast_pattern; http_header; content:"baidu.com"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:26999; rev:1; service:http; )
03023 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Zbot outbound connection"; flow:to_server,established; http_uri; content:"/col/cfg.bin"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27007; rev:1; service:http; )
03024 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Zbot outbound connection"; flow:to_server,established; http_uri; content:"/col/gate.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27008; rev:1; service:http; )
# sid 27012 - Phoenot: "mylogs.php" must be in the URI; pkt_data then switches
# back to the raw payload, where "&username=", "&os=" and "logs=" are matched
# in any order and at any position (no distance/within), so they may sit in
# the query string or the body. "logs=" has no leading "&" and therefore also
# matches "&logs=" and "mylogs=".
03026 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_server,established; http_uri; content:"mylogs.php"; pkt_data; content:"&username="; content:"&os="; content:"logs="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27012; rev:1; service:http; )
03030 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; http_uri; content:"/get.asp?mac="; content:"&os=",within 36; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1; service:http; )
03032 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Yakes outbound connection"; flow:to_server,established; http_client_body; content:"=qgAAAAgA"; http_uri; content:"/report.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27054; rev:1; service:http; )
03034 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.HackBack outbound connection"; flow:to_server,established; http_uri; content:"/ADMac/up.php?cname="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27058; rev:1; service:http; )
# sid 27093 - Medfos: URI must be exactly "/uploading/id=<digits>&u=...==" and
# the request must have no Referer header (the trailing "==" looks like base64
# padding in the u parameter). NOTE(review): the second "/" in the pcre is
# unescaped ("/uploading/id="); Snort finds the closing delimiter from the end
# so this still compiles, but write it as "\/uploading\/id=" for consistency
# with the rest of the file. The rule carries no sample reference.
03035 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; http_uri; content:"/uploading/id="; content:"&u=",distance 0; content:"==",distance 0; http_header; content:!"Referer"; http_uri; pcre:"/^\/uploading/id=\d+\&u=.*\=\=$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27093; rev:1; service:http; )
03036 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/minzhu0906/article/54726977"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/e6e009755ab37fa41e92059f29c25518f47ab09dbc881c30c96415ee1048241b/analysis; classtype:trojan-activity; sid:27120; rev:1; service:http; )
03037 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Atezag variant outbound connection"; flow:to_server,established; http_uri; content:"/carga1/recept.php"; http_client_body; content:"condicao=",nocase; content:"arq=",distance 0,nocase; content:"texto=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2d85447bc2634a2620ad76be2a5eb331f5a06276e5b597d36ba26643850d4dcb/analysis/; classtype:trojan-activity; sid:27169; rev:1; service:http; )
03041 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_uri; content:"/watch?v=DZZ3tTTBiTs"; http_header; content:"youtube.com",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27545; rev:2; service:http; )
03042 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_uri; content:"/watch?v=ky4M9kxUM7Y"; http_header; content:"youtube.com",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27546; rev:2; service:http; )
03043 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Janicab outbound communication"; flow:to_server,established; http_header; content:"hjdullink.nl"; http_uri; content:"/images/re.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27547; rev:2; service:http; )
03044 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Lorapu variant outbound connection"; flow:to_server,established; http_uri; content:"/v12/kkrasxuparola/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/23de6502fbdb613dd9de4c7cdf68f00170cd53e8130af39623b5d9cac3807c92/analysis/; classtype:trojan-activity; sid:27551; rev:1; service:http; )
03049 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Malvertising redirection campaign - blackmuscat"; flow:to_server,established; http_uri; content:"/blackmuscat"; pcre:"/\x2fblackmuscats?\x3f\d/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23833; rev:3; service:http; )
03050 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; http_uri; content:"/rebots.php"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4; service:http; )
03053 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Horde javascript.php href backdoor"; flow:to_server,established; http_uri; content:"/horde/services/javascript.php",fast_pattern; http_cookie; content:"href="; http_client_body; content:"file=open_calendar.js"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0209; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; classtype:trojan-activity; sid:21555; rev:2; service:http; )
# sid 24099 - malvertising redirect: URI of the form ".ru/<word>?<digit>" at
# the end of the request target. NOTE(review): the "|0D 0A|" content is
# evaluated in the http_uri buffer, which normally ends before the
# request-line terminator; if so that check can never be satisfied and the
# rule is silent. Verify against a pcap and, if confirmed, drop the CRLF
# content and rely on the pcre "$" anchor that is already there.
03054 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_server,established; http_uri; content:".ru/",nocase; content:"/?",distance 0; content:"|0D 0A|",within 2,distance 1; pcre:"/\x2eru/\w+\?\d$/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:24099; rev:2; service:http; )
# sid 24225 - "YWZmaWQ9MDUyODg" is base64 for "affid=05288" (the last
# character is only partially encoded), i.e. a hard-coded affiliate id passed
# in the "a=" parameter. Single-IOC rule: a campaign with a different
# affiliate id is not covered.
03059 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; http_uri; content:"a=YWZmaWQ9MDUyODg"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:2; service:http; )
03085 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware myway speedbar runtime detection - switch engines"; flow:to_server,established; http_uri; content:"PG=SPEEDBAR",nocase; pcre:"/\.(jsp|html)\?[^\r\n]*PG=SPEEDBAR/i"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips drop,service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5805; rev:13; service:http; )
03134 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; http_uri; content:".php?php=receipt"; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:2; service:http; )
# sid 21850 - Sutra TDS: fires on any request whose URI contains "/hi.cgi",
# with no further qualifiers, so an unrelated CGI of that name will alert too.
# It is drop only in the security policy (balanced is not listed), which is
# consistent with that false-positive exposure - keep it that way unless the
# URI can be narrowed.
03149 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; http_uri; content:"/hi.cgi"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:6; service:http; )
03156 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER ANDR.Trojan.ZertSecurity encrypted information leak"; flow:to_server,established; http_uri; content:"/sms/d_m009.php"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.lookout.com/blog/2013/05/06/zertsecurity; classtype:trojan-activity; sid:26796; rev:2; service:http; )
03159 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/?id=##1"; metadata:policy balanced-ips alert,policy security-ips drop,service http; classtype:misc-activity; sid:26933; rev:3; service:http; )
03160 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; http_uri; content:"/?q="; content:"##1"; pcre:"/^\/\?q=[^&]*##1$/"; metadata:policy balanced-ips alert,policy security-ips drop,service http; classtype:misc-activity; sid:26934; rev:4; service:http; )
# sid 21092 - JavaScript LOIC: inbound (EXTERNAL -> HOME) flood detector.
# "&msg=" is 5 bytes searched in a 5-byte window 13 bytes after "/?id=", so
# the id value is exactly 13 characters. detection_filter suppresses the
# first 99 hits per source address in any 5 s window: a lone request never
# alerts, and in drop mode only the 100th and later requests are dropped.
03175 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-TOOLS JavaScript LOIC attack"; flow:to_server,established; http_uri; content:"/?id=",nocase; content:"&msg=",within 5,distance 13,nocase; detection_filter:track by_src, count 100, seconds 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; classtype:attempted-dos; sid:21092; rev:2; service:http; )
03217 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakedoc device information leakage"; flow:to_server, established; http_uri; content:"&locale_source_term_network_sim="; content:"network=",nocase; content:"&did=",nocase; content:"&model=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/85c4f3066b76671aab7148b98766e6b904c83cd0920187ec4bbd5af8c9e9c970/analysis/; classtype:trojan-activity; sid:26768; rev:2; service:http; )
# sid 26291 - Ksapp: HTTP registration carried over TCP/5222 (the XMPP port),
# leaking the IMEI. NOTE(review): http_uri is only filled when the HTTP
# inspector is bound to the flow, so port 5222 must be routed to it (Snort 3
# binder/wizard, Snort 2 http_inspect server ports); with a default
# HTTP-ports-only binding this rule is silent.
03227 alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 ( msg:"OS-MOBILE Android Ksapp device registration"; flow:to_server,established; http_uri; content:"/kspp/do?imei="; content:"&wid=",nocase; content:"&type=&step=0",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99; classtype:trojan-activity; sid:26291; rev:3; service:http; )
03230 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android CruseWind imei leakage"; flow:to_server,established; http_uri; content:"/flash/test.xml?imei="; content:"&time=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99&tabid=2; classtype:trojan-activity; sid:26192; rev:2; service:http; )
# sid 26190 - YZHC: all four parameter contents are absolute and
# case-sensitive, so their order in the URI is irrelevant. NOTE(review):
# "channe=" looks like a truncated "channel=" - as written it does NOT match
# "channel=" (the "l" breaks the substring). Confirm the literal parameter
# name against the sample in the reference before trusting this rule.
03231 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android YZHC device registration"; flow:to_server,established; http_uri; content:"action=domregbycode&"; content:"channe="; content:"imsi="; content:"code="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.csc.ncsu.edu/faculty/jiang/YZHCSMS/; classtype:trojan-activity; sid:26190; rev:2; service:http; )
03233 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Zitmo trojan intercepted sms upload"; flow:to_server,established; http_uri; content:"/security.jsp",nocase; http_client_body; content:"f0=",nocase; content:"&b0=",nocase; content:"&pid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:26114; rev:2; service:http; )
03234 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android KMin imei imsi leakage"; flow:to_server,established; http_uri; content:"/portal/m/c",nocase; content:".ashx?",nocase; content:"&nt2=",nocase; content:"&tp=2",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2; classtype:trojan-activity; sid:26104; rev:2; service:http; )
03235 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GoldDream device registration"; flow:to_server,established; http_uri; content:"/zj/RegistUid.aspx?pid=",nocase; content:"&imsi=",nocase; content:"&imei=",nocase; content:"&sim=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cs.ncsu.edu/faculty/jiang/GoldDream/; classtype:trojan-activity; sid:26102; rev:2; service:http; )
03237 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GGTracker installation call out"; flow:to_server,established; http_uri; content:"/SM",nocase; content:"|3F|device_id=",nocase; content:"|26|adv_sub=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26018; rev:2; service:http; )
03238 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android GGTracker leak of device phone number"; flow:to_server,established; http_uri; content:"notif.php?phone=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26017; rev:2; service:http; )
03240 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Lovetrap initial connection"; flow:to_server,established; http_uri; content:"positionrecorder.asmx",nocase; content:"imsi=",nocase; content:"appid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:26015; rev:2; service:http; )
03248 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android AnserverBot initial contact"; flow:to_server,established; http_uri; content:"/jk.action?a="; content:"&key=",nocase; content:"&g1=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.csc.ncsu.edu/faculty/jiang/AnserverBot/; classtype:trojan-activity; sid:27016; rev:2; service:http; )
03249 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Satfi device information leakage"; flow:to_server, established; http_uri; content:"confabcode="; content:"msisdn=",distance 0,nocase; content:"imsi=",distance 0,nocase; content:"operator=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/C149AC741A3A1336193D355A7F59A4911D9B6FC8F88307F8EC86C85C10C9059A/analysis/; classtype:trojan-activity; sid:27031; rev:1; service:http; )
# sid 27098 - SMSSilence SMS exfil: the body must start with "mobile=" (depth 7)
# and, because "&revsms=" is 8 bytes searched in an 8-byte window with no
# distance, it must follow immediately - the rule only matches an EMPTY mobile
# value ("mobile=&revsms=..."). If the sample sends a number there, add a
# distance or widen "within". The header content pins an "(Linux; U; Android 2."
# User-Agent, so devices on other Android major versions are not covered.
03257 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence unsolicited sms attempt"; flow:to_server,established; http_uri; content:"/Android_SMS/receiving.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; http_client_body; content:"mobile=",depth 7,nocase; content:"&revsms=",within 8,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27098; rev:1; service:http; )
# sid 27099 - SMSSilence install beacon: a body of "mobile=" plus an 11-char
# value is implied by Content-Length 18. NOTE(review): "Content-Length: 18" is
# a substring match and also accepts 180, 1800, 18xx...; terminate it with the
# line break ("Content-Length: 18|0D 0A|" - the http_header buffer keeps CRLFs,
# sid 26774 matches |0D 0A| in it) to pin the exact length. Same "Android 2."
# User-Agent limitation as sid 27098.
03258 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence device information disclosure attempt"; flow:to_server,established; http_uri; content:"/Android_SMS/installing.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; content:"Content-Length: 18",nocase; http_client_body; content:"mobile=",depth 7,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27099; rev:1; service:http; )
# sid 26559 - CVE-2013-1599 (D-Link camera rtpd.cgi RCE): inbound rule that
# matches ANY request to rtpd.cgi with a query string, exploit or not, and
# both policies drop it. Legitimate management traffic to these cameras will
# therefore be blocked; if that matters, tune with a pcre on the query string
# for shell metacharacters rather than disabling the rule.
03263 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-OTHER DLink IP camera remote command execution vulnerability - access to vulnerable rtpd.cgi"; flow:to_server,established; http_uri; content:"/cgi-bin/rtpd.cgi?"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1599; reference:url,seclists.org/fulldisclosure/2013/Apr/253; classtype:attempted-admin; sid:26559; rev:1; service:http; )
03274 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Windows ISA Server cross-site scripting attempt"; flow:to_server,established; http_uri; content:"CookieAuth.dll",nocase; content:"GetLogonRedir",distance 0,fast_pattern,nocase; content:"formdir=",distance 0,nocase; content:"reason=",nocase; pcre:"/reason=[^\r\n\x26]+(alert|script|onclick|onload|onmouseover|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0237; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-016; classtype:attempted-user; sid:15475; rev:8; service:http; )
03276 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Windows Forefront UAG URL XSS attempt"; flow:to_server, established; http_uri; content:"|2F|m|2F|default|2E|aspx",fast_pattern,nocase; content:"orig_url=",nocase; pcre:"/orig_url=[^\x26]*[\x22\x27\x28\x29\x3C\x3E]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-2734; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-admin; sid:18074; rev:6; service:http; )
# sid 24137 (siblings 24132-24136 differ only in the .aspx page) - MS12-061
# reflected XSS via the "name" parameter: alerts on quotes, angle brackets,
# parentheses or the words script/onload/src anywhere in the value. The bare
# "src" alternative also fires on benign values such as name=img_src.
# NOTE(review): the imap/pop3 service tags make no sense for a rule that only
# inspects http_uri (that buffer is never populated on mail flows); they add
# evaluation cost with no detection value - drop them from this rule and its
# siblings.
03328 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"scc.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24137; rev:3; service:http; service:imap; service:pop3; )
03329 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"diff.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24136; rev:3; service:http; service:imap; service:pop3; )
03330 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"view.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24135; rev:3; service:http; service:imap; service:pop3; )
03331 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"ann.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24134; rev:3; service:http; service:imap; service:pop3; )
03332 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"QE.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24133; rev:3; service:http; service:imap; service:pop3; )
03333 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"build.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24132; rev:3; service:http; service:imap; service:pop3; )
03334 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Visual Studio Team Web Access console cross site scripting attempt"; flow:to_server,established; http_uri; content:"Q.aspx",nocase; content:"name=",distance 0,nocase; pcre:"/[?&]name=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-061; classtype:web-application-attack; sid:24131; rev:3; service:http; service:imap; service:pop3; )
03343 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Forefront UAG URL XSS alternate attempt"; flow:to_server, established; http_uri; content:"signurl|2E|asp",fast_pattern,nocase; content:"SignUrl=",nocase; pcre:"/SignUrl=[^\x26\s]*[\x22\x27\x28\x29\x3C\x3E]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-089; classtype:attempted-admin; sid:18076; rev:6; service:http; )
03347 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Report Viewer reflect XSS attempt"; flow:to_server,established; http_uri; content:"ReportID|3D|",nocase; content:"ControlID|3D|",nocase; content:"TimerMethod|3D|",nocase; pcre:"/TimerMethod\x3D[^\x26]*[\x3C\x28\x22\x27]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1976; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-067; classtype:attempted-user; sid:19681; rev:3; service:http; )
03352 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER HP Universal CMDB server axis2 service upload attempt"; flow:established,to_server; http_method; content:"POST",nocase; http_uri; content:"/axis2/axis2-admin/upload"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,secunia.com/advisories/42763/; classtype:attempted-admin; sid:19158; rev:4; service:http; )
03353 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER CA ARCserve Axis2 default credential login attempt"; flow:to_server,established; http_uri; content:"/axis2-admin/login"; http_client_body; content:"userName=admin",nocase; content:"password=",nocase; pkt_data; pcre:"/^(admin|axis2)/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45625; reference:cve,2010-0219; classtype:default-login-attempt; sid:18985; rev:5; service:http; )
03357 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SPAM local user attempted to fill out paypal phishing form"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/logindo.php"; http_client_body; content:"partner=",nocase; content:"&login=",distance 0,nocase; content:"&user=",distance 0,nocase; content:"&pass=",distance 0,nocase; content:"&submit=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:suspicious-login; sid:21637; rev:3; service:http; )
03398 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.AdultAds outbound connection"; flow:to_server,established; http_uri; content:"/AdPuller/adult_mature/adult_mature.xmls"; http_header; content:"User-Agent|3A 20|Mozilla/2.0"; content:"AdTools",within 7,distance 14; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/E37DAAB60FE414E8EBFA83A80BBE11877072EC09663DD5F3651FE4DDEB187A82/analysis/; classtype:trojan-activity; sid:24086; rev:2; service:http; )
03400 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.Downware variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/action.php?channel=",nocase; content:"&detected_products=",distance 0,nocase; content:"&offered=",distance 0,nocase; content:"&funnel",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/ae97f53b9f7dcbfa450b391d33b63eb21e4eada1325bea4083894b62d1bb15fe/analysis/; classtype:trojan-activity; sid:21924; rev:2; service:http; )
03403 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware cashbar runtime detection - stats track"; flow:to_server,established; http_uri; content:"/cgi-bin/connect.cgi?",nocase; content:"usr=",nocase; content:"url=",nocase; content:"title=CashSurfers",fast_pattern,nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5932; rev:13; service:http; )
03404 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware cashbar runtime detection - pop-up ad 2"; flow:to_server,established; http_uri; content:"/asp/offers.asp?url=http|3A|/cashsurfers.metareward.com",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5930; rev:14; service:http; )
03405 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware desktopmedia runtime detection - surf monitoring"; flow:to_server,established; http_uri; content:"/script/judge/judge.html",fast_pattern,nocase; content:"mid=",nocase; content:"type=",nocase; content:"uid=",nocase; http_header; content:"Host|3A|",nocase; content:"cojud.dmcast.com",nocase; pcre:"/^Host\x3a[^\r\n]*cojud\x2Edmcast\x2Ecom/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8354; rev:10; service:http; )
03406 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware desktopmedia runtime detection - auto update"; flow:to_server,established; http_uri; content:"/script/update.asp",fast_pattern,nocase; content:"version=",nocase; content:"ownerversion=",nocase; content:"uid=",nocase; http_header; content:"Host|3A|",nocase; content:"dcww.dmcast.com",nocase; pcre:"/^Host\x3a[^\r\n]*dcww\x2Edmcast\x2Ecom/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8353; rev:10; service:http; )
03408 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - update"; flow:to_server,established; http_uri; content:"/cgi-bin/update.dll?",fast_pattern,nocase; http_header; content:"User-Agent|3A| dapupd",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5906; rev:11; service:http; )
03409 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - games center request"; flow:to_server,established; http_uri; content:"/GamesTab_realarcade.asp",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5905; rev:10; service:http; )
03410 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - download files"; flow:to_server,established; http_uri; content:"/cgi-bin/MirrorSearch.dll?",fast_pattern,nocase; http_header; content:"User-Agent|3A| DA",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5904; rev:11; service:http; )
03411 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware download accelerator plus runtime detection - get ads"; flow:to_server,established; http_uri; content:"/cgi-bin/ads9.dll?",fast_pattern,nocase; content:"HTML=",nocase; content:"DAUI=",nocase; content:"INC=",nocase; content:"DL=",nocase; content:"CX=",nocase; content:"CY=",nocase; content:"IIA=",nocase; content:"IIG=",nocase; content:"IIP=",nocase; content:"III=",nocase; content:"V=",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5903; rev:11; service:http; )
03413 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE 888Poker install outbound connection attempt"; flow:to_server,established; http_uri; content:"/setups/888poker/",nocase; content:"/SetupFiles/GIB/SDL/",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:21934; rev:2; service:http; )
03414 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopnav outbound connection - ie auto search hijack"; flow:to_server,established; http_uri; content:"/searchcat.jsp?p=",fast_pattern,nocase; content:"appid=",nocase; content:"id=",nocase; content:"url=",nocase; content:"type=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5888; rev:9; service:http; )
03416 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - target website display"; flow:to_server,established; http_uri; content:"/related_bottom_v2.php",fast_pattern,nocase; content:"key=",nocase; content:"No="; pkt_data; content:"Host|3A|",nocase; content:"related.yok.com",distance 0,nocase; pcre:"/^Host\x3a[^\r\n]*related\x2Eyok\x2Ecom/smi"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8359; rev:12; service:http; )
03425 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopnav outbound connection - ie search assistant hijack"; flow:to_server,established; http_uri; content:"/9899/search/results.php?",fast_pattern,nocase; content:"source=",nocase; content:"pa=",nocase; content:"keywords=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5887; rev:9; service:http; )
03426 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Other-Technologies saria 1.0 outbound connection - send user information"; flow:to_server,established; http_uri; content:"op=",nocase; content:"vic=",nocase; content:"ip=",nocase; content:"port=",fast_pattern,nocase; content:"pass=",nocase; pcre:"/pass=(YAHOO|(XP\s+)?MSN|PALTALK)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080923; classtype:misc-activity; sid:5883; rev:10; service:http; )
03428 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE PC Antispyware 2010 FakeAV download/update attempt"; flow:to_server,established; http_uri; content:"/files",nocase; content:"|29|.|28|t|29|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=37fa737aab25dd0d90cd0821538fae15; classtype:trojan-activity; sid:16498; rev:7; service:http; )
03429 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE FakeAV landing page request"; flow:to_server,established; http_uri; content:"/payform/?k="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,urlquery.net/report.php?id=91654; classtype:trojan-activity; sid:23472; rev:2; service:http; )
03430 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Wajam Monitizer outbound connection - post install"; flow:to_server,established; http_uri; content:"/download/Wajam_5402.exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/AFE8CA9124F6CC84B8FEC64723531297653A419AE39710A64BCB4143F66215AB/analysis/; classtype:trojan-activity; sid:23247; rev:4; service:http; )
03431 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Wajam Monitizer url outbound connection - post install"; flow:to_server,established; http_uri; content:"php?v="; content:"&unique_id=",distance 0; content:"&aid=",distance 0; content:"&r=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/AFE8CA9124F6CC84B8FEC64723531297653A419AE39710A64BCB4143F66215AB/analysis/; classtype:trojan-activity; sid:23246; rev:4; service:http; )
03432 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE OnlineGames download attempt"; flow:to_server,established; http_uri; content:"/nbok01/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=6f489b3bd2ccbbf4ff8ad0c744f7be34; classtype:trojan-activity; sid:16365; rev:7; service:http; )
03433 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Cutwail spambot server communication attempt"; flow:to_server,established; http_uri; content:"spm/page.php?"; content:"id=",nocase; content:"tick=",nocase; content:"ver=",nocase; content:"smtp=",nocase; content:"task=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatexpert.com/report.aspx?md5=0ecab7ac6e393be442cd834f9573622b; classtype:trojan-activity; sid:16494; rev:3; service:http; )
03434 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Martuz HTTP GET request attempt"; flow:to_server,established; http_uri; content:"/martuz.cn",nocase; pkt_data; pcre:"/\x2Fmartuz\x2Ecn\x2Fvid\x2F\x3Fid\x3D\d+/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15567; rev:7; service:http; )
03435 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Gumblar HTTP GET request attempt"; flow:to_server,established; http_uri; content:"/gumblar.cn",nocase; pkt_data; pcre:"/\x2Fgumblar\x2Ecn\x2Frss\x2F\x3Fid\x3D\d+/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15566; rev:7; service:http; )
03436 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shop at home select merchant redirect in progress"; flow:to_server,established; http_uri; content:"/frameset3.asp",fast_pattern,nocase; content:"MID=",nocase; content:"ruleID=",nocase; content:"popupID=",nocase; content:"doPopup=",nocase; content:"version=",nocase; content:"requested=",nocase; content:"CustomerID=",nocase; content:"owner=",nocase; content:"refer=",nocase; content:"LastPrefs="; content:"GUID=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:misc-activity; sid:5809; rev:9; service:http; )
03437 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/builds/",nocase; content:"fflists.txt",nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:misc-activity; sid:26553; rev:2; service:http; )
03450 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker morpheus toolbar runtime detection - get cfg info"; flow:to_server,established; http_uri; content:"/ms162cfg.jsp?",nocase; pcre:"/\x2fms162cfg\x2ejsp\x3f([sverlcfan]\x3d[^\x26\s]*\x26){8}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.sophos.com/security/analyses/morpheustoolbar.html; classtype:misc-activity; sid:12293; rev:8; service:http; )
03451 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - get cfg"; flow:to_server,established; http_uri; content:"/desktop/",nocase; content:"/toolbar/supremetb",fast_pattern,nocase; content:".cfg",nocase; pcre:"/\x2Fdesktop\x2F\d+\x2Ftoolbar\x2Fsupremetb\d+\.cfg/i"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530; classtype:successful-recon-limited; sid:5939; rev:11; service:http; )
03453 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - ie autosearch & search assistant hijack"; flow:to_server,established; http_uri; content:"/copern.light/redirs_all.htm?",fast_pattern,nocase; content:"pgtarg=",nocase; content:"qcat=",nocase; content:"qkw=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5885; rev:9; service:http; )
03454 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - check toolbar & category info"; flow:to_server,established; http_uri; content:"/software/meta/Update/VersionCheckInfo.ini?c=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5884; rev:10; service:http; )
03455 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - collect information"; flow:to_server,established; http_uri; content:"/images/nocache/tr/gca/m.gif?",fast_pattern,nocase; content:"rand=",nocase; content:"a=",nocase; content:"u=",nocase; content:"r=",nocase; content:"w=",nocase; content:"myway.com",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5803; rev:12; service:http; )
03457 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts OGNL parameter interception bypass command execution attempt"; flow:to_server,established; http_uri; content:"xwork.MethodAccessor.denyMethodExecution",nocase; content:"u0023",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,41592; reference:cve,2010-1870; classtype:attempted-admin; sid:18931; rev:3; service:http; )
03458 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts Information Disclosure Attempt"; flow:to_server,established; http_uri; content:"/struts",nocase; http_raw_uri; content:"..|25|252f"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32104; reference:cve,2008-6505; classtype:attempted-recon; sid:17533; rev:6; service:http; )
03469 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - POST parameter"; flow:to_server,established; http_uri; content:".action"; http_client_body; content:"new",nocase; pcre:"/new(\s|%20)(java|org)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0391; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-admin; sid:23631; rev:3; service:http; )
03470 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt ParametersInterceptor"; flow:to_server,established; http_uri; content:".action?",nocase; content:"new java.io.FileWriter",distance 0,nocase; pcre:"/[\x26\x3f](\w+)=([A-Z]\x3a\x2f|\x2e{2}?\x2f)[^\x26]*?\x2e[a-z0-9\x2e]{1,6}\x26[^\x26]*?FileWriter\x28\s*\1\s*\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0393; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21656; rev:2; service:http; )
03471 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - DebuggingInterceptor"; flow:to_server,established; http_uri; content:".action?",nocase; content:"debug=command",distance 0,nocase; content:"Runtime|28 29|.exec",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0394; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21075; rev:2; service:http; )
03472 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - CookieInterceptor"; flow:to_server,established; http_uri; content:".action"; http_cookie; content:"|28|",depth 1; pcre:"/^\x28[^\x3D]+?\x29\x3D/m"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0392; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21074; rev:3; service:http; )
03473 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - ExceptionDelegator alternate"; flow:to_server,established; http_uri; content:".action?",nocase; content:"=|27|",distance 0; content:"allowStaticMethodAccess",distance 0,nocase; content:"Runtime|28 29|.exec",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0391; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21073; rev:2; service:http; )
03474 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts remote code execution attempt - ExceptionDelegator"; flow:to_server,established; http_uri; content:".action?",nocase; content:"=|27|",distance 0; content:"new ",distance 0,nocase; pcre:"/new (javax?|org)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0391; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-user; sid:21072; rev:2; service:http; )
03477 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts2 blacklisted method redirectAction"; flow:to_server,established; http_uri; content:".action?redirectAction|3A|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:27243; rev:4; service:http; )
03478 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; http_uri; content:".action?redirect|3A|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:27244; rev:4; service:http; )
03479 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts2 remote code execution attempt"; flow:to_server,established; http_uri; content:".action?action|3A 7B|",nocase; content:".start|28 29|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:web-application-attack; sid:27245; rev:2; service:http; )
03480 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt"; flow:to_server,established; http_uri; content:"(@java.lang.Runtime@getRuntime()).exec("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60345; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2013-2135; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; reference:url,osvdb.org/show/osvdb/93969; classtype:attempted-admin; sid:27574; rev:2; service:http; )
03490 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS multiple extension code execution attempt"; flow:to_server,established; http_uri; content:".asp|3B|.",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4444; classtype:web-application-attack; sid:16356; rev:10; service:http; )
03492 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; http_uri; content:"cmd.exe",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service http; classtype:web-application-attack; sid:1002; rev:17; service:http; )
03493 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd32.exe access"; flow:to_server,established; http_uri; content:"cmd32.exe",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service http; classtype:web-application-attack; sid:1661; rev:14; service:http; )
03494 alert tcp $EXTERNAL_NET any -> $HOME_NET 7000 ( msg:"SERVER-IIS Microsoft Windows Server 2012 IIS OData protocol nested replace filter dos attempt"; flow:to_server,established; http_uri; content:"replace|28|replace|28|replace|28|replace|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-007; classtype:attempted-dos; sid:25274; rev:2; service:http; )
03515 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-MSSQL Microsoft SQL Server Reporting Services cross site scripting attempt"; flow:established,to_server; http_uri; content:"/Reports/Pages/Report.aspx"; content:"SelectedSubTabId=",nocase; pcre:"/[?&]SelectedSubTabId=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-2552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-070; classtype:web-application-attack; sid:24355; rev:3; service:http; )
# Snort rule listing (excerpt): SERVER-ORACLE, SERVER-OTHER and SERVER-WEBAPP
# signatures for server-side web application attacks. Each line is one complete
# rule. The leading five-digit number on every line is a line index from the
# source rendering, not part of Snort rule syntax; strip it before loading.
# Review notes are marked "NOTE(review)" and flag only what is visible in the
# rule text itself: detection gaps, regex problems and msg/content mismatches.
#
# NOTE(review): the pcre alternative "-" fires on any hyphen anywhere in uname=,
# not only on the %3C/%3E bypass characters, so legitimate usernames containing a
# hyphen will alert. The GET variant below (sid:16191) only looks for < and >.
03549 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup Administration server authentication bypass attempt"; flow:to_server,established; http_uri; content:"login.php",nocase; http_client_body; content:"attempt=",nocase; content:"uname=",nocase; pcre:"/uname=[^&]*(%3[CE]|-)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35672; reference:bugtraq,41596; reference:cve,2009-1977; reference:cve,2010-0904; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html; classtype:attempted-admin; sid:16192; rev:7; service:http; )
03553 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup administration server login.php cookies command injection attempt"; flow:to_server,established; http_uri; content:"button=Logout"; content:"login.php?"; content:!"clear=yes"; content:"ora_osb_bgcookie"; pcre:"/ora_osb_bgcookie=[^\w\d\-]+?/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33177; reference:cve,2008-4006; classtype:attempted-admin; sid:17638; rev:4; service:http; )
# NOTE(review): this rule inspects http_uri / service http but is scoped to
# $SQL_SERVERS $ORACLE_PORTS. If the Forms servlet is served on an ordinary HTTP
# port that is not in $ORACLE_PORTS the rule never sees the request; confirm the
# variable definitions cover the Forms listener.
03569 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Application Server Forms Arbitrary System Command Execution Attempt"; flow:to_server,established; http_uri; content:"f90servlet?form=",nocase; pcre:"/form=[cde]\x3a(\x5C|\x2F)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,14319; reference:cve,2005-2372; classtype:attempted-user; sid:17350; rev:2; service:http; )
03583 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Application Server Portal cross site scripting attempt"; flow:to_server,established; http_uri; content:"/sso/jsp/login.jsp"; content:"site2pstoretoken",nocase; pcre:"/[?&]site2pstoretoken=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,secunia.com/advisories/33761; classtype:attempted-user; sid:16215; rev:3; service:http; )
03584 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Secure Backup Administration server authentication bypass attempt - via GET"; flow:to_server,established; http_uri; content:"login.php?",nocase; content:"attempt=",nocase; content:"uname=",nocase; pcre:"/uname\x3d[^\x26]*[\x3c\x3e]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35672; reference:cve,2009-1977; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html; classtype:attempted-admin; sid:16191; rev:3; service:http; )
03585 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Secure Backup Administration server property_box.php command injection attempt"; flow:to_server,established; http_uri; content:"property_box.php?"; content:"type=Sections"; content:"other="; pcre:"/other=[^\x26]*[\x21-\x24\x27\x28-\x2a\x2d\x2f\x3b\x3c\x3e\x3f\x40\x5b-\x5d\x7b-\x7e]/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35678; reference:cve,2009-1978; classtype:attempted-admin; sid:16190; rev:3; service:http; )
# NOTE(review): "[^\x20\x26\x3b]{1}" only requires one character that is not
# space, "&" or ";" after "=", i.e. any non-empty value. The pcre therefore adds
# no constraint beyond the content matches, and sid:15261 alerts on any Logout
# request that carries both parameters.
03593 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup exec_qr command injection attempt"; flow:to_server,established; http_uri; content:"button=Logout"; content:"login.php?"; content:!"clear=yes"; content:"ora_osb_bgcookie"; content:"rbtool"; pcre:"/(ora_osb_bgcookie|rbtool)=[^\x20\x26\x3b]{1}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33177; reference:cve,2008-5448; classtype:attempted-user; sid:15261; rev:4; service:http; )
03594 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup login.php variable based command injection attempt"; flow:to_server,established; http_uri; content:"login.php"; content:"rbtool="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-5449; classtype:attempted-admin; sid:15258; rev:4; service:http; )
03595 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Secure Backup common.php variable based command injection attempt"; flow:to_server,established; http_uri; content:"common.php"; content:"rbtool="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4006; classtype:attempted-admin; sid:15257; rev:4; service:http; )
03596 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-ORACLE BPEL process manager XSS injection attempt"; flow:to_server,established; http_uri; content:"/BPELConsole/default/activities.jsp?",nocase; content:"'",distance 0; metadata:policy balanced-ips drop,service http; reference:cve,2008-4014; reference:url,www.securityfocus.com/archive/1/500060; classtype:web-application-attack; sid:15256; rev:4; service:http; )
03612 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER HP OpenView Network Node Manager ovlaunch host field overflow attempt"; flow:to_server,established; http_uri; content:"ovlaunch.exe",nocase; pkt_data; content:"host|3A|",nocase; isdataat:300,relative; pcre:"/^host\x3a\s*[^\r\n]{300}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33668; reference:cve,2008-4562; classtype:attempted-user; sid:16204; rev:3; service:http; )
03613 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|",nocase; isdataat:1024; pcre:"/^\x2FOvCgi\x2F[^\x2E]*?\x2Eexe[^\h]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26741; reference:cve,2007-6204; reference:cve,2008-0067; classtype:attempted-user; sid:13161; rev:8; service:http; )
03694 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/CFIDE/adminapi/administrator.cfc"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2013-0625; reference:cve,2013-0629; reference:cve,2013-0631; reference:url,forums.adobe.com/message/4962104; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat; classtype:attempted-user; sid:25266; rev:2; service:http; )
03695 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/CFIDE/Administrator/scheduler/scheduleedit.cfm"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2013-0625; reference:cve,2013-0629; reference:cve,2013-0631; reference:url,forums.adobe.com/message/4962104; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat; classtype:attempted-user; sid:25267; rev:2; service:http; )
# NOTE(review): sid:26314-26316 differ only in the parameter name checked
# (angle / quality / clipval); a single rule with a pcre alternation would be
# easier to keep in sync. They are also bound to $FILE_DATA_PORTS with imap/pop3
# services, which is unusual for a web-application POST - confirm that is
# intended and not carried over from a file-based rule template.
03714 alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS ( msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; http_uri; content:"picEditor.php"; http_method; content:"POST"; http_client_body; content:"angle="; content:"newimage="; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0506; classtype:attempted-admin; sid:26314; rev:1; service:http; service:imap; service:pop3; )
03715 alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS ( msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; http_uri; content:"picEditor.php"; http_method; content:"POST"; http_client_body; content:"quality="; content:"newimage="; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0506; classtype:attempted-admin; sid:26315; rev:1; service:http; service:imap; service:pop3; )
03716 alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS ( msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; http_uri; content:"picEditor.php"; http_method; content:"POST"; http_client_body; content:"clipval="; content:"newimage="; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0506; classtype:attempted-admin; sid:26316; rev:1; service:http; service:imap; service:pop3; )
# NOTE(review): content:"ComputerName" is case-sensitive while the pcre runs
# with /i; a differently-cased parameter name would satisfy the pcre but never
# reach it. Add nocase to the content or drop /i so both stages agree.
03724 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Trend Micro OfficeScan Server cgiRecvFile overflow attempt"; flow:to_server,established; http_uri; content:"/cgi/cgiRecvFile.exe"; pkt_data; content:"ComputerName"; pcre:"/ComputerName\s*\x3d\s*\x22[^\x22]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31139; reference:cve,2008-2437; classtype:attempted-admin; sid:15510; rev:3; service:http; )
# NOTE(review): sid:16522 and sid:16686 write "flow:to_server, established" with
# a space after the comma; Snort tolerates it, but every other rule in this
# listing uses "to_server,established".
03725 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Novell QuickFinder server cross-site-scripting attempt"; flow:to_server, established; http_uri; content:"AdminServlet",nocase; pcre:"/AdminServlet.*(userid|adminurl)[^\x26\x20\x0a]*<script/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0611; classtype:web-application-attack; sid:16522; rev:3; service:http; )
03726 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER IBM WebSphere application server cross site scripting attempt"; flow:to_server, established; http_uri; content:"/ibm/console/",nocase; content:"<script",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34001; reference:cve,2009-0855; classtype:misc-attack; sid:16686; rev:4; service:http; )
03727 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-OTHER Zango adware installation request"; flow:to_server,established; http_uri; content:"Zango/Setup.exe"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.ftc.gov/os/caselist/0523130/index.shtm; classtype:policy-violation; sid:13632; rev:4; service:http; )
03745 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Adobe ColdFusion adminapi information disclosure attempt"; flow:to_server,established; http_uri; content:"/CFIDE/adminapi/customtags/l10n.cfm",fast_pattern,nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,59773; reference:cve,2013-3336; reference:url,www.adobe.com/support/security/advisories/apsa13-03.html; classtype:attempted-recon; sid:26621; rev:1; service:http; )
03746 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Struts2 skillName remote code execution attempt"; flow:to_server,established; http_uri; content:"edit.action?"; content:"skillName=|7B 28 23|"; pcre:"/skillName\x3D\x7B\x28\x23/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60082; reference:cve,2013-1965; classtype:attempted-admin; sid:26772; rev:2; service:http; )
03748 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Struts2 remote code execution attempt"; flow:to_server,established; http_uri; content:".action?",nocase; content:"|24 7B|",nocase; content:"_memberAccess|5B 22|allowStaticMethodAccess",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1966; reference:cve,2013-2115; reference:url,struts.apache.org/development/2.x/docs/s2-014.html; classtype:attempted-admin; sid:26825; rev:1; service:http; )
03764 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER OpenX POST to known backdoored file"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/vastServeVideoPlayer/player.delivery.php",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-4211; reference:url,isc.sans.edu/diary/OpenX+Ad+Server+Backdoor/16303; classtype:attempted-admin; sid:27578; rev:1; service:http; )
03769 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt"; flow:to_server,established; http_uri; content:"nnmRptConfig.exe"; pcre:"/(data_select1|nameParams|schdParams|text1|schd_select1)=[^\x26]{512}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45762; reference:cve,2011-0265; reference:cve,2011-0266; reference:cve,2011-0267; reference:cve,2011-0268; reference:cve,2011-0269; reference:url,osvdb.org/show/osvdb/70473; classtype:attempted-user; sid:24147; rev:2; service:http; )
03771 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt"; flow:to_server,established; http_uri; content:"nnmRptConfig.exe"; http_client_body; pcre:"/(data_select1|nameParams|schdParams|text1|schd_select1)=[^\x26]{512}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45762; reference:cve,2011-0265; reference:cve,2011-0266; reference:cve,2011-0267; reference:cve,2011-0268; reference:cve,2011-0269; reference:url,osvdb.org/show/osvdb/70473; classtype:attempted-user; sid:18764; rev:6; service:http; )
03772 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Majordomo2 http directory traversal attempt"; flow:to_server,established; http_uri; content:"mj_wwwusr",fast_pattern,nocase; content:"extra=",distance 0,nocase; http_raw_uri; content:"../../.."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,46127; reference:cve,2011-0049; classtype:web-application-attack; sid:18761; rev:4; service:http; )
03773 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Adobe ColdFusion locale directory traversal attempt"; flow:to_server,established; http_uri; content:"CFIDE",fast_pattern; pkt_data; content:"locale=",nocase; content:"../../../",distance 0; content:"%00",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42342; reference:cve,2010-2861; classtype:attempted-admin; sid:18464; rev:6; service:http; )
03779 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt"; flow:to_server,established; http_uri; content:"REMOTE_HANDLER_KEY=DownloadFilesHandler"; content:"DownloadFilesHandler.file.name="; content:"..",within 3; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:24447; rev:2; service:http; )
03780 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt"; flow:to_server,established; http_uri; content:"REMOTE_HANDLER_KEY=UploadFilesHandler"; content:"UploadFilesHandler.file.name="; content:"..",within 3; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:24448; rev:2; service:http; )
03781 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt"; flow:to_server,established; http_uri; content:"/spywall/blocked.php"; content:"id=",nocase; pcre:"/[\x3f\x26]id=\d*[\x28\x29\x22\x27]/is"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,54424; reference:cve,2012-2574; reference:url,osvdb.org/show/osvdb/84118; classtype:attempted-user; sid:23934; rev:3; service:http; )
03782 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM nnmRptConfig.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/nnmRptConfig|2E|exe"; http_client_body; content:"Action|3D|Create",nocase; pkt_data; content:"Template|3D|"; isdataat:1000,relative; http_client_body; pcre:"/Template\x3D[^\x0D\x0A]{1000}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3848; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20240; rev:5; service:http; )
03783 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phpMyAdmin server_sync.php backdoor access attempt"; flow:to_server,established; http_uri; content:"/phpMyAdmin/server_sync.php"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:web-application-attack; sid:24256; rev:2; service:http; )
03787 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla Remote File Include upload attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/admin/addcontent.inc.php"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/security/95.211.20.103-local-file-inclusion-attack.html; reference:url,www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla; classtype:attempted-user; sid:23828; rev:2; service:http; )
03788 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla Remote File Include upload attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/images/psg.php"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/security/95.211.20.103-local-file-inclusion-attack.html; reference:url,www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla; classtype:attempted-user; sid:23827; rev:2; service:http; )
03789 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway pbcontrol.php filename parameter command injection attempt"; flow:to_server,established; http_uri; content:"/spywall/pbcontrol.php"; content:"filename=",nocase; pcre:"/[?&]filename=[^&]*?[\x22\x27][^&]*?\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,54426; reference:cve,2012-2953; reference:url,osvdb.org/show/osvdb/84120; classtype:attempted-admin; sid:23783; rev:5; service:http; )
03790 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress Invit0r plugin php upload attempt"; flow:to_server,established; http_uri; content:"/wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php"; content:"name="; http_client_body; content:"<?php ",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53995; reference:url,osvdb.org/show/osvdb/82985; reference:url,www.opensyscom.fr/Actualites/wordpress-plugins-invit0r-arbitrary-file-upload-vulnerability.html; classtype:web-application-attack; sid:23485; rev:3; service:http; )
03791 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; flow:to_server,established; http_uri; content:".php?"; content:"-s",nocase; http_raw_uri; content:!"="; http_uri; pcre:"/\x2ephp\x3f\s*-s/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22064; rev:5; service:http; )
03792 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; http_uri; content:"auto_prepend_file"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22063; rev:5; service:http; )
# NOTE(review): sid:21926 carries no reference: option at all - the only rule in
# this excerpt without one. Add the advisory or CVE it was written against so an
# analyst can triage the alert. The pcre also runs with /ims and several lazy
# ".*?" scans over the whole client body; worth measuring its cost on large
# JSON uploads.
03793 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP JCE Joomla module vulnerable directory traversal or malicious file upload attempt"; flow:to_server,established; http_uri; content:"option=com_jce"; http_client_body; content:"json",nocase; pcre:"/json\s*=\s*\x7b.*?\x22fn\x22\s*\x3a\s*\x22(getItems|folderRename|file(Delete|Copy))\x22\s*\x2c\s*\x22args\x22\s*\x3a\x5b?[^\x7d]*?\x22[^\x22]*?(\.\.|0day)[^\x22]*?\x22.*?\x7d/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:21926; rev:3; service:http; )
03794 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP phpThumb fltr[] parameter remote command execution attempt"; flow:to_server,established; http_uri; content:"/phpThumb.php?",nocase; content:"fltr[]=",nocase; content:"|3B|",within 200,nocase; pcre:"/\x2FphpThumb\.php\x3F[^\r\n]*fltr\[\]=[^\r\n\x26]+\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39605; reference:cve,2010-1598; reference:url,blog.spiderlabs.com/2011/12/honeypot-alert-phpthumb-fltr-parameter-command-injection-detected.html; classtype:attempted-user; sid:20827; rev:2; service:http; )
03795 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress timthumb.php theme remote file include attack attempt"; flow:to_server,established; http_uri; content:"/timthumb.php?",nocase; content:"src=http",distance 0,nocase; pcre:"/\x2ftimthumb\x2ephp\x3f[^\r\n]*?src=https?\x3a\x2f([^\x2e\x2f]+?\x2e){3}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,47374; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:19653; rev:3; service:http; )
03796 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP phpMyAdmin session_to_unset session variable injection attempt"; flow:to_server,established; http_uri; content:"session_to_unset="; content:"_SESSION[",nocase; pcre:"/session_to_unset=($|[\x26\x3B])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-2505; reference:cve,2011-2506; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2011-5.php; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2011-6.php; classtype:attempted-user; sid:19553; rev:3; service:http; )
03798 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla invalid token administrative password reset attempt"; flow:to_server,established; http_uri; content:"task=confirmreset",nocase; content:"option=com_user"; pkt_data; content:"token=%27&",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30667; reference:cve,2008-3681; reference:url,developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html; classtype:attempted-admin; sid:14610; rev:5; service:http; )
03799 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt"; flow:to_server,established; http_uri; content:"/rtrlet/rtr"; content:"username=ivanhoe",nocase; content:"password=scott",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4933; reference:url,www.kb.cert.org/vuls/id/332412; classtype:attempted-admin; sid:24436; rev:2; service:http; )
03801 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP IBM System Storage DS storage manager profiler XSS attempt"; flow:to_server,established; http_uri; content:"/SoftwareRegistration.do"; pcre:"/SoftwareRegistration\.do.*?updateRegn=[^\x26\r\n]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,54112; reference:cve,2012-2172; reference:url,www.exploit-db.com/exploits/19321/; classtype:web-application-attack; sid:23466; rev:4; service:http; )
03802 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Common Services Device Center XSS attempt"; flow:to_server,established; http_uri; content:"/cwhp/device.center.do"; pcre:"/device\.center\.do\?[^$\n]*(DeviceID|objectID|dsOsName|device)=[^$\n]*([\x3C\x3E\x22\x27]|script|src|location|document)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0962; classtype:web-application-attack; sid:21389; rev:3; service:http; )
# NOTE(review): the "O" modifier in "/Oi" overrides the configured PCRE match
# limit for this regex; together with two unbounded "[^$\n]*" scans that is a
# potential CPU sink on long URIs. Confirm the override is still needed.
03803 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Common Services Help servlet XSS attempt"; flow:to_server,established; http_uri; content:"com.cisco.nm.help.ServerHelpEngine"; pcre:"/com\.cisco\.nm\.help\.ServerHelpEngine\?[^$\n]*tag=[^$\n]*([\x3C\x3E\x22\x27]|script|src|location|document)/Oi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0961; classtype:web-application-attack; sid:21385; rev:3; service:http; )
03804 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt"; flow:to_server,established; http_uri; content:"/ccmcip/xmldirectorylist"; pcre:"/xmldirectorylist(\.utf-8|\.other)?\.jsp[^\n]*?[\x3F\x26][lfn]=[^\x26]*?[\x22\x27][^\x26]*?\x20(or|union|like|select)\x20/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1610; classtype:web-application-attack; sid:21377; rev:5; service:http; )
03808 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM snmp.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/Main/Snmp|2E|exe"; http_client_body; content:"Oid|3D|",nocase; isdataat:1000,relative; pcre:"/Oid\x3D[^\x0D\x0A]{1000}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3849; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20241; rev:3; service:http; )
03809 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI passwd parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/ovlogin|2E|exe"; http_client_body; content:"passwd|3D|",nocase; isdataat:29,relative; pcre:"/passwd\x3D[^\x26\x3F\x3B\x0D\x0A]{29}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3846; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20180; rev:3; service:http; )
03810 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI userid parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/ovlogin|2E|exe"; http_client_body; content:"userid|3D|",nocase; isdataat:29,relative; pcre:"/userid\x3D[^\x26\x3F\x3B\x0D\x0A]{29}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3846; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20179; rev:3; service:http; )
# NOTE(review): msg says "ovlogin.exe CGI Host parameter" but the URI content is
# "/OvCgi/snmpviewer|2E|exe" (sid:19140 below also targets snmpviewer.exe);
# either the message or the content is wrong, and alerts will be mislabelled
# during triage. Also, isdataat:121,relative is evaluated in pkt_data after the
# "Host|3A|" match while the pcre runs on http_header - confirm the two checks
# are looking at the same header.
03811 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/snmpviewer|2E|exe"; pkt_data; content:"Host|3A|",nocase; isdataat:121,relative; http_header; pcre:"/Host\x3A\s*[^\x0D\x0A]{121}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4180; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20177; rev:3; service:http; )
# NOTE(review): the relative pcre (/R) is evaluated in pkt_data, but the match it
# is relative to ("Login=") was made in http_client_body; confirm the offset still
# points just after "Login=" after the buffer switch, and that the non-relative
# isdataat:51 is the intended check rather than isdataat:51,relative.
03812 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Power Manager remote code execution attempt"; flow:to_server,established; http_uri; content:"/goform/formLogin"; http_client_body; content:"Login=",nocase; isdataat:51; pkt_data; pcre:"/^[^\x26\x3b]{51}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36933; reference:cve,2009-2685; reference:cve,2010-4113; classtype:attempted-admin; sid:19826; rev:4; service:http; )
# NOTE(review): "/OVCgi/Toolbar.exe" is matched case-sensitively here (and in
# sid:18921-18925 below), while every other rule in the file spells the directory
# "/OvCgi/". If the target web server resolves paths case-insensitively, a request
# with different casing is not inspected by this rule; add nocase to the URI
# content so the signature does not depend on the attacker's spelling.
03813 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Openview Network Node Manager OvAcceptLang overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Toolbar.exe"; http_cookie; pcre:"/OvAcceptLang\s*\x3d\s*[^\x3b\n]{300}/ism"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34134; reference:cve,2009-0921; classtype:attempted-user; sid:16555; rev:7; service:http; )
03814 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Virtual Server Agent command injection attempt"; flow:to_server,established; http_uri; content:"/RPC2",fast_pattern,nocase; http_client_body; content:"<?xml"; pkt_data; content:"params",distance 0; pcre:"/\x3C\s*param\s*\x3E\s*\x3C\s*value\s*\x3E\s*\x3C\s*string\s*\x3E[^\x3C]*[\x2C\x3B]/smiR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44031; reference:cve,2010-3582; reference:cve,2010-3585; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html; classtype:attempted-admin; sid:19441; rev:4; service:http; )
03817 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Data Protector Media Operations SignInName Parameter overflow attempt"; flow:to_server,established; http_uri; content:"/4daction/wHandleURLs/handleSignIn"; http_client_body; content:"SignInName=",nocase; isdataat:256,relative; content:!"&",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44381; classtype:attempted-admin; sid:19155; rev:3; service:http; )
# NOTE(review): in the pcre, "-textFile+" makes "+" a quantifier on the final "e",
# not the literal "+" that the preceding content:"-textFile+" requires. As
# written, "[^+]{201}" has to start at that literal "+" and so cannot match the
# "-textFile+<long value>" form the content match selects; "-textFile\+[^+]{201}"
# is almost certainly what was intended.
03818 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"-textFile+"; content:"/OvCgi/"; pcre:"/\/OvCgi\/(jovgraph|webappmon)\.exe.*?-textFile+[^+]{201}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1551; reference:cve,2010-1552; reference:cve,2010-1553; reference:cve,2010-1554; reference:cve,2010-1555; reference:cve,2010-1961; reference:cve,2011-3167; classtype:attempted-user; sid:16674; rev:9; service:http; )
03819 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/snmpviewer|2E|exe"; pkt_data; content:"app|3D|",nocase; isdataat:300,relative; content:"act|3D|",nocase; isdataat:300,relative; pcre:"/act\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; pcre:"/app\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1552; classtype:attempted-user; sid:19140; rev:3; service:http; )
03820 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI MaxAge parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"MaxAge|3D|",nocase; isdataat:300,relative; pcre:"/MaxAge\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1553; classtype:attempted-user; sid:19139; rev:3; service:http; )
03821 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"Hostname|3D|",nocase; isdataat:300,relative; pcre:"/Hostname\x3D[^\x26\x3F\x3B\x0D\x0A\s]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1555; classtype:attempted-user; sid:19138; rev:3; service:http; )
03822 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI ICount parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"ICount|3D|",nocase; isdataat:300,relative; pcre:"/ICount\x3D\x2D[^\x26\x3F\x3B\x0D\x0A\s]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1554; classtype:attempted-user; sid:19137; rev:3; service:http; )
# NOTE(review): the destination port is hard-coded to 8080 rather than
# $HTTP_PORTS as in the rest of the file; a JMX console served on any other port
# is not inspected by this rule. Confirm the narrower scope is deliberate.
03824 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Jboss default configuration unauthorized application add attempt"; flow:to_server,established; http_uri; content:"/jmx-console/HtmlAdaptor?",nocase; content:"action=inspectMBean",nocase; content:"name=jboss.deployment|3A|type=DeploymentScanner,flavor=URL",nocase; pkt_data; content:"addURL|28|",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; classtype:web-application-attack; sid:18932; rev:3; service:http; )
# NOTE(review): sid:18921-18925 are identical except for the URI, and the
# cookie-name alternation lists OvJavaScript twice. One rule with a URI
# alternation (or the five URI contents folded into a single pcre) would be
# easier to keep in sync. The "/OVCgi/" spelling is matched case-sensitively, as
# noted above for sid:16555.
03825 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Toolbar.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18925; rev:3; service:http; )
03826 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Title.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18924; rev:3; service:http; )
03827 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/snmpviewer.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18923; rev:3; service:http; )
03828 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/printsession.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18922; rev:3; service:http; )
03829 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OvWebHelp.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18921; rev:3; service:http; )
03830 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OvHelp.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18920; rev:3; service:http; )
03831 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovsipexport.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18919; rev:3; service:http; )
03832 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovsessioninfo.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18918; rev:3; service:http; )
03833 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovlogin.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18917; rev:3; service:http; )
03834 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovlaunchreg.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18916; rev:3; service:http; )
03835 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovlaunch.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18915; rev:3; service:http; )
03836 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovalarm.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18914; rev:3; service:http; )
03837 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OpenView.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18913; rev:3; service:http; )
03838 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/OpenView5.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18912; rev:3; service:http; )
03839 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/nnmRptPresenter.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18911; rev:3; service:http; )
03840 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/nnmRptConfig.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18910; rev:3; service:http; )
03841 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/jovwreg.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18909; rev:3; service:http; )
03842 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/jovw.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18908; rev:3; service:http; )
03843 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/getnnmdata.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18907; rev:3; service:http; )
03844 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/getcvdata.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18906; rev:3; service:http; )
03845 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Main/Snmp.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18905; rev:3; service:http; )
03846 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/webappmon.exe"; http_cookie; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:17140; rev:4; service:http; )
03847 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Power Manager formExportDataLogs directory traversal attempt"; flow:to_server,established; http_uri; content:"|2F|goform|2F|formExportDataLogs",nocase; pkt_data; pcre:"/fileName\x3d[^\x26]*(\x2e\x2e\x5c|\x2e\x2e\x2f)/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37866; reference:cve,2009-4000; classtype:web-application-attack; sid:18802; rev:5; service:http; )
03848 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Secure Backup Administration property_box.php other variable command execution attempt"; flow:to_server,established; http_uri; content:"/property_box.php",fast_pattern,nocase; content:"type=ListAttachment",nocase; content:"other=",nocase; http_raw_uri; pcre:"/other=[^\x26]*(%26|%7c)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,41616; reference:cve,2010-0899; classtype:attempted-admin; sid:18797; rev:3; service:http; )
03849 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovet_demandpoll.exe format string execution attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/OvCgi/webappmon.exe",fast_pattern,nocase; http_client_body; content:"sel="; pkt_data; pcre:"/^[^\x26]*?\x25/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40065; reference:cve,2010-1550; classtype:attempted-admin; sid:18795; rev:4; service:http; )
03850 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX authentication bypass attempt"; flow:to_server,established; http_method; content:"HEAD",nocase; http_uri; content:"/jmx-console/HtmlAdaptor",nocase; content:"import",nocase; pcre:"/\x26arg\d+\s*=\s*[^\r\n\x26]*import/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39710; reference:cve,2010-0738; classtype:attempted-admin; sid:18794; rev:4; service:http; )
03852 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt"; flow:to_server,established; http_uri; content:"/zenworks/UploadServlet",fast_pattern,nocase; pkt_data; content:"filename=",nocase; pcre:"/^[^\x26]*?\x2E\x2E/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39914; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18792; rev:3; service:http; )
03853 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - GET"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; content:"displayWidth",distance 0,nocase; pcre:"/(displayWidth[\x2b\x20]\d[^\x2b\s\n]{128})/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45762; reference:cve,2011-0262; classtype:attempted-user; sid:18760; rev:3; service:http; )
03854 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - POST"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; http_client_body; content:"displayWidth",nocase; pcre:"/(displayWidth[\x2b\x20]\d[^\x2b\s\n]{128})/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45762; reference:cve,2011-0262; classtype:attempted-user; sid:18759; rev:3; service:http; )
03855 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Power Manager formExportDataLogs buffer overflow attempt"; flow:to_server,established; http_uri; content:"|2F|goform|2F|formExportDataLogs",nocase; http_client_body; content:"fileName"; pcre:"/fileName\x3d[^\r\n&]{235}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37866; reference:cve,2009-3999; classtype:attempted-user; sid:18745; rev:3; service:http; )
03856 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager OpenView5 CGI buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/OpenView5.exe"; pkt_data; pcre:"/(Context|Action)\x3D[^\x26\x3b]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33147; reference:cve,2008-0067; classtype:attempted-user; sid:18579; rev:4; service:http; )
03860 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell iManager getMultiPartParameters unauthorized file upload attempt"; flow:to_server,established; http_uri; content:"/nps/servlet/modulemanager",nocase; pkt_data; content:"Content-Disposition",nocase; pcre:"/^[^\n]*filename[^\x3B]*([\x5C\x2F]\x2E\x2E|\x2E\x2E[\x5C\x2F])/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43635; classtype:attempted-admin; sid:18311; rev:3; service:http; )
03862 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Trend Micro OfficeScan Console authentication buffer overflow attempt"; flow:to_server,established; http_uri; content:"/officescan/console",fast_pattern; http_cookie; content:"session="; pcre:"/session=[^\s\x3b&]{520}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,24641; reference:bugtraq,24935; reference:cve,2007-3454; reference:cve,2007-3455; classtype:attempted-admin; sid:17295; rev:4; service:http; )
03863 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Secure Access Control Server UCP Application CSuserCGI.exe buffer overflow attempt"; flow:to_server,established; http_uri; content:"/CSuserCGI.exe?",nocase; content:"Logout",distance 0,nocase; pcre:"/\x2FCSuserCGI\x2Eexe\x3F.*?Logout.[^&]{96}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28222; reference:cve,2008-0532; reference:url,www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml; classtype:attempted-admin; sid:13656; rev:7; service:http; )
03864 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 3"; flow:to_server,established; http_uri; content:"/imc/reportscript/oracle/deploypara.properties"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17159; rev:3; service:http; )
03865 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 2"; flow:to_server,established; http_uri; content:"/rpt/reportscript/sqlserver/deploypara.properties"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17158; rev:3; service:http; )
03866 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 1"; flow:to_server,established; http_uri; content:"/imc/reportscript/sqlserver/deploypara.properties"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17157; rev:3; service:http; )
03867 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/report/DownloadReportSource",nocase; content:"fileName"; http_raw_uri; pcre:"/fileName=.*?\x2E\x2E(\x2F|\x5C)/s"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:misc-attack; sid:17137; rev:2; service:http; )
03868 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe OVwSelection buffer overflow attempt - POST"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; http_client_body; content:"OVwSelection",nocase; pcre:"/(arg=[^\x26]*?OVwSelection[^\x26]*?\x26.*?sel=[^\s\x26]{1023}|sel=[^\x26]{1023,}\x26.*?arg=[^\s\x26]*?OVwSelection)/s"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37343; reference:cve,2009-4181; classtype:attempted-user; sid:16713; rev:2; service:http; )
03869 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe OVwSelection buffer overflow attempt - GET"; flow:to_server,established; http_uri; content:"|2F|OvCgi|2F|jovgraph.exe",nocase; content:"OVwSelection",nocase; pcre:"/(arg=[^\x26]*?OVwSelection[^\x26]*?\x26.*?sel=[^\s\x26]{1023}|sel=[^\x26]{1023,}\x26.*?arg=[^\s\x26]*?OVwSelection)/s"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37343; reference:cve,2009-4181; classtype:attempted-user; sid:16712; rev:2; service:http; )
03870 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovalarm.exe Accept-Language buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovalarm.exe",nocase; pkt_data; content:"OVABverbose=",nocase; pcre:"/^(?!false|off|no|0)/iR"; pcre:"/(OvAcceptLang|Accept-Language)\s*[\x3D\x3A]\s*[^\n]{69}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37261; reference:cve,2009-4179; classtype:attempted-user; sid:16604; rev:4; service:http; )
03871 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Novell iManager eDirectory plugin schema buffer overflow attempt - GET request"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/nps/servlet/",nocase; content:"taskId=base.ExtendSchema",nocase; pcre:"/(((DestFile|encryptPass)\x3D[^\x26]{50})|((BaseDN|SearchFilter)\x3D[^\x26]{128}))/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37672; reference:cve,2009-4486; classtype:attempted-admin; sid:16429; rev:4; service:http; )
03872 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Novell iManager eDirectory plugin schema buffer overflow attempt - POST request"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/nps/servlet/",nocase; content:"taskId=base.ExtendSchema",nocase; http_client_body; pcre:"/(((DestFile|encryptPass)\x3D[^\x26]{50})|((BaseDN|SearchFilter)\x3D[^\x26]{128}))/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37672; reference:cve,2009-4486; classtype:attempted-admin; sid:16430; rev:4; service:http; )
03876 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/Toolbar.exe",nocase; http_cookie; content:"OvOSLocale",nocase; pcre:"/OvOSLocale\s*\x3d\s*[^\x3b\s]{249}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34134; reference:cve,2008-0067; reference:cve,2009-0920; classtype:attempted-user; sid:15434; rev:10; service:http; )
03880 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt"; flow:to_server,established; http_uri; content:"Top_Unanswered_Customer_Questions.asp",nocase; pkt_data; pcre:"/\x26r\d\x3d[^\x26\s]*\x27/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2991; classtype:web-application-attack; sid:13929; rev:5; service:http; )
03881 alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; http_uri; content:"/topology/home"; http_raw_uri; bufferlen:>184; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:7; service:http; )
03882 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nessus 2.x 404 probe"; flow:to_server,established; http_uri; content:"/NessusTest"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service http; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:8; service:http; )
03883 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway PHP remote code injection attempt"; flow:to_server,established; http_uri; content:"/spywall/blocked_file.php"; http_client_body; content:"<?"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53443; reference:cve,2012-0299; reference:url,osvdb.org/show/osvdb/53443; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00; classtype:attempted-admin; sid:24518; rev:3; service:http; )
03884 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Symantec Web Gateway PHP remote code execution attempt"; flow:to_server,established; http_uri; content:"/spywall/images/upload/"; content:".php",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53443; reference:cve,2012-0299; reference:url,osvdb.org/show/osvdb/53443; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00; classtype:attempted-admin; sid:24519; rev:3; service:http; )
03885 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell iManager buffer overflow attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/nps/servlet/webacc",nocase; http_client_body; content:"EnteredAttrName="; pcre:"/EnteredAttrName=[^&]{32}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-4188; reference:url,novell.com/support/kb/doc.php?id=7002971; classtype:attempted-admin; sid:23354; rev:2; service:http; )
03886 alert tcp $EXTERNAL_NET any -> $HOME_NET [10000] ( msg:"SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt"; flow:to_server,established; http_uri; content:"/file/show.cgi/"; content:"|7C|",distance 0; http_cookie; content:"sid="; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:bugtraq,55446; reference:cve,2012-2982; reference:url,osvdb.org/show/osvdb/85248; reference:url,www.kb.cert.org/vuls/id/788478; classtype:web-application-attack; sid:24628; rev:2; service:http; )
03887 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Fusion Middleware WebCenter selectedLocale parameter sql injection attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/cs/ContentServer"; http_client_body; content:"selectedLocale=",nocase; pcre:"/(^|&)selectedLocale=[^&]+?([\x22\x27]|%22|%27)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,55984; reference:cve,2012-3186; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html; classtype:web-application-attack; sid:24629; rev:1; service:http; )
03888 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt"; flow:to_server,established; http_uri; content:"/jmx-console/HtmlAdaptor"; pkt_data; pcre:"/\x26?arg\d+\s*=\s*[^\x26]*?(import|http)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39710; reference:cve,2010-0738; classtype:attempted-admin; sid:24642; rev:2; service:http; )
03889 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP D-Link Wireless Router CAPTCHA data processing buffer overflow attempt"; flow:to_server,established; http_uri; content:"/goform/formLogin"; http_client_body; content:"FILECODE=",nocase; isdataat:96,relative; pcre:"/FILECODE=[^&]{96}/i"; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:url,websecuritywatch.com/d-link-wireless-n300-cloud-router-captcha-processing-buffer-overflow-vulnerability; classtype:attempted-admin; sid:24647; rev:2; service:http; )
03891 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/UNCWS/Management.asmx"; http_header; content:!"SOAP",nocase; http_client_body; pcre:"/(^|&)SelectedID=[^&]+?(\x3B|%3B)/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,47355; reference:cve,2011-1653; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={CD065CEC-AFE2-4D9D-8E0B-BE7F6E345866}; classtype:attempted-admin; sid:24704; rev:2; service:http; )
03892 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/UNCWS/Management.asmx"; http_header; content:"SOAP",nocase; http_client_body; pcre:"/<SelectedID>[^<]+?(\x3B|%3B)/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,47355; reference:cve,2011-1653; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={CD065CEC-AFE2-4D9D-8E0B-BE7F6E345866}; classtype:attempted-admin; sid:24705; rev:2; service:http; )
# Oracle GlassFish admin console reflected XSS (CVE-2012-0551, sid 24728-24737): one rule per
# vulnerable .jsf page, each keying on the appName / configName / key URI parameter containing
# a quote, angle bracket, parenthesis, or the tokens script / onload / src.
# NOTE(review): "src" and "script" are matched as bare substrings of the parameter value, so a
# legitimate value such as configName=mysrc also fires; sid 24737 keys only on the short URI
# fragment "/xhp", so expect a higher false-positive rate there than on the .jsf rules.
03893 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/applications/lifecycleEdit.jsf"; pcre:"/[?&]appName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24728; rev:2; service:http; )
03894 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/realms/realms.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24729; rev:2; service:http; )
03895 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/web/grizzly/networkListeners.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24730; rev:2; service:http; )
03896 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/auditModules/auditModules.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24731; rev:2; service:http; )
03897 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/jacc/jaccProviders.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24732; rev:2; service:http; )
03898 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/common/security/msgSecurity/msgSecurity.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24733; rev:2; service:http; )
03899 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/jms/jmsHosts.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24734; rev:2; service:http; )
03900 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/web/grizzly/protocols.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24735; rev:2; service:http; )
03901 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/web/grizzly/transports.jsf"; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24736; rev:2; service:http; )
03902 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; http_uri; content:"/xhp"; pcre:"/[?&]key=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24737; rev:2; service:http; )
03906 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Invision IP Board PHP unserialize code execution attempt"; flow:to_server,established; http_uri; content:"<?"; http_cookie; content:"member_id=",nocase; pcre:"/(^|[\x3b\x7b\x7d]|%3b|%7b|%7d)O(%3a|\x3a)(\x2b|%2b)?[0-9]+?(%3a|\x3a)(%22|\x22)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,56288; reference:cve,2012-5692; reference:url,community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-critical-security-update; classtype:attempted-admin; sid:24804; rev:1; service:http; )
# HP OpenView NNM jovgraph.exe buffer overflow (CVE-2010-1961, sid 24913/24914): an arg=
# parameter whose value does not start with '-' and runs at least 189 bytes without + & or $.
# sid 24913 inspects the URI of a GET; sid 24914 inspects the body of a POST.
# NOTE(review): the body pcre of sid 24914 requires a '?' or '&' before arg=, so an arg= that is
# the first form field in the body appears not to match (compare the (^|&) anchor used by
# sid 24704 above) — confirm against a test payload before relying on it.
03907 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"/OvCgi/jovgraph.exe"; pcre:"/[?&]arg=[^-][^+&$]{189}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40638; reference:cve,2010-1961; classtype:attempted-user; sid:24913; rev:2; service:http; )
03908 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/OvCgi/jovgraph.exe"; http_client_body; pcre:"/[?&]arg=[^-][^+&$]{189}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,40638; reference:cve,2010-1961; classtype:attempted-user; sid:24914; rev:2; service:http; )
# Microsoft SCOM Web Console XSS (CVE-2013-0010, MS13-003, sid 25273): POST body to
# ExecuteTask.aspx whose __CALLBACKPARAM value contains a quote followed by < > ( ) (raw or
# URL-encoded).
03909 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SCOM Web Console cross-site scripting attempt"; flow:to_server,established; http_uri; content:"/InternalPages/ExecuteTask.aspx"; http_client_body; content:"__CALLBACKPARAM=",nocase; pcre:"/__CALLBACKPARAM=[^\r\n]+?([\x22\x27]|%22|%27)([\x3E\x3C\x28\x29]|%3E|%3C|%28|%29)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0010; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-003; classtype:attempted-user; sid:25273; rev:1; service:http; )
# MoinMoin arbitrary file upload (CVE-2012-6081, sid 25286): action=wikidraw ("wikidraw" must
# appear within 11 bytes of "action=") with a target= value that starts with two
# parent-directory steps using / or \.
03910 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP MoinMoin arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"action="; content:"wikidraw",within 11; content:"target="; pcre:"/target=\.\.[\x2f\x5c]\.\.[\x2f\x5c]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,57082; reference:cve,2012-6081; classtype:attempted-admin; sid:25286; rev:2; service:http; )
03913 alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 ( msg:"SERVER-WEBAPP VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_server,established; http_method; content:"GET",nocase; http_uri; content:"|2F|requests|2F|status.xml",nocase; content:"smb"; pkt_data; pcre:"/^GET\s+.*\x2Frequests\x2Fstatus\.xml\x3F.*smb\x3A\x2F\x2F[^\s\x0A\x0D]{251}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35500; reference:cve,2009-2484; reference:url,osvdb.org/show/osvdb/55509; classtype:attempted-user; sid:16753; rev:4; service:http; )
# Microsoft SharePoint ScriptResx.ashx directory traversal (CVE-2013-0084, MS13-024,
# sid 26165-26167): three forms of the name= parameter — a drive-letter prefix (name=c:),
# three ../ steps, or a leading \\ (the last is checked on http_raw_uri, so the pcre also
# lists the %5c%5c encoded form).
03915 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; http_uri; content:"/_layouts/ScriptResx.ashx"; content:"name=c:",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26165; rev:1; service:http; )
03916 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; http_uri; content:"/_layouts/ScriptResx.ashx"; content:"name=",nocase; pcre:"/[?&]name=[^&]*\x2e\x2e\x2f[^&]*\x2e\x2e\x2f[^&]*\x2e\x2e\x2f/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26166; rev:1; service:http; )
03917 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; http_uri; content:"/_layouts/ScriptResx.ashx"; content:"name=",nocase; http_raw_uri; pcre:"/[?&]name=(\x5c\x5c|%5c%5c)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26167; rev:1; service:http; )
# Microsoft Office SharePoint elevation of privilege (CVE-2008-4032, MS08-077, sid 15108):
# mode=ssp in a URI that is NOT under /ssp/admin/_layouts (negated content match).
03918 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint Server elevation of privilege exploit attempt"; flow:to_server,established; http_uri; content:!"/ssp/admin/_layouts"; content:"mode=ssp"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-077; classtype:attempted-admin; sid:15108; rev:8; service:http; )
03919 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint query.iqy XSS attempt"; flow:to_server,established; http_uri; content:"/owssvr.dll?",nocase; content:"query.iqy",distance 0,fast_pattern,nocase; pcre:"/[?&]Using=_layouts/query.iqy.*?&List=[^&]+(script|src|location|document|onlick|onload)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1863; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; classtype:attempted-user; sid:23282; rev:4; service:http; )
# Microsoft SharePoint reflected XSS rules (sid 23281, 21298, 21297, 16560, 26124, 26131): each
# keys on a specific _layouts page and a parameter value containing quotes / angle brackets /
# parentheses or an event-handler / script token.
#  - sid 21297 evaluates its pcre on pkt_data (raw payload) after the http_uri content match.
#  - sid 16560 uses a character-class allow-list on cid0= (any byte outside
#    [A-Za-z\/.&=0-9 whitespace] fires) rather than an attack-token list.
#  - sid 26124 fires on any '<' in the k / u / cs parameters of OSSSearchResults.aspx.
03920 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint scriptresx.ashx XSS attempt"; flow:to_server,established; http_uri; content:"_layouts/scriptresx.ashx"; pcre:"/sections=[^\r\n\x26]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1859; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; classtype:web-application-attack; sid:23281; rev:4; service:http; )
03921 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft SharePoint chart webpart XSS attempt"; flow:to_server,established; http_uri; content:"_layouts/Chart/WebUI/WizardList.aspx"; pcre:"/([sp]key|csk)=[^\r\n\x26]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-011; classtype:web-application-attack; sid:21298; rev:3; service:http; )
03922 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint themeweb.aspx XSS attempt"; flow:to_server,established; http_uri; content:"/_layouts/themeweb.aspx"; pkt_data; pcre:"/ctl\d+\x24PlaceHolderMain\x24ctl\d+\x24customizeThemeSection\x24(accent1|accent2|accent3|accent4|accent5|accent6|dark1|dark2|light1|light2)=[^\r\n\x26]+(script|onclick|onload|onmouseover|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-011; classtype:web-application-attack; sid:21297; rev:4; service:http; )
03923 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint XSS attempt"; flow:to_server,established; http_uri; content:"_layouts/help.aspx?",nocase; content:"cid0=",distance 0,nocase; pcre:"/\x5flayouts\x2fhelp\x2easpx\x3f.*?cid0\x3d[A-Za-z\x5c\x2e0-9]*[^A-Za-z\x5c\x2f\x2e\x26\x3d0-9\s]/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0817; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-039; classtype:attempted-user; sid:16560; rev:12; service:http; )
03925 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt"; flow:to_server,established; http_uri; content:"/_layouts/OSSSearchResults.aspx"; pcre:"/[?&](k|u|cs)=[^&]+?</i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-024; classtype:web-application-attack; sid:26124; rev:4; service:http; )
03926 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt"; flow:to_server,established; http_uri; content:"/_layouts/filter.aspx"; pcre:"/[?&](CallbackParam|CallbackFn)=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|eval|script|onload|src)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-024; classtype:web-application-attack; sid:26131; rev:3; service:http; )
# WordPress wp-banners-lite plugin XSS (sid 26263): wpbanners_show.php with a cid= value
# containing quotes, angle brackets, parentheses, ';' or a script / src / location / document
# token.
03927 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress wp-banners-lite plugin cross site scripting attempt"; flow:to_server,established; http_uri; content:"wpbanners_show.php",nocase; content:"cid=",distance 0; pcre:"/wpbanners_show\.php.*?[?&]cid=[^&]*?([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,seclists.org/fulldisclosure/2013/Mar/209; classtype:web-application-attack; sid:26263; rev:1; service:http; )
# Nagios3 statuswml.cgi command execution (CVE-2009-2288, sid 26274): POST body with a
# traceroute= or ping= parameter whose value begins with ';' (raw or %3b).
# NOTE(review): the ';' must be the very first byte of the value; a value with any characters
# before the ';' is not matched by this pcre — confirm that coverage gap is acceptable.
03928 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Nagios3 statuswml.cgi remote command execution attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/cgi-bin/statuswml.cgi"; http_client_body; pcre:"/(?>traceroute|ping)=(?:%3b|\x3b)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2288; reference:url,osvdb.com/55281; classtype:attempted-admin; sid:26274; rev:1; service:http; )
# DD-WRT httpd cgi-bin command execution (CVE-2009-2765, sid 26275): "/cgi-bin/;" in the URI
# followed by '$' and then "IFS" within the next 4 bytes.
# NOTE(review): the source is "any any", not $EXTERNAL_NET, so this rule also fires on requests
# that originate inside $HOME_NET — plausibly deliberate for LAN-side router traffic, but worth
# knowing when tuning.
03929 alert tcp any any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/|3B|",nocase; content:"$",distance 0; content:"IFS",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:26275; rev:1; service:http; )
# Redmine SCM rev parameter command injection (CVE-2011-4929, sid 26320): /repository/annotate?
# with rev= immediately followed by a backtick (0x60).
03930 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Redmine SCM rev parameter command injection attempt"; flow:to_server,established; http_uri; content:"/repository/annotate?"; content:"rev=|60|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-4929; reference:url,osvdb.org/show/osvdb/70090; reference:url,www.redmine.org/news/49; classtype:attempted-admin; sid:26320; rev:2; service:http; )
# HP Intelligent Management Center mibFileUpload arbitrary file upload (CVE-2012-5201,
# sid 26416/26417): four ../ (or ..\) steps in the upload body.
# sid 26418: HP System Management /proxy/DataValidation iprange= value of at least 68 bytes
# (the isdataat guard and the pcre quantifier agree on 68).
# sid 26436: HP IMC FaultDownloadServlet fileName= containing ../ (CVE-2012-5202).
03931 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center mibFileUpload servlet arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/imc/webdm/mibbrowser/mibFileUpload"; http_client_body; content:"../../../../"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58385; reference:cve,2012-5201; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91026; classtype:attempted-admin; sid:26416; rev:1; service:http; )
03932 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center mibFileUpload servlet arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/imc/webdm/mibbrowser/mibFileUpload"; http_client_body; content:"..|5C|..|5C|..|5C|..|5C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58385; reference:cve,2012-5201; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91026; classtype:attempted-admin; sid:26417; rev:1; service:http; )
03933 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/proxy/DataValidation"; content:"iprange=",nocase; isdataat:68,relative; pcre:"/[?&]iprange=[^&]{68}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-df3d68cc03364ce78f1987b83b; reference:url,osvdb.org/show/osvdb/91812; classtype:attempted-admin; sid:26418; rev:1; service:http; )
03934 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center FaultDownloadServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/tmp/fault/download?"; content:"fileName=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58675; reference:cve,2012-5202; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91027; classtype:attempted-recon; sid:26436; rev:2; service:http; )
# Adobe RoboHelp Help_Errors.asp SQL injection (CVE-2008-2991, sid 13928): an &r<digit>=
# parameter whose value contains a character that is not a digit, whitespace or '&'.
03936 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Adobe RoboHelp r0 SQL injection attempt"; flow:to_server,established; http_uri; content:"Help_Errors.asp"; pcre:"/\x26r\d\x3d\d*[^\x26\s\d]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2991; classtype:web-application-attack; sid:13928; rev:8; service:http; )
# Secure Backup login.php uname command injection (CVE-2008-5449, sid 18293): uname= value
# containing an encoded '&' (%26), checked on http_raw_uri so the encoding is preserved.
03937 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Secure Backup login.php uname variable based command injection attempt"; flow:to_server,established; http_uri; content:"login.php"; content:"attempt="; content:"uname="; http_raw_uri; content:"%26"; pcre:"/uname=[^&]*%26/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-5449; classtype:attempted-admin; sid:18293; rev:3; service:http; )
03938 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP CA XOsoft Multiple Products entry_point.aspx buffer overflow attempt"; flow:to_server,established; http_uri; content:"/entry_point.aspx",nocase; pkt_data; content:"txt_user_name_p|3D|",nocase; isdataat:300,relative; pcre:"/txt_user_name_p\x3D[^\x26\x3F\x3B]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39238; reference:cve,2010-1223; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869; classtype:attempted-user; sid:19136; rev:3; service:http; )
# HP IMC IctDownloadServlet (CVE-2012-5204, sid 26505) and ReportImgServlet (CVE-2012-5203,
# sid 26523) information disclosure: fileName= / path= parameter followed by ../.
03940 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center IctDownloadServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/tmp/ict/download?"; content:"fileName=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58676; reference:cve,2012-5204; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91029; classtype:attempted-recon; sid:26505; rev:1; service:http; )
03941 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center ReportImgServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/reportImg?"; content:"path=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58672; reference:cve,2012-5203; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91028; classtype:attempted-recon; sid:26523; rev:1; service:http; )
# phpMyAdmin preg_replace code execution (CVE-2013-3238, PMASA-2013-2, sid 26547): POST body to
# db_structure.php with a from_prefix value containing a '/', a later 'e', and then a NUL
# byte (raw or %00 encoded).
03942 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP phpMyAdmin preg_replace remote code execution attempt"; flow:to_server,established; http_uri; content:"/db_structure.php"; http_client_body; content:"prefix=",nocase; pcre:"/from(%5f|_)prefix=[^&]*?(%2f|\/)[^&]*?e[^&]*?(%00|\x00)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3238; reference:url,osvdb.org/show/osvdb/92793; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2013-2.php; classtype:attempted-admin; sid:26547; rev:2; service:http; )
# WordPress brute-force login (sid 26557): POST to /wp-login.php, throttled by detection_filter
# so it alerts only once a single source exceeds 26 such POSTs within 60 seconds.
# NOTE(review): the metadata marks this rule as drop in the balanced and security policies, so
# in inline mode the triggering (26th and later) login attempts from that source are blocked,
# not merely logged — make sure that is the intended response for shared-NAT sources.
03943 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Wordpress brute-force login attempt"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"|2F|wp|2D|login|2E|php"; detection_filter:track by_src, count 26, seconds 60; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.spiderlabs.com/2013/04/defending-wordpress-logins-from-brute-force-attacks.html; reference:url,blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html; classtype:suspicious-login; sid:26557; rev:2; service:http; )
# PHP htmlspecialchars/htmlentities buffer overflow (PHP bug 60965, sid 26593).
# NOTE(review): the content literal begins with the raw character "ї" (U+0457, decimal 1111),
# which looks like an HTML-rendering artifact of the numeric entity &#1111 — the trailing |3B|
# would then be that entity's ';' terminator. As reproduced here the rule matches a UTF-8
# encoded "ї;" rather than "&#1111;"; confirm against the upstream rule text before loading.
03944 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt"; flow:to_server,established; http_uri; content:"ї|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,51860; reference:url,bugs.php.net/bug.php?id=60965; classtype:attempted-admin; sid:26593; rev:1; service:http; )
# HP IMC SyslogDownloadServlet (CVE-2012-5206, sid 26669) and UAM acmServletDownload
# (CVE-2012-5211, sid 26794) information disclosure: fileName= / pathName= containing ../.
# sid 26794 narrows the generic "Name=" content with a pcre that requires (path|file)Name=.
03946 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center SyslogDownloadServlet information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/tmp/syslog/download?"; content:"fileName=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58385; reference:cve,2012-5206; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91031; classtype:attempted-recon; sid:26669; rev:1; service:http; )
03947 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP Intelligent Management Center UAM acmServletDownload information disclosure attempt"; flow:to_server,established; http_uri; content:"/imc/download?"; content:"Name=",nocase; content:"../",distance 0; pcre:"/[?&](path|file)Name=[^&]*?\x2e\x2e\x2f/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58385; reference:cve,2012-5211; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; reference:url,osvdb.org/show/osvdb/91036; classtype:attempted-recon; sid:26794; rev:1; service:http; )
# Mutiny editdocument servlet (CVE-2013-0136): sid 26797 — a paths[]= form field containing ../
# (raw or URL-encoded) on a body that also carries operation=; sid 26798 — uploadPath followed
# by ../ in an upload body that also carries uploadFile.
03948 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Mutiny editdocument servlet arbitrary file access attempt"; flow:to_server,established; http_uri; content:"/interface/editdocument"; http_client_body; content:"operation=",nocase; content:"paths",nocase; pcre:"/(^|&)paths(%5b|\x5b)(%5d|\x5d)=[^&]*?(%2e|\x2e){2}(%2f|\x2f)/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0136; reference:url,osvdb.org/show/osvdb/93444; classtype:attempted-recon; sid:26797; rev:1; service:http; )
03949 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Mutiny editdocument servlet arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/interface/editdocument"; http_client_body; content:"uploadFile",nocase; content:"uploadPath",nocase; pcre:"/uploadPath[^-]+?(%2e|\x2e){2}(%2f|\x2f)/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0136; reference:url,osvdb.org/show/osvdb/93444; classtype:attempted-admin; sid:26798; rev:1; service:http; )
# TWiki search/topic command execution (CVE-2004-1037, sid 26907/26908): a search= or topic=
# value containing a single quote, optional whitespace, then ';'. sid 26907 inspects the URI,
# sid 26908 the body of a POST. Both are scoped to $HTTP_SERVERS rather than $HOME_NET.
03951 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP TWiki search function remote code execution attempt"; flow:to_server,established; http_uri; content:"/twiki/"; pcre:"/[?&](search|topic)=[^&]*?(\x27|%27)(\s*|(%20)*)(\x3b|%3b)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,11674; reference:cve,2004-1037; classtype:attempted-user; sid:26907; rev:1; service:http; )
03952 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP TWiki search function remote code execution attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/twiki/"; http_client_body; pcre:"/[?&](search|topic)=[^&]*?(\x27|%27)(\s*|(%20)*)(\x3b|%3b)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,11674; reference:cve,2004-1037; classtype:attempted-user; sid:26908; rev:1; service:http; )
# D-Link DIR-300/DIR-600 unauthenticated command execution (sid 26953): POST to /command.php
# with cmd= in the body. Only the method, URI and parameter name are fixed; the cmd value
# itself is not inspected, so any use of that endpoint fires.
03954 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP D-Link DIR-300/DIR-600 unauthenticated remote command execution attempt"; flow:to_server,established; http_method; content:"POST",depth 4,nocase; http_uri; content:"/command.php"; http_client_body; content:"cmd=",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,57734; reference:url,exploit-db.com/exploits/24453/; reference:url,osvdb.org/show/osvdb/89861; reference:url,www.s3cur1ty.de/m1adv2013-003; classtype:attempted-admin; sid:26953; rev:1; service:http; )
# WordPress Super Cache / W3 Total Cache code execution (CVE-2013-2010, sid 26990/26992):
# comment-submission body (wp-comments-post.php) containing the plain substring "mfunc" or
# "mclude" (both case-sensitive, no surrounding delimiters required).
03955 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; http_uri; content:"wp-comments-post.php",nocase; http_client_body; content:"mfunc"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,59316; reference:cve,2013-2010; reference:url,osvdb.org/show/osvdb/92652; classtype:attempted-admin; sid:26990; rev:2; service:http; )
03957 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; http_uri; content:"wp-comments-post.php",nocase; http_client_body; content:"mclude"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,59316; reference:cve,2013-2010; reference:url,osvdb.org/show/osvdb/92652; classtype:attempted-admin; sid:26992; rev:2; service:http; )
# Novell ZENworks Mobile Management directory traversal: dusap.php (CVE-2013-1082,
# sid 27018-27020) and mdm.php (CVE-2013-1081, sid 27028) — a language= parameter followed by
# ../ or ..\ in the URI query string or in the POST body.
03958 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/dusap.php?"; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,osvdb.org/show/osvdb/91118; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27018; rev:2; service:http; )
03959 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/dusap.php"; http_client_body; content:"language=",nocase; content:"..|5C|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,osvdb.org/show/osvdb/91118; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27019; rev:2; service:http; )
03960 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/dusap.php"; http_client_body; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,osvdb.org/show/osvdb/91118; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27020; rev:2; service:http; )
03961 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/mdm.php?"; content:"language=",nocase; content:"../",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58402; reference:cve,2013-1081; reference:url,osvdb.org/show/osvdb/91119; reference:url,www.novell.com/support/kb/doc.php?id=7011895; classtype:attempted-admin; sid:27028; rev:2; service:http; )
# HP System Management Homepage command injection (CVE-2013-3576, sid 27104/27105): the URI
# contains /smhutil/snmpchp/ plus "&&" (sid 27104) or ";" (sid 27105).
# NOTE(review): the second content has no distance/within modifier, so the "&&" or ";" may occur
# anywhere in the normalized URI, not only after /smhutil/snmpchp/; a ';' elsewhere in the
# request (e.g. a path parameter) is enough to fire, so expect some benign hits.
03964 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP System Management arbitrary command injection attempt"; flow:to_server,established; http_uri; content:"/smhutil/snmpchp/"; content:"&&"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60471; reference:cve,2013-3576; reference:url,osvdb.org/show/osvdb/94191; classtype:attempted-admin; sid:27104; rev:1; service:http; )
03965 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP System Management arbitrary command injection attempt"; flow:to_server,established; http_uri; content:"/smhutil/snmpchp/"; content:"|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,60471; reference:cve,2013-3576; reference:url,osvdb.org/show/osvdb/94191; classtype:attempted-admin; sid:27105; rev:1; service:http; )
# DokuWiki file inclusion (CVE-2009-1960, sid 27226): doku.php with a literal, case-sensitive
# config_cascade[main][default][]= parameter.
03966 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DokuWiki PHP file inclusion attempt"; flow:to_server,established; http_uri; content:"/doku.php?",nocase; content:"config_cascade[main][default][]="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35095; reference:cve,2009-1960; reference:url,osvdb.org/show/osvdb/54740; classtype:web-application-attack; sid:27226; rev:1; service:http; )
# SezHoo remote file include (sid 27284): SezHooTabsAndActions.php with an IP= parameter whose
# value starts with http / https / ftp / ftps.
03967 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SezHoo remote file include in SezHooTabsAndActions.php"; flow:to_server,established; http_uri; content:"SezHooTabsAndActions.php"; content:"IP=",nocase; pcre:"/IP=(https?|ftps?)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31756; classtype:web-application-attack; sid:27284; rev:1; service:http; )
# Gazi Download Portal down_indir.asp SQL injection (CVE-2007-2810, sid 27285): an id= value
# carrying a SELECT ... FROM (optionally preceded by UNION / DELETE / ASCII) or UPDATE ... SET
# statement.
03968 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Gazi Download Portal down_indir.asp SQL injection attempt"; flow:established,to_server; http_uri; content:"/down_indir.asp?"; content:"id=",nocase; pcre:"/id=((UNION|DELETE|ASCII)?\s*SELECT.*?FROM|UPDATE.*?SET)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23714; reference:cve,2007-2810; classtype:web-application-attack; sid:27285; rev:1; service:http; )