# NOTE(review): every line in this listing carries a 5-digit prefix (00092,
# 00210, ...) that is not Snort syntax; it looks like a line index from the
# listing tool and must be stripped before these rules are loaded.
# The rules are in Snort 3 syntax: comma-separated content modifiers
# ("depth 3,nocase"), sticky buffers (http_uri; pkt_data; ...) that apply to
# every content/pcre that follows them, and a trailing service:http option.
#
# --- BLACKLIST: known-malicious User-Agent strings ---------------------------
# sid 5808: raw-payload match on the literal bytes "User-Agent: SAH Agent"
# toward any $HTTP_PORTS. No http_header buffer and no nocase, so a client
# that changes header-name case or adds whitespace after the colon is not
# caught; drop in all three policies.
00092 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:misc-activity; sid:5808; rev:9; service:http; )
# sid 26522: same style of raw match for "User-Agent: NOKIAN95/WEB", but only
# toward port 443. A content match needs cleartext, so this can only fire
# when the port-443 session is plain HTTP; the referenced write-up describes
# the campaign as hiding behind SSL, so confirm what the sensor actually sees
# on this port (e.g. behind a TLS-terminating proxy) before relying on it.
00210 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"BLACKLIST User-Agent known malicious user agent NOKIAN95/WEB"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2F|WEB"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:2; service:http; )
# --- EXPLOIT-KIT landing / payload requests ---------------------------------
# sid 26229 (Cool EK): bufferlen:21 on http_raw_uri requires the raw URI to be
# exactly 21 bytes, which is the length of "/world/MyApplet.class" - so no
# query string or longer path matches. The content itself is then searched in
# pkt_data (raw payload), not in the URI buffer. The 13 CVE references are
# presumably the vulnerabilities the kit delivers after this class fetch,
# not a flaw in the request itself (inferred from the "class retrieval" msg).
00863 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Cool exploit kit MyApplet class retrieval"; flow:to_server,established; http_raw_uri; bufferlen:21; pkt_data; content:"/world/MyApplet.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26229; rev:2; service:http; )
# sid 26293 (Sakura): port 82 only, a single raw, unanchored, case-sensitive
# match on "/news/thing.php" anywhere in the payload (it would also hit the
# string in a Referer or body). Port-bound: the same request on 80/8080 is
# not covered by this rule unless service-based binding picks it up - confirm.
00870 alert tcp $HOME_NET any -> $EXTERNAL_NET 82 ( msg:"EXPLOIT-KIT Sakura Exploit Kit exploit request"; flow:to_server,established; content:"/news/thing.php"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26293; rev:1; service:http; )
# sid 26377 (Redkit): the raw URI must be exactly 8 bytes and, per the
# http_uri pcre, have the form "/XYZ.jar" where XYZ is three [0-9a-z]
# characters of which at least one (position 1, 2 or 3 - the three
# alternations) is a digit. The header buffer must contain " Java/1"
# (presumably the Java runtime's UA). The pkt_data content
# "content-type: application/x-java-archive" is 40 bytes; fast_pattern_offset
# 20 / fast_pattern_length 20 hand its last 20 bytes ("ation/x-java-archive")
# to the fast-pattern matcher. That content has no nocase, so it is
# case-sensitive.
00887 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit java exploit request"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:".jar"; http_header; content:" Java/1"; pkt_data; content:"content-type|3A| application/x-java-archive",fast_pattern,fast_pattern_offset 20,fast_pattern_length 20; http_uri; pcre:"/\/([0-9][0-9a-z]{2}|[0-9a-z][0-9][0-9a-z]|[0-9a-z]{2}[0-9])\.jar$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26377; rev:3; service:http; )
# --- FILE-IDENTIFY: flowbit setter, never alerts on its own -----------------
# sid 26458: tags a request for an .asx stream redirector (flowbits:set
# file.asx; flowbits:noalert) so that later FILE rules can key on file.asx.
# Note the option order: content:".asx" comes BEFORE the http_uri selector,
# so under sticky-buffer semantics it is a raw-payload match; only the pcre
# runs on the normalized URI. The pcre accepts ".asx" followed by '?', '\',
# '/' or end of buffer, case-insensitively (/i).
01637 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Stream redirector file download request"; flow:to_server,established; content:".asx"; http_uri; pcre:"/\x2easx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26458; rev:1; service:http; )
# --- FILE-IMAGE: CUPS GIF decoder overflow (CVE-2008-1373) ------------------
# sid 17558: inbound print job to port 631 (IPP). Requires the "GIF89a"
# header and then, within 1024 bytes after it, the 9-byte sequence
# 3A 00 0B 00 00 0D 2C 00 FF (0x2C is the GIF image-descriptor separator;
# presumably the descriptor geometry that triggers the overflow - confirm
# against the PoC for bugtraq 28544). A "GIF87a" header is not covered.
01664 alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"FILE-IMAGE CUPS Gif Decoding Routine Buffer Overflow attempt"; flow:to_server,established; content:"GIF89a"; content:"|3A 00 0B 00 00 0D 2C 00 FF|",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28544; reference:cve,2008-1373; classtype:attempted-user; sid:17558; rev:3; service:http; )
# --- FILE-IMAGE: libpng chunk decompression integer overflow ----------------
# sids 22109 / 22108 / 22107 share one shape and differ only in the chunk
# type (iCCP, iTXt, zTXt): PNG signature, then the chunk-type fast pattern
# (distance 0 with no within - so it may be found anywhere after the
# signature, including inside an earlier chunk's data), isdataat:512,relative
# to require at least 512 more bytes, and byte_test:4,>,0x100000,-8,relative
# which reads the 4-byte (big-endian, byte_test's default) chunk length
# stored 8 bytes before the end of the type field and fires when it exceeds
# 1 MiB.
# Destinations are ports 25 and 631 only. On SMTP an attached PNG is normally
# base64-encoded, so a raw content match on the 8-byte signature would only
# see 8bit/binary transfers unless the inspector hands decoded data to the
# default buffer - NOTE(review): consider file_data if MIME coverage matters.
01670 alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iCCP",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22109; rev:5; service:http; service:smtp; )
01671 alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22108; rev:5; service:http; service:smtp; )
01672 alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"zTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22107; rev:5; service:http; service:smtp; )
# sid 25066: a stricter sibling of sid 22108 (same iTXt checks) that also
# requires a 0x00 byte somewhere in the 13th..91st byte after the type field
# (distance 12, within 79) immediately followed by another 0x00 (within 1).
# Traffic matching this rule also matches 22108, so both alert when both are
# enabled.
01677 alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; content:"|00|",within 79,distance 12; content:"|00|",within 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:25066; rev:2; service:http; service:smtp; )
# --- INDICATOR-SHELLCODE ----------------------------------------------------
# sid 20184: inbound to a web server; raw, case-sensitive match on the
# cleartext PHP meterpreter stub line
#   $GLOBALS['msgsock_type'] = $s_type;<LF>eval
# anywhere in the request (no http_client_body buffer is selected). Only the
# unmodified stub uploaded in the clear is caught; re-indented, renamed or
# encoded variants will not match.
02503 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-SHELLCODE Metasploit php meterpreter stub .php file upload"; flow:established,to_server; content:"|24|GLOBALS|5B 27|msgsock_type|27 5D| = |24|s_type|3B 0A|eval"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20184; rev:3; service:http; )
# --- MALWARE-BACKDOOR Win.Backdoor.Demtranc (4 variants) --------------------
# Four copies of one pattern that differ only in the 4-byte path prefix
# (/AES, /ZES, /SUS, /DES): "GET" at offset 0, exactly one byte (the space)
# skipped (distance 1, within 4), the prefix as fast pattern, then a relative
# pcre requiring <digits>O<digits>.jsp? followed by 20 base64-alphabet
# characters. All four are bound to port 443 and match cleartext, so they
# only work when the session on 443 is not actually TLS. They could be folded
# into one rule with a /(AES|ZES|SUS|DES)/ alternation; presumably kept
# separate to give each variant its own sid.
02541 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/AES",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24116; rev:2; service:http; )
02543 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/ZES",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24118; rev:2; service:http; )
02545 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/SUS",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24120; rev:2; service:http; )
02547 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET",depth 3,nocase; content:"/DES",within 4,distance 1,fast_pattern,nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24122; rev:2; service:http; )
# --- MALWARE-BACKDOOR PCRat / Cdorked ---------------------------------------
# sid 26655: any destination port; fires when the first 6 payload bytes are
# "PCRatd" (depth 6). Classified misc-activity despite the backdoor msg.
02559 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Win.Backdoor.PCRat data upload"; flow:to_server,established; content:"PCRatd",depth 6; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA09230DC285AE66CA0C9B7247B/analysis/; classtype:misc-activity; sid:26655; rev:1; service:http; )
# sid 26529: inbound command to a backdoored Apache (Cdorked). http_cookie
# must START with "SECID=" (depth 6), the method is POST, the raw Cookie
# header line must be "Cookie: SECID=<value>" with no ';' (a single cookie),
# and the URI must end in '?' plus 4 hex digits. This watches the
# operator->server direction ($EXTERNAL_NET -> $HOME_NET $HTTP_PORTS).
02561 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Unix.Backdoor.Cdorked backdoor command attempt"; flow:to_server,established; content:"SECID="; http_cookie; content:"SECID=",depth 6; http_method; content:"POST"; http_raw_header; pcre:"/^Cookie\x3a\s?SECID=[^\x3b]+?$/m"; http_uri; pcre:"/\?[a-f0-9]{4}$/mi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26529; rev:3; service:http; )
# --- MALWARE-CNC (HTTP beacons, part 1) -------------------------------------
# sid 23261 (Pushbot): raw, case-sensitive "User-Agent: cvc_v105".
02585 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control traffic - Pushbot"; flow:to_server,established; content:"User-Agent|3A| cvc_v105"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:23261; rev:3; service:http; )
# sid 21563 (Kelihos): URI contains "/rtce0" followed later by ".exe"
# (distance 0 = relative, any gap), and the raw payload contains "HTTP/1.0".
02623 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/rtce0"; content:".exe",distance 0; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/latest-report.html?resource=B49BCE1778F76F7D59909790B93CBB86; classtype:trojan-activity; sid:21563; rev:2; service:http; )
# sid 21440 (Murofet): URI ".php?w=" then "&n=" (nocase), but the pcre that
# finally decides is case-sensitive and needs numeric values for both
# parameters; raw payload must contain "HTTP/1.0".
02653 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Murofet variant outbound connection"; flow:to_server,established; http_uri; content:".php?w=",nocase; content:"&n=",distance 0; pcre:"/\.php\x3fw\x3d\d+\x26n\x3d\d+/"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/aeab4913c8bb1f7f9e40258c323878969b439cf411bb2acab991bba975ada54e/analysis/; classtype:trojan-activity; sid:21440; rev:6; service:http; )
# sid 19995 (Waledac): POST to a URI containing /<letters>.png whose raw
# payload has a line starting "a=" (the 0A anchors it to a line start) and
# later "&b=AAAAAA" (fast pattern, nocase).
02690 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Waledac outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:".png"; pkt_data; content:"|0A|a=",nocase; content:"&b=AAAAAA",distance 0,fast_pattern,nocase; http_uri; pcre:"/\x2F[a-z]+\x2epng/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=6075bdd818db6d78a0ecd889383e09c61900c1735a00c5948dde4e27d17a4c65-1245685985; classtype:trojan-activity; sid:19995; rev:3; service:http; )
# sid 19730 (KukuBot.A): URI "/mrow_pin/?id" plus a header line starting
# "User-Agent: KUKU v" (leading 0A = start of line), both nocase.
02701 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.KukuBot.A outbound connection"; flow:to_server,established; http_uri; content:"/mrow_pin/?id",nocase; pkt_data; content:"|0A|User|2D|Agent|3A 20|KUKU v",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d9c46ecfc91366f43bf1a8e0172465fb3918cf3cf9339de82d47f5d8b1c84a75-1311886018; classtype:trojan-activity; sid:19730; rev:3; service:http; )
# sid 19657 (FakeAV): flow:to_server WITHOUT established (unlike its
# neighbours - verify that is intended). The URI must start with "/1020" and
# end with "/1020" + 6-16 digits. The raw header tail is fixed: the UA line
# ending "Windows NT 5.1)\r\n" must be immediately followed by
# "Accept: */*\r\n" (within 13 = that content's own length) and then by
# "Connection: close\r\n\r\n" (within 21, again exact) - i.e. exactly these
# trailing headers in this order, with nothing in between.
02712 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC FakeAV variant traffic"; flow:to_server; http_uri; content:"/1020",depth 5; pkt_data; content:"Windows NT 5.1)|0D 0A|"; content:"Accept: */*|0D 0A|",within 13; content:"Connection: close|0D 0A 0D 0A|",within 21; http_uri; pcre:"/\x2f1020\d{6,16}$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=01631197b30df842136af481372f266ebbd9eabb392d4a6554b88d4e23433363-1309345508; classtype:trojan-activity; sid:19657; rev:5; service:http; )
# sid 19590 (Savnut.B): ordered raw nocase parameters &id= ... &version ...
# &vendor= ... &do= ... &check=chck (fast pattern); not bound to a URI/body
# buffer, so they may sit anywhere in the request as long as the order holds.
02713 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Savnut.B outbound connection"; flow:to_server,established; content:"&id=",nocase; content:"&version",distance 0,nocase; content:"&vendor=",distance 0,nocase; content:"&do=",distance 0,nocase; content:"&check=chck",distance 0,fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=4aad64ad4f2517983051818a818e449599f79ade89af672d0e90af53dcfff044-1307979492; classtype:trojan-activity; sid:19590; rev:5; service:http; )
# --- MALWARE-CNC Night Dragon (binary protocol on web ports) ----------------
# Both rules key on the 4-byte marker 68 57 24 13 ("hW$" + 0x13) at exactly
# payload offset 12 (depth 4,offset 12) and a 2-byte type at offset 0:
# 03 50 = keepalive (sid 18459), 01 50 = initial beacon (sid 18458). The
# traffic is not HTTP, so the rules rely on the $HTTP_PORTS port list; if the
# sensor binds rules by detected service (service:http), a raw binary stream
# on port 80 may not be classified as HTTP - NOTE(review): confirm how the
# service option is applied on your deployment.
02733 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Night Dragon keepalive message"; flow:to_server,established; content:"|68 57 24 13|",depth 4,offset 12; content:"|03 50|",depth 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18459; rev:3; service:http; )
02734 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Night Dragon initial beacon"; flow:to_server,established; content:"|68 57 24 13|",depth 4,offset 12; content:"|01 50|",depth 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18458; rev:3; service:http; )
# --- MALWARE-CNC (part 2) ---------------------------------------------------
# sid 19484 (Agent.alqt): first 5 payload bytes are 47 68 30 73 74 = ASCII
# "Gh0st" (presumably the Gh0st RAT packet magic). $HTTP_PORTS only.
02776 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.alqt variant outbound connection"; flow:to_server,established; content:"|47 68 30 73 74|",depth 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=9c86fa9e7b4a8b10cc2a21d5b89ae310; classtype:trojan-activity; sid:19484; rev:6; service:http; )
# sid 21945 (Litmpuca.A, HTML form): payload starts with "<html><title>",
# "</title><body>" follows within 48 bytes, and the payload contains neither
# "</body>" nor "<head>" anywhere (negated, non-relative). Client->server on
# $HTTP_PORTS and any port from 1024 up.
02778 alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:] ( msg:"MALWARE-CNC Win.Trojan.Litmpuca.A Runtime Detection"; flow:to_server,established; content:"<html><title>",depth 13; content:"</title><body>",within 48; content:!"</body>"; content:!"<head>"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/; classtype:trojan-activity; sid:21945; rev:6; service:http; )
# sid 21946 (Litmpuca.A, binary form): 96 F4 F6 F6 within the first 64 bytes,
# at least 128 more bytes present, FE F6 F0 F6 located between 128 and 512
# bytes after the first marker (distance 128 + within 384), and a run of
# sixteen 0xF6 bytes anywhere. The F6-heavy constants look like a single-byte
# XOR key over mostly-zero data - inference only, confirm against the sample.
02779 alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:] ( msg:"MALWARE-CNC Win.Trojan.Litmpuca.A Runtime Detection"; flow:to_server,established; content:"|96 F4 F6 F6|",depth 64; isdataat:128,relative; content:"|FE F6 F0 F6|",within 384,distance 128; content:"|F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/; classtype:trojan-activity; sid:21946; rev:7; service:http; )
# sid 20837 (Mecklow.C): "/aws" at exactly payload bytes 4-7 (so the request
# line must read "GET /aws..."), then 1-5 digits and ".jsp?" (distance 1 +
# within 9 agrees with the pcre's \d{1,5}). Port 443, cleartext only.
# balanced policy only alerts; security drops.
02782 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Mecklow.C runtime traffic detected"; flow:to_server,established; content:"|2F|aws",depth 4,offset 4,nocase; content:"|2E|jsp|3F|",within 9,distance 1,nocase; pcre:"/\x2Faws\d{1,5}\.jsp\x3F/i"; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=4b873858b58be4b47013545420f27759; classtype:trojan-activity; sid:20837; rev:5; service:http; )
# sid 21208 (RShot.brw): port 4455, payload under 120 bytes starting with
# "connected#", then "#Windows", ending with "#HH:MM:SS". The reference URL
# ends in "...1325372956l": the trailing 'l' after the 10-digit timestamp
# looks like a typo compared with the other VirusTotal links in this file -
# verify the link.
02783 alert tcp $HOME_NET any -> $EXTERNAL_NET 4455 ( msg:"MALWARE-CNC Win.Trojan.RShot.brw outbound connection"; flow:to_server,established; dsize:<120; content:"connected#",depth 10; content:"#Windows",distance 0; pcre:"/\x23\d{2}\x3a\d{2}\x3a\d\d$/R"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=6794c1cb09ec3f42f2732369c8c25a5999eb908262cd75d1a4cda4d25adf8a37-1325372956l; classtype:trojan-activity; sid:21208; rev:4; service:http; )
# --- MALWARE-CNC (part 3: domain / path IOC rules) --------------------------
# sid 19348 (FraudLoad.emq): URI "/fff9999.php" plus the hard-coded domain
# "mgjmnfgbdfb.com" in the raw payload. A literal C2 domain means the rule
# goes stale as soon as the domain changes.
02790 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.FraudLoad.emq outbound connection"; flow:to_server,established; http_uri; content:"/fff9999.php"; pkt_data; content:"mgjmnfgbdfb|2E|com"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3794798f5eeb53dd71001e4454f006c871eb7c9085e1bf5336efa07b70d7b38d-1246897098; classtype:trojan-activity; sid:19348; rev:6; service:http; )
# sid 16289 (Clob bot): flow:to_server without established; a single raw
# nocase match on "/l1/ms32clod.dll" anywhere in the payload.
02793 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Clob bot traffic"; flow:to_server; content:"/l1/ms32clod.dll",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=1474e6d74aa29127c5d6df716650d724; classtype:trojan-activity; sid:16289; rev:2; service:http; )
# sids 16268 / 16269 (TDSS install-time): a URI path ("/tdss/" or
# "/botmon/readdata/") combined with a literal Host header for
# yournewsblog.net / findzproportal1.com (raw, nocase). Domain IOCs as above.
02794 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.tdss.1.gen install-time detection - yournewsblog.net"; flow:to_server,established; http_uri; content:"/tdss/"; pkt_data; content:"Host|3A| yournewsblog.net",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16268; rev:5; service:http; )
02795 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.tdss.1.gen install-time detection - findzproportal1.com"; flow:to_server,established; http_uri; content:"/botmon/readdata/"; pkt_data; content:"Host|3A| findzproportal1.com",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16269; rev:5; service:http; )
# sid 7116 (y3k 1.2 ICQ notification): ordered, raw, nocase form fields
# from=Y3K ... Server ... fromemail=y3k ... subject=Y3K ... online. "Server"
# on its own is weak but is constrained by the surrounding ordered matches.
02797 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC y3k 1.2 variant outbound connection icq notification"; flow:to_server,established; content:"from=Y3K",nocase; content:"Server",distance 0,nocase; content:"fromemail=y3k",distance 0,nocase; content:"subject=Y3K",distance 0,nocase; content:"online",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7116; rev:7; service:http; )
# --- MALWARE-CNC (part 4) ---------------------------------------------------
# sid 24169 (Zbot): raw "POST" plus a 34-byte sequence starting 78 9C, the
# zlib stream header (deflate, default compression). The remaining bytes are
# the compressed prefix of a fixed plaintext, so any change to the leading
# plaintext or to the compression level breaks the match.
02800 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; content:"|78 9C 2B 4B 2D B2 35 54 CB C9 4F CF CC B3 CD 2E CD CE 49 4C CE 48 2D 53 CB 4D 4C 2E CA 2F 4E 2D 8E 2F|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/14429942c5fa23cb0364880280c92f2122f22a60cd3f5c1cff3662ecfd92a8d5/analysis/; classtype:trojan-activity; sid:24169; rev:1; service:http; )
# sid 24285 (Nomno): "c=" and "shell_exec" must appear both in the raw
# payload and in the http_cookie buffer. Since the cookie is part of the raw
# payload, the raw matches are implied by the cookie ones; presumably kept
# for fast-pattern selection. balanced policy only alerts.
02811 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nomno variant outbound connection"; flow:to_server,established; content:"c|3D|"; content:"shell|5F|exec"; http_cookie; content:"c|3D|"; content:"shell|5F|exec"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24285; rev:3; service:http; )
# sid 24494 (Vundo): raw "/images2/" (nocase) with at least 500 bytes after
# it, and the URI must START with "/images2/" followed by 500+ hex digits.
# The pcre is case-sensitive, so the nocase on the content does not widen the
# match. No reference given.
02823 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"/images2/",nocase; isdataat:500,relative; http_uri; pcre:"/^\/images2\/[0-9a-fA-F]{500,}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24494; rev:2; service:http; )
# sid 25054 (ZeroAccess clickserver): raw URI exactly 95 bytes; the http_uri
# pcre "/" + 83 [A-Z0-9] + "=" + 10 [A-Z0-9] (case-insensitive) adds up to
# exactly 95, so bufferlen and pcre agree. The raw request must be HTTP/1.0
# with Host as the first header after the request line.
02849 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; http_raw_uri; bufferlen:95; pkt_data; content:" HTTP/1.0|0D 0A|Host:"; http_uri; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25054; rev:3; service:http; )
# sid 25071 (Macnsed): raw, case-sensitive "/gtskinfo.aspx" plus unordered
# nocase "ver=", "m=", "p=". The two-character fragments carry almost no
# weight on their own; the .aspx path is the real selector.
02851 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Macnsed variant outbound connection"; flow:to_server,established; content:"/gtskinfo.aspx"; content:"ver=",nocase; content:"m=",nocase; content:"p=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f32f4af269d5cfd038d7f3c421d4d725fcbd8469a7c8327845dbf03626aef0f2/analysis/; classtype:trojan-activity; sid:25071; rev:2; service:http; )
# sid 25074 (Banker): any port; raw case-sensitive "/Post.Php?UserName" (the
# odd capitalisation is the fingerprint) plus "Bank=" and "Money=" (nocase,
# unordered).
02853 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/Post|2E|Php|3F|UserName"; content:"Bank=",nocase; content:"Money=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7d70bdcf5329404920570c96e084c78d8756bff8932832a357866eb4c57555cf/analysis/; classtype:trojan-activity; sid:25074; rev:2; service:http; )
# sid 25511 (Symmi): port 443, cleartext only. "lfstream&" must sit at
# payload bytes 8-16 (depth 9,offset 8) and the pcre anchors the request
# start as "POST /g[ao]lfstream&" - consistent, since "POST /g" is 7 bytes
# and the a/o character is byte 7.
02869 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lfstream|26|",depth 9,offset 8; pcre:"/^POST\x20\x2fg[ao]lfstream\x26/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/f4c44b5331c30b62beacae5d343d591584715c2d9d6d65848216b61efd916ec1/analysis/; classtype:trojan-activity; sid:25511; rev:3; service:http; )
# sid 25627 (Reventon): payload shorter than 7 bytes containing 9A 02 00 00
# (little-endian 0x0000029A) toward $HTTP_PORTS or 443. A fingerprint this
# small may collide with unrelated short binary messages; watch the FP rate.
02882 alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] ( msg:"MALWARE-CNC Win.Trojan.Reventon variant outbound communication"; flow:to_server,established; dsize:<7; content:"|9A 02 00 00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da2381685b1aa0aa3cd503589bbc59daf81eb/analysis/; classtype:trojan-activity; sid:25627; rev:3; service:http; )
# sid 26606 (Sosork): any port; the request must start "GET /3010" followed
# by 166 upper-case hex digits and "00000001", and the payload must not
# contain "Accept" (case-sensitive negation, so a lower-case "accept:" header
# would not count as present).
02924 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Sosork variant outbound connection"; flow:to_server,established; content:"GET /3010"; content:!"Accept"; pcre:"/^GET \x2F3010[0-9A-F]{166}00000001/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/file/24E26943C43BBC57362EC1415114730C94DB9E356E3F4E6081453E924121BB11/analysis/; classtype:trojan-activity; sid:26606; rev:3; service:http; )
# --- MALWARE-CNC (part 5: header-structure fingerprints) --------------------
# sid 26696 (Cbeplay ransomware): the first 70 payload bytes must be exactly
# "POST /index.php HTTP/1.1\r\nContent-Type: multipart/form-data; boundary="
# (26 + 44 bytes, depth 70); the header buffer must contain the contiguous
# run "\r\nConnection: close\r\nCache-Control: no-cache\r\nContent-Length: "
# (fixed header order); and the body must carry a part named "data" with a
# filename. Alert-only in balanced, drop in security.
02941 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cbeplay Ransomware outbound connection - Abnormal HTTP Headers"; flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Content-Type: multipart/form-data|3B| boundary=",depth 70; http_header; content:"|0D 0A|Connection: close|0D 0A|Cache-Control: no-cache|0D 0A|Content-Length: "; http_client_body; content:"|3B| name=|22|data|22 3B| filename=|22|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26696; rev:2; service:http; )
# sid 26722 (Bancos config download): URI starts "/imagens/" and later has
# ".jpg"; the raw pcre then requires the request to END with
# ".jpg HTTP/1.x\r\nUser-Agent: <lower-case letters>\r\nHost: <name>.com.br\r\n\r\n"
# ($ = end of payload) - a minimal client sending exactly two headers. Any
# additional header (Accept, Connection, ...) defeats the match, which is the
# intended fingerprint. Header names are matched case-sensitively. No
# reference given.
02951 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; http_uri; content:"/imagens/",depth 9; content:".jpg",distance 0; pkt_data; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26722; rev:1; service:http; )
# sid 26723 (Downloader7): raw "<host>.lavaibrasilok.com\r\n\r\n" ending the
# request, "; MSIE " somewhere in the header buffer, and NO "Accept-Language:"
# header. A domain IOC combined with a missing-header fingerprint.
02952 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Downloader7"; flow:to_server,established; content:".lavaibrasilok.com|0D 0A 0D 0A|"; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html; classtype:trojan-activity; sid:26723; rev:1; service:http; )
# sid 26775 (Blocker): raw URI exactly 11 bytes = "/index.html", method GET,
# the request ends ".info\r\nCache-Control: no-cache\r\n\r\n", and the raw pcre
# wants "HTTP/1.x\r\nUser-Agent: <printable ASCII>\r\nHost: <name>.info\r\n".
# Nit: in "HTTP\/1.[01]" the dot is unescaped and matches any character;
# "1\.[01]" was almost certainly meant (harmless, just slightly looser).
02981 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Blocker outbound connection HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:11; http_method; content:"GET"; http_uri; content:"/index.html"; pkt_data; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:1; service:http; )
# sid 26839 (Zeus P2P-proxy write): ports 10000-30000; the 20-byte literal
# "POST /write HTTP/1.1" must begin within the first 25 bytes (depth 25), so
# up to 5 leading bytes are tolerated. Nothing else is checked, so any HTTP
# client POSTing to /write on those ports fires this.
02996 alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 ( msg:"MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1",depth 25; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:26839; rev:1; service:http; )
# sid 26924 (Potential Gozi): raw URI length in the 255<>260 range (256-259
# if <> is exclusive, as in Snort 3), URI ending "=" right before " HTTP/1.",
# contains ".php?", and the raw-URI pcre demands
# "/<2-20 letters>.php?<2-10 letters>=<base64 chars>=" - one base64-looking
# parameter with a single trailing pad. Script and parameter names are
# matched case-sensitively (lower case only). No reference; the msg says
# "Potential", so treat it as a heuristic.
03002 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:255<>260; pkt_data; content:"= HTTP/1."; http_uri; content:".php?"; http_raw_uri; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26924; rev:1; service:http; )
# --- MALWARE-CNC (part 6) ---------------------------------------------------
# sid 26987 (Cyvadextr): URI contains "fetch.py", raw nocase
# "method=POST&encoded_path", and the body has "&headers=", "&postdata=",
# "&version=" (unordered). The field names suggest an HTTP request being
# re-encoded as form fields and relayed through fetch.py - inference from the
# names only.
03018 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection"; flow:to_server,established; http_uri; content:"fetch.py"; pkt_data; content:"method|3D|POST|26|encoded|5F|path",nocase; http_client_body; content:"|26|headers|3D|"; content:"|26|postdata|3D|"; content:"|26|version|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/33774900681b25519d0b023d6d78a043cc2dff0a21d6f6df89e314c91118c0fd/analysis; classtype:trojan-activity; sid:26987; rev:1; service:http; )
# sid 27000 (Chinoxy): any port; the first 20 payload bytes must equal the
# fixed binary prefix (depth 20 = its length). The leading 11 00 00 00 may be
# a little-endian length or command field - unconfirmed; the rest is opaque.
03022 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; content:"|11 00 00 00 BD B4 E8 BE B6 75 9C A0 80 44 8B EB 82 8B A3 93|",depth 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:27000; rev:1; service:http; )
# sid 27014 (Epipenwa): raw "/whisperings/whisperings.asp" (matched before the
# http_client_body selector, so it is a payload match, not a URI match), then
# body fields "name=", "&userid=", "&other=" in any order.
03028 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Epipenwa variant outbound connection attempt"; flow:to_server,established; content:"/whisperings/whisperings.asp"; http_client_body; content:"name="; content:"&userid="; content:"&other="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/4f0532e15ced95a1cebc13dd268dcbe7c609d4da237d9e46916678f288d3d9c6/analysis; classtype:trojan-activity; sid:27014; rev:2; service:http; )
# sid 27057 (Dalbot): raw "Cookie: CAQGBgoFD1" plus the same 10-character,
# base64-looking value in the cookie buffer. A fixed cookie prefix is an IOC:
# it stops matching as soon as the value changes.
03033 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dalbot outbound connection"; flow:to_server,established; content:"Cookie: CAQGBgoFD1"; http_cookie; content:"CAQGBgoFD1"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/dbf9d2a7659d09ea7ef2d38f30fa4cfb/analysis/; classtype:trojan-activity; sid:27057; rev:1; service:http; )
# sid 27533 (Potential Kraziomel): raw URI exactly 8 bytes = "/000.jpg",
# request line HTTP/1.0 immediately followed by "Host: " and then no further
# ": " sequence (negated, relative) - Host is the only header. The metadata
# has only "policy balanced-ips drop" and no security-ips entry, unlike the
# rest of the file - NOTE(review): check whether that omission is intended.
03039 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Win.Kraziomel Download - 000.jpg"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/000.jpg"; pkt_data; content:"HTTP/1.0|0D 0A|Host: "; content:!"|3A 20|",distance 0; metadata:impact_flag red,policy balanced-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:1; service:http; )
# --- MALWARE-OTHER ----------------------------------------------------------
# sid 23058 (NeoSploit malvertising): raw URI longer than 62 bytes, raw
# "GET /?", and the URI is "/?" + 60-66 lower-case hex digits + optional
# ';'/digits up to the end. No reference given.
03055 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER NeoSploit Malvertising - URI Requested"; flow:to_server,established; http_raw_uri; bufferlen:>62; pkt_data; content:"GET /?"; http_uri; pcre:"/\/\?[0-9a-f]{60,66}[\;\d]*$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23058; rev:2; service:http; )
# sids 5908 / 5907 (e2give trackware): a URI path plus nocase query
# parameters in any order, and a raw, case-sensitive "Referer: e2give.com"
# (5908) or "Host: e2give.com" (5907). Note the Referer match needs the bare
# domain right after "Referer: " - a value such as
# "Referer: http://e2give.com/..." does not contain that byte sequence and
# will not match. Both drop in all three policies although the classtype is
# only successful-recon-limited.
03083 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 1"; flow:to_server,established; http_uri; content:"/fs-bin/click?",nocase; content:"id=",nocase; content:"offerid=",nocase; content:"type=",nocase; pkt_data; content:"Referer|3A| e2give.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5908; rev:8; service:http; )
03084 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - check update"; flow:to_server,established; http_uri; content:"/go/check?",nocase; content:"build=",nocase; content:"source=",nocase; pkt_data; content:"Host|3A| e2give.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5907; rev:8; service:http; )
03223 alert tcp $HOME_NET any -> $EXTERNAL_NET 30125 ( msg:"OS-MOBILE Android MDK encrypted information leak"; flow:to_server,established; content:"Host: app.looking3g.com",nocase; content:"/serv?",nocase; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,androidmalwaredump.blogspot.com/2013/01/androidtrojmdk-aka-androidksapp.html; classtype:trojan-activity; sid:26443; rev:2; service:http; )
# Android YZHC C2 registration on TCP/9888: four unordered, unanchored parameter-name matches;
# "register?imei=" is the device identifier being sent out. impact_flag red, drop in balanced/security.
03232 alert tcp $HOME_NET any -> $EXTERNAL_NET 9888 ( msg:"OS-MOBILE Android YZHC device registration"; flow:to_server,established; content:"networklocale="; content:"networkname="; content:"networkcode="; content:"register?imei="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.csc.ncsu.edu/faculty/jiang/YZHCSMS/; classtype:trojan-activity; sid:26189; rev:2; service:http; )
# Policy rules (classtype policy-violation), not threat detections: Xbox Live marketplace
# requests and the NETFLIX360 client User-Agent. Both ship at drop in balanced/security,
# so they block console traffic — confirm that matches site policy before enabling.
03354 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SOCIAL XBOX Marketplace http request"; flow:to_server,established; http_uri; content:"/global"; content:"/marketplace"; pkt_data; content:"User-Agent|3A| Xbox Live Client/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:policy-violation; sid:15171; rev:5; service:http; )
03355 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SOCIAL XBOX Netflix client activity"; flow:to_server,established; content:"User-Agent|3A| NETFLIX360|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:policy-violation; sid:15170; rev:5; service:http; )
# MediaGet installer beacon: the marker must appear in the raw payload and again specifically
# inside the Cookie header (http_cookie); the cookie match is what makes this rule specific.
03401 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.MediaGetInstaller outbound connection - source ip infected"; flow:to_server,established; content:"MediagetDownloaderInfo"; http_cookie; content:"MediagetDownloaderInfo"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21645; rev:3; service:http; )
# yok SuperSearch address-bar hijack: /go3.php with key/NO/PID/UN parameters (unordered, in the
# normalized URI), then a Host header checked twice — a content pair and a line-anchored pcre
# (^ with /m) that requires www.yok.com on the Host line itself. Alert-only in all policies.
03417 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - addressbar keyword search hijack"; flow:to_server,established; http_uri; content:"/go3.php",nocase; content:"key=",nocase; content:"NO=",nocase; content:"PID=",nocase; content:"UN=",nocase; pkt_data; content:"Host|3A|",nocase; content:"www.yok.com",distance 0,nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Eyok\x2Ecom/smi"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8358; rev:9; service:http; )
# dropspam hijacker family (sids 5933-5936). 5936/5934/5933 match the path in the normalized URI
# and then the Host header in the raw payload (pkt_data); 5935 (rev 7) has no http_uri modifier
# and chains its parameter matches with distance 0 in the raw payload, so parameter order matters
# there but not in the other three. All Host matches are prefix matches with no line terminator.
03420 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - side search"; flow:to_server,established; http_uri; content:"/sidesearch.htm",nocase; pkt_data; content:"Host|3A| sidesearch.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5936; rev:8; service:http; )
03421 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 3"; flow:to_server,established; content:"/search.cgi",nocase; content:"source=lifestyle",nocase; content:"query=",distance 0,nocase; content:"select=",distance 0,nocase; content:"Host|3A| desksearch.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5935; rev:7; service:http; )
03422 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 2"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"tbid=",nocase; content:"query=",nocase; pkt_data; content:"Host|3A| search.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5934; rev:8; service:http; )
03423 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 1"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"source=",nocase; content:"query=",nocase; pkt_data; content:"Host|3A| search.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5933; rev:8; service:http; )
# ShopAtHomeSelect agent preferences beacon: eight unordered parameter-name matches in the raw
# payload, alert-only in all three policies. "InstallerLocation=" is the only match without
# nocase while the other seven are case-insensitive — looks like an oversight; confirm before changing.
03427 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopathomeselect outbound connection"; flow:to_server,established; content:"SAHSelect=GUID=",nocase; content:"CustomerID=",nocase; content:"stealth=",nocase; content:"InstallerLocation="; content:"LastPrefs=",nocase; content:"AgentVersion=",nocase; content:"CTG=",nocase; content:"WSS_GW=",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074921; classtype:misc-activity; sid:5807; rev:8; service:http; )
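# Openfire admin console authentication bypass (CVE-2008-6508; 6509/6510 are the SQLi/XSS
# reachable once the bypass succeeds). Each rule looks for a request line whose path starts with
# one of the unauthenticated resources (error-serverdown.jsp, .png, .gif, setup/..., login.jsp,
# index.jsp?logout=true) followed later on the same line by a literal "../". Matching is on the
# raw request line (no http_uri), so percent-encoded traversals such as %2e%2e%2f are NOT covered;
# pcre ^ is line-anchored by /m. Only the default admin ports 9090/9091 are inspected.
# sid 15152 rev 6: removed the stray backslash before "index" in the pcre. PCRE1 silently treats
# the unknown escape \i as a literal 'i', so behaviour is unchanged there, but PCRE2 rejects it.
03442 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server serverdown Authentication bypass attempt"; flow:to_server,established; content:"error-serverdown.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Ferror-serverdown\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15156; rev:5; service:http; )
03443 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server png Authentication bypass attempt"; flow:to_server,established; content:"|2F|.png"; pcre:"/^[a-zA-Z]+\s+\x2F\x2Epng.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15155; rev:6; service:http; )
03444 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server gif Authentication bypass attempt"; flow:to_server,established; content:"|2F|.gif"; pcre:"/^[a-zA-Z]+\s+\x2F\x2Egif.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15154; rev:6; service:http; )
03445 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server setup Authentication bypass attempt"; flow:to_server,established; content:"setup/setup-"; pcre:"/^[A-Z]+\s+\x2Fsetup\x2Fsetup-.*?\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6509; classtype:attempted-admin; sid:15153; rev:5; service:http; )
03446 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt"; flow:to_server,established; content:"setup/index.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Fsetup\x2Findex\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15152; rev:6; service:http; )
03447 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server logout Authentication bypass attempt"; flow:to_server,established; content:"index.jsp?logout=true"; pcre:"/^[a-zA-Z]+\s+\x2Findex\x2Ejsp\x3Flogout\x3Dtrue.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15151; rev:5; service:http; )
03448 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server login Authentication bypass attempt"; flow:to_server,established; content:"login.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Flogin\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15150; rev:5; service:http; )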
# MyWay speedbar / MyWebSearch toolbar tracking hit: /tr.js with a= and r= in the normalized URI,
# then a prefix Host match for c4.myway.com in the raw payload. Alert-only in all policies.
03456 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 1"; flow:to_server,established; http_uri; content:"/tr.js?",nocase; content:"a=",nocase; content:"r=",nocase; pkt_data; content:"Host|3A| c4.myway.com"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5801; rev:11; service:http; )
# Tomcat CVE-2007-0450: directory traversal using a backslash as a path separator, covered in six
# encoding combinations of '/', '\' (raw or %5C) and '..' (raw or %2E). Each rule requires the
# sequence in both the raw payload and http_raw_uri; 17502/17501 add a pcre to pin the order
# ("/\.." vs "/..\"). Only port 8080 is inspected — add your Tomcat/reverse-proxy ports if they differ.
03459 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"%2E%2E/"; http_raw_uri; content:"%2E%2E/"; pkt_data; pcre:"/\/(\\|%5C)%2E%2E\//"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17502; rev:6; service:http; )
03460 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/%2E%2E"; http_raw_uri; content:"/%2E%2E"; pkt_data; pcre:"/\/%2E%2E(\\|%5C)\//"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17501; rev:6; service:http; )
03461 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/..%5C/"; http_raw_uri; content:"/..%5C/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17500; rev:5; service:http; )
03462 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/..|5C|/"; http_raw_uri; content:"/..|5C|/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17499; rev:5; service:http; )
03463 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/|5C|../"; http_raw_uri; content:"/|5C|../"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17498; rev:6; service:http; )
03464 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/%5C../"; http_raw_uri; content:"/%5C../"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17391; rev:7; service:http; )
# CVE-2010-0425 mod_isapi dangling pointer: this matches ONE specific public shellcode blob
# byte-for-byte (the "sos.txt" and "pwn-isapi" markers are visible in the pattern). Any
# re-encoded, re-linked or different payload evades it — treat this as a PoC indicator, not as
# coverage of the vulnerability itself.
03467 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt - public shell code"; flow:to_server,established; content:"1|C0|1|C9|d|8B|q0|8B|v|0C 8B|v|1C 8B|V|08 8B|~ |8B|6f9O|14|u|F2|f|B9 01|mf|81 E9 94|lf9|0F|f|89 C1|u|E1 89 E5 EB|q`|8B|l|24 24 8B|E<|8B|T|05|x|01 EA 8B|J|18 8B|Z |01 EB E3|4I|8B|4|8B 01 EE|1|FF|1|C0 FC AC 84 C0|t|07 C1 CF 0D 01 C7 EB F4 3B 7C 24 28|u|E1 8B|Z|24 01 EB|f|8B 0C|K|8B|Z|1C 01 EB 8B 04 8B 01 E8 89|D|24 1C|a|C3 AD|PR|E8 AA FF FF FF 89 07|f|81 C4 0C 01|f|81 EC 04 01|f|81 C7 08 01|f|81 EF 04 01|9|CE|u|DE C3 EB 10|^|8D|}|04 89 F1 80 C1 0C E8 CD FF FF FF EB 3B E8 EB FF FF FF|n|7C|.|E1 1E|<?|D7|t|1E|H|CD|1|D2|X|88|P|07 EB|/1|D2|Y|88|Q|01 EB|.QP|FF|U|04 EB|,1|D2|Y|88|Q|09 EB|3QP|89 C6 FF|U|08|S|FF|U|0C E8 D1 FF FF FF|sos.txtN|E8 CC FF FF FF|wN|E8 CD FF FF FF E8 CF FF FF FF|pwn-isapiN|E8 C8 FF FF FF 90 90 90 90|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:16479; rev:3; service:http; )
# CVE-2011-0419 (apr_fnmatch — the msg splits the name): matches the literal public PoC of exactly
# twenty "*?" pairs in a "P=" mod_autoindex query. Other counts or arrangements of wildcards that
# trigger the same exponential matching evade this pattern.
03468 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache APR apr_fn match infinite loop denial of service attempt"; flow:to_server,established; content:"P=*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0419; reference:url,issues.apache.org/bugzilla/show_bug.cgi?id=51219; classtype:attempted-dos; sid:19709; rev:2; service:http; )
# HP Performance Manager bundled Tomcat (CVE-2009-3548/3843): a Basic credential that base64-decodes
# to "ovwebusr:OvW*busr1" — the hard-coded manager account — sent with /manager on 8081. nocase on a
# base64 token also accepts case variants that decode to different strings; harmless here but not exact.
03475 alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 ( msg:"SERVER-APACHE HP Performance Manager Apache Tomcat policy bypass attempt"; flow:to_server,established; content:"/manager",nocase; content:"Authorization",distance 0,nocase; content:"Basic",within 50,nocase; content:"b3Z3ZWJ1c3I6T3ZXKmJ1c3Ix",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36954; reference:bugtraq,37086; reference:cve,2009-3548; reference:cve,2009-3843; classtype:attempted-admin; sid:17156; rev:3; service:http; )
# CVE-2012-0021 mod_log_config: a Cookie header with an empty name ("Cookie: =") that is also the
# last header (CRLFCRLF follows immediately). A request with more headers after the cookie, or with
# trailing whitespace before CRLF, will not match.
03476 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_log_config cookie handling denial of service attempt"; flow:to_server,established; content:"Cookie|3A| =|0D 0A 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,51705; reference:cve,2012-0021; classtype:denial-of-service; sid:24697; rev:2; service:http; )
# IIS 5.0 WebDAV CVE-2009-1122: the hex is "%25%37%30%25%37%" (a double-percent-encoded path)
# starting 2 bytes after "POST", i.e. "POST /" then the encoded sequence. "POST" is unanchored
# (no depth), so it can be found anywhere in the payload, not only at the request line.
03483 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS 5.0 WebDav Request Directory Security Bypass"; flow:to_server,established; content:"POST",nocase; content:"|25 32 35 25 33 37 25 33 30 25 32 35 25 33 37 25|",within 16,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35232; reference:cve,2009-1122; classtype:attempted-admin; sid:17525; rev:4; service:http; )
# CVE-2009-1535 IIS 6 WebDAV auth bypass: an overlong UTF-8 encoding of '/' (%c0%af) inside the
# request path. The pcre ties the sequence to a request line of one of the listed methods; it is
# matched in the raw payload rather than http_uri — presumably so that URI normalization cannot
# collapse the overlong sequence first; confirm against your HTTP inspector settings.
03489 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WebDAV Request Directory Security Bypass attempt"; flow:to_server,established; content:"/%c0%af/"; pcre:"/^(GET|OPTIONS|HEAD|POST|PUT|DELETE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)[^\r\n]*\s+[^\r\n]*\x2f\x25c0\x25af\x2f/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34993; reference:cve,2009-1535; classtype:attempted-admin; sid:17564; rev:2; service:http; )
# MS03-007 / CVE-2003-0109 WebDAV ntdll overflow, "safe" Nessus probe variant: a SEARCH request for
# "/" whose header block ends within 255 bytes of the Host header. The real exploit uses an
# oversized URI; this signature only catches the short scanner probe.
03491 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|",within 255; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2091; rev:15; service:http; )
# Oracle BPEL Console XSS (CVE-2008-4014) on port 9700: the request line is pinned by depth 39, the
# exact length of "GET /BPELConsole/default/activities.jsp"; the pcre then wants a quote followed by
# <script> (raw or %-encoded, case-insensitive) inside a query parameter value.
03552 alert tcp $EXTERNAL_NET any -> $HOME_NET 9700 ( msg:"SERVER-ORACLE Application Server BPEL module cross site scripting attempt"; flow:to_server,established; content:"GET /BPELConsole/default/activities.jsp",depth 39,nocase; pcre:"/(\x3F|\x26)[^\x3D]*(\x27|%27)[^\x3D]*(\x3C|%3c)script(\x3E|%3e)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4014; classtype:attempted-user; sid:15445; rev:6; service:http; )
# Oracle Secure Enterprise Search XSS (CVE-2009-1968) on 7777: after "search_p_groups=" the pcre
# (relative, /R) accepts any run of non-'&', non-whitespace bytes ending in '>' or '%3e'. Only the
# closing-bracket form is covered; payloads that never use '>' (event-handler injection) evade.
03579 alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"SERVER-ORACLE Oracle Secure Enterprise Search search_p_groups cross-site scripting attempt"; flow:to_server,established; content:"search|2F|query|2F|search",nocase; content:"search_p_groups|3D|",distance 0,nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35681; reference:cve,2009-1968; classtype:attempted-user; sid:16717; rev:2; service:http; )
# Oracle 9iAS Web Cache admin (CVE-2005-1382) on 4000: CacheDump screen with an attacker-chosen
# cache_dump_file= path. All four matches are case-sensitive and unordered in the raw payload.
03586 alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 ( msg:"SERVER-ORACLE Application Server 9i Webcache file corruption attempt"; flow:to_server,established; content:"webcacheadmin?"; content:"SCREEN_ID=CGA.CacheDump"; content:"ACTION=Submit&index=1"; content:"cache_dump_file="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13420; reference:cve,2005-1382; classtype:attempted-admin; sid:15955; rev:2; service:http; )
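# Oracle APEX password-hash disclosure (CVE-2009-0981): a URL-encoded query selecting
# user_name,web_password2 from WWV_FLOW_USERS. rev 4: both matches are now nocase — SQL keywords
# and unquoted Oracle identifiers are case-insensitive, so "SELECT ... FROM wwv_flow_users" reached
# the server unmatched before. Still only the "%20"-separated form is covered; "+" or "%09"
# separators evade, as does any other column list that yields the same hash.
03598 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Database Application Express Component APEX password hash disclosure attempt"; flow:to_server,established; content:"select%20user_name,web_password2%20from",nocase; content:"WWV_FLOW_USERS",distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34461; reference:cve,2009-0981; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:misc-attack; sid:15488; rev:4; service:http; )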
# 17534 is a silent helper (flowbits:noalert): it sets ipp.application on port 631 flows whose
# Content-Type is application/ipp. 17535 (CVE-2008-3640, CUPS texttops integer overflow) requires
# that flowbit and then looks for IPP attributes cpi/lpi/columns with a zero or negative value, or
# page-left/right/top/bottom that is zero, negative, or in the listed large ranges.
# Disabling 17534 silences 17535. NOTE(review): the numeric alternation for page-* has gaps — e.g.
# 235940-235999, 237000-239999, 250000-299999 and 7+ digit values are not matched; it reads as an
# attempt to express ">= 235922" and should probably be tightened once the threshold is confirmed.
03604 alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER IPP Application Content"; flow:to_server,established; content:"Content-Type|3A|",nocase; content:"application/ipp",distance 1,nocase; flowbits:set,ipp.application; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; sid:17534; rev:8; service:http; )
03607 alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt"; flow:to_server,established; flowbits:isset,ipp.application; content:"printer-uri",nocase; content:"ipp://",within 6,distance 2; pcre:"/(((c|l)pi\x00.{1}(-\d|0)\x21)|(columns\x00.{1}(-\d|0)\x21)|(page-(right|left|top|bottom)\x00.{1}(-\d|0|([3-9]\d{5}|24\d{4}|236\d{3}|23593\d{1}|23592[2-9])\x21)))/is"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31690; reference:cve,2008-3640; classtype:attempted-user; sid:17535; rev:5; service:http; )
# IBM Cognos (CVE-2010-0557) on 19300: a Basic credential that base64-decodes to "cxsdk:kdsxc",
# the undocumented account from the advisory. "offset 0" is the default and adds nothing; the
# base64 token is the fast_pattern.
03637 alert tcp $EXTERNAL_NET any -> $HOME_NET 19300 ( msg:"SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt"; flow:to_server,established; content:"Authorization",offset 0,nocase; content:"Basic",within 50,nocase; content:"Y3hzZGs6a2RzeGM=",within 100,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38084; reference:cve,2010-0557; classtype:attempted-admin; sid:17207; rev:4; service:http; )
# WebLogic console-help.portal XSS (CVE-2009-1975) on 7001: same shape as the OSES rule above —
# after "searchQuery=" a run of non-'&', non-whitespace bytes ending in '>' or '%3e'.
03638 alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 ( msg:"SERVER-OTHER Oracle BEA Weblogic server console-help.portal cross-site scripting attempt"; flow:to_server,established; content:"|2F|consolehelp|2F|console-help|2E|portal",nocase; content:"searchQuery|3D|",distance 0,nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35673; reference:cve,2009-1975; classtype:attempted-user; sid:16710; rev:2; service:http; )
# CUPS PNG filter integer overflow (CVE-2008-5286) on 631. PNG signature at offset 0, then the IHDR
# chunk: the byte 9 positions after "IHDR" is the colour type (6 = RGB+alpha, 2 = truecolour RGB);
# byte_test then reads the 4-byte big-endian image height (6 bytes back from the colour-type byte)
# and fires when it exceeds 1431655765 (0x55555555) — presumably the point where a 3x per-row
# product overflows a signed 32-bit int; confirm against the CUPS STR. Only the first packet
# carrying the PNG header is inspected (depth 8 from payload start).
03645 alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|",depth 8; content:"IHDR"; content:"|06|",within 1,distance 9; byte_test:4,>,1431655765,-6,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32518; reference:cve,2008-5286; reference:url,www.cups.org/str.php?L2974; classtype:attempted-admin; sid:15146; rev:4; service:http; )
03646 alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|",depth 8; content:"IHDR"; content:"|02|",within 1,distance 9; byte_test:4,>,1431655765,-6,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32518; reference:cve,2008-5286; reference:url,www.cups.org/str.php?L2974; classtype:attempted-admin; sid:15145; rev:4; service:http; )
# Novell GroupWise WebAccess (CVE-2007-2171) on 7205-7211: an Authorization: Basic token of at least
# 437 non-newline bytes. Any oversized base64 blob trips this, so expect it on other long-credential
# traffic if those ports are reused.
03657 alert tcp $EXTERNAL_NET any -> $HOME_NET 7205:7211 ( msg:"SERVER-OTHER Novell GroupWise WebAccess authentication overflow"; flow:to_server,established; content:"Authorization",nocase; content:"Basic",distance 0,nocase; pcre:"/Authorization\s*\x3A\s*Basic\s*[^\n]{437}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23556; reference:cve,2007-2171; classtype:attempted-admin; sid:10998; rev:5; service:http; )
# MDaemon WorldClient (CVE-2008-2631) on 3000: matches the literal PoC value "ComposeUser=Anyinvaliduser"
# and, with offset 150 / depth 26 (the string is exactly 26 bytes), only when it starts at byte 150
# of the payload. Any other invalid user name or request layout evades — this is a PoC indicator.
03690 alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 ( msg:"SERVER-OTHER Alt-N MDaemon WorldClient invalid user"; flow:to_server,established; content:"ComposeUser=Anyinvaliduser",depth 26,offset 150,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2631; classtype:attempted-dos; sid:17225; rev:4; service:http; )
# Rails JSON->YAML deserialization (CVE-2013-0333): application/json in the header buffer, then in
# the raw payload a YAML "!ruby/hash" tag followed within 30 bytes by "ActionController" and within
# 90 by "NamedRouteCollection" — the gadget class used by the public PoC. Other gadget chains
# evade; balanced policy is alert-only, security drops.
03699 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Rails JSON to YAML parsing deserialization attempt"; flow:to_server,established; http_header; content:"application/json"; pkt_data; content:"!ruby/hash"; content:"ActionController",within 30; content:"NamedRouteCollection",within 90; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2013-0333; classtype:attempted-user; sid:25552; rev:1; service:http; )
# IBM TEM Web Reports XSS (CVE-2012-0719) on 52312: "ScheduleParam=" followed (no '&', CR or LF in
# between) by "%27", i.e. a URL-encoded single quote. A raw "'" or other encodings are not covered.
03723 alert tcp $EXTERNAL_NET any -> $HOME_NET 52312 ( msg:"SERVER-OTHER IBM Tivoli Endpoint Manager Web Reports xss attempt"; flow:to_server,established; content:"ScheduleParam",nocase; pcre:"/^\x3d[^\s\x26\x0d\x0a]*?\x2527/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0719; reference:url,www.ibm.com/support/docview.wss?uid=swg21587743; classtype:attempted-user; sid:21944; rev:2; service:http; )
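# PostgreSQL CVE-2013-1899 on 5432: a StartupMessage (8-byte length+version header, then "user\0..."
# at offset 8) whose "database\0" value starts with '-', which the backend parsed as a command-line
# option. This is PostgreSQL wire protocol, not HTTP. rev 2: removed the "service http" metadata and
# the service:http option — under service-aware rule selection those confine the rule to flows
# classified as HTTP, so it was never evaluated against PostgreSQL traffic; it now applies by port.
# If your deployment's application identification has a PostgreSQL service name, set that instead.
03744 alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 ( msg:"SERVER-OTHER PostgreSQL database name command line injection attempt"; flow:established,to_server; content:"user|00|",depth 5,offset 8; content:"database|00|-",within 70; pcre:"/^.{8}user\x00[^\x00]+?\x00database\x00-[^\x00]+?\x00/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2013-1899; reference:url,www.postgresql.org/support/security/faq/2013-04-04/; classtype:attempted-user; sid:26586; rev:2; )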
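# ASP.NET Chart Control traversal (CVE-2011-1977 / MS11-066): the ChartImg.axd image handler with an
# "i=/" parameter and ".." in the raw URI. rev 6: the handler name is now "ChartImg.axd?" with nocase
# (the previous pattern "charImg.axd?" dropped the 't' and, being case-sensitive, could not match the
# handler as ASP.NET registers it); "i=/" is nocase too, since IIS paths and ASP.NET query-string
# names are case-insensitive. The ".." check is in http_raw_uri, so encoded dots (%2e) are not covered.
03770 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Windows .NET Chart Control directory traversal attempt"; flow:to_server,established; content:"ChartImg.axd?",nocase; http_uri; content:"i=/",distance 0,nocase; http_raw_uri; content:".."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1977; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-066; classtype:attempted-recon; sid:19694; rev:6; service:http; )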
# Trend Micro OfficeScan cgiablogon.exe (CVE-2008-1365) on 8081: pwd=!CRYPT! (raw or %21) followed
# by 513 bytes without CR/LF/'&'. isdataat:512 is a cheap pre-check slightly below the pcre's 513,
# which is harmless (pcre is the deciding match).
03774 alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 ( msg:"SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt"; flow:to_server,established; content:"/cgiablogon.exe"; content:"CRYPT",nocase; isdataat:512,relative; pcre:"/pwd=(\!|\%21)CRYPT(\!|\%21)[^\r\n&]{513}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28020; reference:cve,2008-1365; reference:url,secunia.com/advisories/29124; classtype:web-application-attack; sid:17605; rev:4; service:http; )
# Oracle TimesTen evtdump CGI format string (CVE-2008-5440) on 17000: a GET to evtdump? whose query
# contains "%25" (a URL-encoded '%') before the " HTTP" version token. A raw, unencoded '%' in the
# query does not match this pattern.
03775 alert tcp $EXTERNAL_NET any -> $HOME_NET 17000 ( msg:"SERVER-WEBAPP Oracle TimesTen In-Memory Database evtdump CGI module format string exploit attempt"; flow:to_server,established; content:"GET ",depth 4,nocase; content:"evtdump?",distance 0,nocase; pcre:"/evtdump\x3f.*?\x2525[^\x20]*?\x20HTTP/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33177; reference:cve,2008-5440; classtype:attempted-admin; sid:15264; rev:2; service:http; )
# CVE-2011-4153 (PHP zend_strndup NULL-return crashes). Both rules look for PHP SOURCE TEXT in the
# request: a Tidy object built with the single argument "*" and later ->diagnose on the same variable
# (named back-reference), or define(str_repeat("...", $argv...)). They fire when such code is sent
# to a server (e.g. an upload), not on exploitation of an already-deployed script.
03784 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP libtidy null pointer dereference attempt"; flow:to_server,established; content:"<?"; content:"Tidy",distance 0; content:"diagnose"; pcre:"/(?P<var>\x24\w+)\s*=\s*(new Tidy|Tidy->new)\x28\s*[\x22\x27]\x2a[\x22\x27]\s*\x29.{1,256}(?P=var)->diagnose/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-4153; classtype:attempted-dos; sid:23995; rev:3; service:http; )
03785 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP zend_strndup null pointer dereference attempt"; flow:to_server,established; content:"define|28|",nocase; content:"str_repeat|28|"; pcre:"/<\?(php)?.{1,256}define\s*\x28\s*str_repeat\s*\x28\s*[\x22\x27][^\x22\x27]+[\x22\x27]\s*\x2c\s*\x24argv/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-4153; classtype:attempted-dos; sid:23994; rev:4; service:http; )
# TikiWiki jhot.php upload (CVE-2006-4602): multipart Content-Disposition whose filename ends in
# ".php" (with the same quote character, or none, on both sides). Extensions such as .php5, .phtml
# or .php followed by further characters are not matched.
03797 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP TikiWiki jhot.php script file upload attempt"; flow:to_server,established; http_uri; content:"/jhot.php",nocase; pkt_data; content:"Content-Disposition|3A|",nocase; content:"filename=",nocase; pcre:"/^Content-Disposition\x3A[^\r\n]*filename=(?P<q1>\x22|\x27|)[^\r\n]*?\x2Ephp(?P=q1)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19819; reference:cve,2006-4602; reference:url,tikiwiki.org/tiki-read_article.php?articleid=136; classtype:attempted-user; sid:17597; rev:4; service:http; )
# Oracle GoldenGate Veridata (CVE-2010-4416) on 4150: a SOAP body in which an "<ns1:" element start
# is not closed by '>' within the next 256 bytes (isdataat guarantees the bytes exist). Long tag
# names in legitimate traffic on this port would also trip it.
03816 alert tcp $EXTERNAL_NET any -> $HOME_NET 4150 ( msg:"SERVER-WEBAPP Oracle GoldenGate Veridata Server soap request overflow attempt"; flow:to_server,established; content:"<soapenv:",nocase; content:"<ns1:",distance 0,nocase; isdataat:256,relative; content:!">",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45868; reference:cve,2010-4416; classtype:attempted-admin; sid:19168; rev:3; service:http; )
# Novell ZENworks UploadServlet (bugtraq 39914): "/zenworks-fileupload/?" followed by a filename= or
# type= parameter containing ".." before the next '&'. Raw-payload match, case-sensitive, so
# "%2e%2e" or differently-cased parameter names evade.
03851 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt"; flow:to_server,established; content:"/zenworks-fileupload/?",nocase; pcre:"/(filename|type)=[^\x26]*?\x2E\x2E/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39914; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18793; rev:4; service:http; )
# Sun/Oracle Java System Web Server 7.0u7 digest-auth heap overflow (CVE-2010-0387): any method
# other than GET/POST (negated http_method matches) carrying an Authorization: Digest header with
# at least 15 comma-separated fields on one line.
03873 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Java System Web Server 7.0u7 authorization digest heap overflow"; flow:to_server,established; http_method; content:!"GET",nocase; content:!"POST",nocase; pkt_data; content:"Authorization",nocase; content:"Digest",distance 0,fast_pattern,nocase; pcre:"/^Authorization\s*\x3A\s*Digest\s+([^\n\x2C]*\x2C){15}/im"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37896; reference:cve,2010-0387; classtype:attempted-user; sid:16392; rev:4; service:http; )
# Novell eDirectory HTTP stack (CVE-2008-4478): POST /SOAP with a hostile Content-Length — negative
# (16195: the pcre consumes exactly one whitespace byte after the colon, then "-" must follow, so
# "Content-Length:  -1" with two spaces is missed) or a 9-digit value (16194).
03874 alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] ( msg:"SERVER-WEBAPP Novell eDirectory HTTP request content-length heap buffer overflow attempt"; flow:to_server,established; content:"POST /SOAP",depth 10,nocase; pcre:"/^Content-Length\s*\x3A\s/mi"; content:"-",within 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4478; classtype:attempted-user; sid:16195; rev:6; service:http; )
03875 alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] ( msg:"SERVER-WEBAPP Novell eDirectory HTTP request content-length heap buffer overflow attempt"; flow:to_server,established; content:"POST /SOAP",depth 10,nocase; pcre:"/^Content-Length\s*\x3A\s*[1-9][0-9]{8}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4478; classtype:attempted-user; sid:16194; rev:4; service:http; )
# Youngzsoft CCProxy (CVE-2008-6415) on 808: a CONNECT request whose target token is at least 1024
# non-whitespace bytes. Legitimate CONNECT host:port targets are far shorter.
03877 alert tcp $EXTERNAL_NET any -> $HOME_NET 808 ( msg:"SERVER-WEBAPP Youngzsoft CCProxy CONNECT Request buffer overflow attempt"; flow:to_server,established; content:"CONNECT ",nocase; isdataat:1024,relative; pcre:"/^CONNECT\s[^\s]{1024}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31416; reference:cve,2008-6415; classtype:attempted-user; sid:15190; rev:3; service:http; )
# Openwsman (CVE-2008-2234) on 8889: an Authorization: Basic header with at least 256 bytes
# following "Basic" on the same line (the pcre counts from the 'c', whitespace included).
03878 alert tcp $EXTERNAL_NET any -> $HOME_NET 8889 ( msg:"SERVER-WEBAPP Openwsman HTTP basic authentication buffer overflow attempt"; flow:to_server,established; content:"Authorization|3A|",nocase; content:"Basic",nocase; isdataat:256,relative; pcre:"/^Authorization\x3a\s*Basic[^\n]{256}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30694; reference:cve,2008-2234; classtype:attempted-user; sid:14992; rev:3; service:http; )
# OUTBOUND ($HOME_NET -> $EXTERNAL_NET) phpMyAdmin brute-forcer: the doubled "User-Agent: User-Agent:"
# header is the scanner's fingerprint, paired with the fixed root-login URI. detection_filter means
# a single source must send 30 such requests within 4 s before anything fires, and only then does it
# drop — the first 29 always leave. Hits indicate an internal host attacking others; classtype is
# trojan-activity for that reason. flow has no "established" so unreassembled packets also count.
03914 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent"; flow:to_server; content:"User-Agent: User-Agent: Mozilla/"; content:"/phpmyadmin/index.php?lang=en&server=1&pma_username=root"; detection_filter:track by_src, count 30, seconds 4; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:25907; rev:1; service:http; )
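# SharePoint document conversions launcher (CVE-2010-3964 / MS10-104) on 8082: a ConvertFile call
# whose convertTo/convertFrom element contains a non-alphanumeric character (the injection point).
# rev 9: corrected the msg typo "excution" -> "execution"; detection logic unchanged.
03924 alert tcp $EXTERNAL_NET any -> $HOME_NET 8082 ( msg:"SERVER-WEBAPP Microsoft Office SharePoint document conversion remote code execution attempt"; flow:to_server,established; content:"Microsoft.HtmlTrans.IDocumentConversionsLauncher/Microsoft.HtmlTrans.Interface"; content:"<i2|3A|ConvertFile"; content:"<convert",distance 0; pcre:"/^(To|From)[^\x3e]*?\x3e[a-z0-9]*[^a-z0-9][^\x3c]*?\x3c\x2fconvert(To|From)/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3964; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-104; classtype:attempted-admin; sid:18238; rev:9; service:http; )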
# nginx URI parser overflow (CVE-2009-2629): the request line "GET /%23.." (%23 = '#') exactly as in
# the public PoC. Raw-payload match with no http_uri normalization; other encodings or methods that
# reach the same parser state are not covered.
03935 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP nginx URI parsing buffer overflow attempt"; flow:to_server,established; content:"GET |2F 25|23|2E 2E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36384; reference:cve,2009-2629; classtype:attempted-admin; sid:17528; rev:5; service:http; )
END OF CODE