# Snort rule listing, one rule per line, written in the parenthesised Snort 3 form
# (sticky http_* buffers before content, trailing "service:http;").
# The five-digit field at the start of every line is a line number from the listing
# the rules were copied from; it is not rule syntax and a rule must begin with its
# action keyword ("alert"), so drop that field before loading the file.
#
# Unless a comment says otherwise, a rule fires on an outbound, established HTTP
# request ($HOME_NET -> $EXTERNAL_NET $HTTP_PORTS) whose headers contain the quoted
# User-Agent value; "|3A|" is the hex form of ":" and "|0D 0A|" is the CRLF that
# ends the header, so a value followed by |0D 0A| must match exactly, while a value
# without it also matches longer agents that start with the same text.
# content matches are case-sensitive unless "nocase" is present.
00002 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm"; flow:established,to_server; http_header; content:"User-Agent|3A| ErrCode"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=141161; reference:url,www.virustotal.com/latest-report.html?resource=f9dc0803ea4634256eae73b2db61a3c5; classtype:trojan-activity; sid:18247; rev:5; service:http; )
# sid:19175 - the full value "wget 3.0" plus CRLF is matched, so a normal "Wget/1.x" agent does not trigger it.
00003 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent wget 3.0"; flow:to_server,established; http_header; content:"User-Agent|3A 20|wget|20 33 2E 30 0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=a860efad636dba6ee1d270a1238a559c; classtype:trojan-activity; sid:19175; rev:3; service:http; )
00004 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string STORMDDOS - Backdoor.Win32.Inject.ctt"; flow:to_server,established; http_header; content:"User-Agent|3A 20|STORMDDOS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=eb85f7ec383b4e76046cfbddd183d592; classtype:trojan-activity; sid:19480; rev:4; service:http; )
00005 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string ErrorFix"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Error|20|Fix"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f93aae75c25ae232a68f13e3b579f2ea; classtype:trojan-activity; sid:19482; rev:4; service:http; )
00007 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string MacProtector"; flow:to_server,established; http_header; content:"User-Agent|3A 20|MacProtector"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file-scan/report.html?id=22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466-1304566748; classtype:trojan-activity; sid:19589; rev:2; service:http; )
00021 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Opera/8.89 - P2P-Worm.Win32.Palevo.ddm"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Opera|2F|8|2E|89"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=bc58e841f8a43072da7b3c7647828cb8; classtype:trojan-activity; sid:19756; rev:3; service:http; )
00025 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string Baby Remote - Win32/Babmote.A"; flow:to_server,established; http_header; content:"User-Agent|3A| Baby Remote"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=0712178d245f4e5a5d0cf6318bf39144; classtype:trojan-activity; sid:20009; rev:3; service:http; )
00026 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string feranet/0.4 - Win32/Ferabsa.A"; flow:to_server,established; http_header; content:"User-Agent|3A| feranet/0.4|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=93c9b388af56cd66c55630509db05dfd; classtype:trojan-activity; sid:20012; rev:3; service:http; )
# sid:20104 - the only rule in this group that uses nocase; "InfoBot/" is matched in any letter case.
00027 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - InfoBot"; flow:to_server,established; http_header; content:"User-Agent|3A| InfoBot|2F|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0d624da9ec161f78c513cf6b0c85a069b65581cf09ba0a3315e2cac83a89a685-1311198379; classtype:trojan-activity; sid:20104; rev:4; service:http; )
# sid:20105 - upper-case "IPHONE" with no CRLF terminator and no nocase; a real iPhone agent starts with "Mozilla/" and so is not matched.
00028 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - IPHONE"; flow:to_server,established; http_header; content:"User-Agent|3A| IPHONE"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=459c30e9568295b0d9a3e5092734bb7fb6137b9bb8d7cbf5486b62e48e36bd7c-1311220119; classtype:trojan-activity; sid:20105; rev:6; service:http; )
00029 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - darkness"; flow:to_server,established; http_header; content:"User-Agent|3A| darkness"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=30ae2284f7d211b8e448f4b011ee554d1303a0ef0163c4b664fe09d168b4441a-1314088474; classtype:trojan-activity; sid:20106; rev:3; service:http; )
# sid:20201 - msg says "meterpreter" but the content is "Meterpreter" without nocase, so only the capitalised form is matched; confirm against the documented default agent before widening.
00030 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - meterpreter"; flow:to_server,established; http_header; content:"User-Agent|3A| Meterpreter"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:trojan-activity; sid:20201; rev:3; service:http; )
# sid:20230 - "0pera" (digit zero) is the indicator; a genuine "Opera 10" agent is not matched.
00031 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 0pera 10"; flow:to_server,established; http_header; content:"User-Agent|3A| 0pera 10"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=68c5adbc86aad8332455dcacbe624718d053d9078e99e149d6ecc69085a9e691-1313299701; classtype:trojan-activity; sid:20230; rev:3; service:http; )
# sid:20231 - the doubled slash and the "[" in "Mozilla//4.0 [compatible" are the malformed agent being looked for; they are presumably deliberate, so do not "fix" them.
00032 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Mozilla//4.0"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla//4.0 [compatible"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=56afa16e9c6bb2a379d3cff3787d18fa0a7b5f3c3df712ac9702cad789d7eb29-1316218781; classtype:trojan-activity; sid:20231; rev:3; service:http; )
# sid:20293 and sid:21188 below write the hyphen as |2D|; "User|2D|Agent|3A|" is byte-for-byte the same as "User-Agent:".
00033 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string MBVDFRESCT"; flow:to_server,established; http_header; content:"User|2D|Agent|3A| MBVDFRESCT"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=61c2dbab2a90512689ac11e724bd8d2923a30780bfb9cac884ba4eb390e8fd40-1315489381; classtype:trojan-activity; sid:20293; rev:4; service:http; )
00037 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Win32 Amti"; flow:to_server,established; http_header; content:"User-Agent|3A| Win32|2F|Amti"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=5c1b20432a465cfc9f830a8507645b757a95aadcb1f0dd74a05b3c76daddeef9-1296059565; classtype:trojan-activity; sid:21175; rev:4; service:http; )
00038 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string API Guide test program"; flow:to_server,established; http_header; content:"User|2D|Agent|3A| API|2D|Guide test program"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/97ff0c3329bff100cae187cd91dc761495dc8927ebcc64bc04025134624951f6/analysis/; reference:url,www.virustotal.com/file/cb5df70973c7ccedd7ee76e4dcadc2b8b7abab51b1aa16bcac4dd57df9b99182/analysis/; classtype:trojan-activity; sid:21188; rev:4; service:http; )
00039 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Aldi Bot"; flow:to_server,established; http_header; content:"User-Agent|3A| Aldi Bot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=7b17e377e2c44bdad10828dffd9da193a08de4512b47e5caae8a654a9406bb98-1315864372; classtype:trojan-activity; sid:21206; rev:3; service:http; )
00040 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Flag"; flow:to_server,established; http_header; content:"User-Agent|3A| Flag|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=43606116e03672d5c2bca7d072caa573d3fc2463795427d6f5abfa25403bd280-1320677089; classtype:trojan-activity; sid:21225; rev:4; service:http; )
# sid:21278 - the CRLF after "Google Bot" pins the whole value, so agents that merely contain the words (e.g. with a trailing version) are not matched.
00043 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Google Bot"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Google Bot|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=9b5ea51d036ed45e7665abb280e43459; classtype:trojan-activity; sid:21278; rev:4; service:http; )
# sid:21327 - direction is reversed relative to the rest of the group: inbound to $HOME_NET, classtype network-scan, and the balanced policy only alerts (security policy drops).
00044 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent ASafaWeb Scan"; flow:to_server,established; http_header; content:"User-Agent|3A| asafaweb.com"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community,service http; reference:url,asafaweb.com; classtype:network-scan; sid:21327; rev:6; service:http; )
00045 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string psi"; flow:to_server,established; http_header; content:"User-Agent|3A 20|psi|20|v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b76f804853db8b602393a588385e3c091bfb81b312ca8d7228881fc9d8bdae6e/analysis/1330351984/; classtype:trojan-activity; sid:21455; rev:3; service:http; )
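# sid:21469 - outbound request whose User-Agent starts with the digits "1234567890".
# The reference:url previously began with a stray "/" ("/www.virustotal.com/..."), which
# made the link unresolvable; the leading slash is removed here. Matching logic is
# untouched, so rev is left at 3; bump it if the rule is republished.
00046 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 1234567890"; flow:to_server,established; http_header; content:"User-Agent|3A| 1234567890"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=aead70177d2932a1ddd4556fa6b7eb3f7a136f58d5511e2c391b74c0f6d32a98-1315311757; classtype:trojan-activity; sid:21469; rev:3; service:http; )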
# sid:21475 - inbound ($EXTERNAL_NET -> $HOME_NET), classtype misc-activity, no reference. Note the space
# in "flow:to_server, established" (also in sid:26686, sid:21860 and sid:21069); confirm the parser accepts
# whitespace between flow arguments before relying on these rules.
00047 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string core-project"; flow:to_server, established; http_header; content:"User-Agent|3A 20|core-project"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:misc-activity; sid:21475; rev:3; service:http; )
00048 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent YZF"; flow:to_server,established; http_header; content:"User-Agent|3A| YZF|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/92221d283f4d4109b1e8ba139355498cf5b1f444ef8ea181e8ecdc4f68558a97/analysis/; classtype:trojan-activity; sid:21476; rev:2; service:http; )
# sid:21591 - msg calls this adware but classtype is trojan-activity, like the rest of the group.
00049 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent Gamevance tl_v"; flow:to_server,established; http_header; content:"User-Agent|3A| tl_v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/009b5aba4b00bb618b46987630c23c69b20af29194c3e50a5c6dd2ae04338dd1/analysis/; classtype:trojan-activity; sid:21591; rev:2; service:http; )
# sid:21636 - "gbot" with no CRLF terminator: any agent beginning "gbot" matches.
00050 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent gbot"; flow:to_server,established; http_header; content:"User-Agent|3A| gbot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/289eb3becfaf41707ff5e5315c6ba0cca3a5b84f5241d596c748eb036a22a889/analysis/; classtype:trojan-activity; sid:21636; rev:2; service:http; )
# sid:21639 - the pcre requires the value to be exactly "mus" (CR/LF right after it), which keeps e.g. "music..." agents out.
# The content is case-sensitive while the pcre carries /i, so a differently-cased "MUS" never reaches the pcre; either drop /i or add nocase to make the two agree.
00051 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent mus - TDSS related"; flow:to_server,established; http_header; content:"User-Agent|3A| mus"; pcre:"/User-Agent\x3A\s+?mus[\x0d\x0a]/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/dd3979104aea7a45136e51a24fddcda4658d1825e5a4ee65f2e0601d5ddfc971/analysis/; classtype:trojan-activity; sid:21639; rev:2; service:http; )
00052 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent TCYWinHTTPDownload"; flow:to_server,established; http_header; content:"User-Agent|3A| TCYWinHTTPDownload"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3303912ce4dd35cb0fefe2d6fbc75a887c2734d42e5edd622609a2c8bedd0dae/analysis/; classtype:trojan-activity; sid:21526; rev:3; service:http; )
# sid:21925 - no reference; |28| and |29| are the literal parentheses of "BOT/0.1 (BOT for JCE)".
00053 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent BOT/0.1"; flow:to_server,established; http_header; content:"User-Agent|3A| BOT/0.1 |28|BOT for JCE|29|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:21925; rev:2; service:http; )
00055 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent RAbcLib"; flow:to_server,established; http_header; content:"User-Agent|3A| RAbcLib"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/47D648603A2923D4539AAF6D4F63B3B704CCE090F68BB394A0F8B1BC2649844A/analysis/; classtype:trojan-activity; sid:22939; rev:2; service:http; )
# sid:23019 - matches a complete, fixed MSIE 6.0 / NT 5.1 / ".NET CLR 1.1.2150" agent string; the exact spacing (no space after the second |3B|) is part of the signature.
00056 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Flame malware"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B|Windows NT 5.1|3B| .NET CLR 1.1.2150|29|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23019; rev:2; service:http; )
00077 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - PoisonIvy RAT"; flow:to_server,established; http_header; content:"User-Agent|3A| PoisonIvy"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.poisonivy-rat.com; reference:url,www.virustotal.com/file/c71d8085544e6f81e0301d9dd5cdf88369339a6001bab8e4fda22de9ec0fee31/analysis/; classtype:trojan-activity; sid:23627; rev:2; service:http; )
# sid:23903 - destination is "any", not $EXTERNAL_NET, so requests to internal web servers are covered as well (reference is the DistTrack advisory).
00078 alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - you"; flow:to_server,established; http_header; content:"User-Agent|3A| you|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23903; rev:2; service:http; )
# sid:24441 - "Testing" with no terminator; both this rule and sid:24442 cite the same sample.
00087 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Testing"; flow:to_server,established; http_header; content:"User-Agent|3A| Testing"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24441; rev:1; service:http; )
00088 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alerter COM"; flow:to_server,established; http_header; content:"User-Agent|3A| Alerter COM+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24442; rev:1; service:http; )
# sid:16551 - content "malware" is the fast, case-sensitive pre-filter; the pcre (/m, /i) then requires it on the User-Agent line itself.
# Because the content has no nocase, "Malware"/"MALWARE" fail the pre-filter and the /i on the pcre only helps for the "User-Agent" prefix; add nocase if case-insensitive matching is intended.
00089 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - malware"; flow:to_server,established; http_header; content:"malware"; pcre:"/^User-Agent\x3A[^\r\n]*malware/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352; classtype:trojan-activity; sid:16551; rev:8; service:http; )
00090 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Tear Application"; flow:to_server,established; http_header; content:"User-Agent|3A| Tear Application"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=48f1270338bc233839ffefa7e5eefde7; classtype:trojan-activity; sid:16497; rev:7; service:http; )
# sid:5900 - the only rule here that also drops under the connectivity policy; classtype successful-recon-limited rather than trojan-activity.
00091 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Async HTTP Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Async HTTP Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5900; rev:10; service:http; )
# sid:24575 onward spell the header as a literal "User-Agent: " instead of |3A|; the bytes matched are identical.
00093 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Opera/9.61"; flow:to_server,established; http_header; content:"User-Agent: Opera/9.61|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/78F000C1901081A2B7F43E55843BA89B3ED2BE2CAB2C3C36F04C768800863940/analysis/; classtype:trojan-activity; sid:24575; rev:1; service:http; )
00094 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Lizard/1.0"; flow:to_server,established; http_header; content:"User-Agent: Lizard/1.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/F885D6F24FFE5CD899841E9B9914F7CC1CF22C13C5EBF5332F1A1B4F378793FE/analysis/; classtype:trojan-activity; sid:24631; rev:1; service:http; )
# sid:24632 - a one-character agent "1" is weak on its own; the negated content:!"Accept:" additionally requires that no Accept header is present, which narrows it to the bare client.
00095 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - 1"; flow:to_server,established; http_header; content:"User-Agent: 1|0D 0A|"; content:!"Accept:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24632; rev:2; service:http; )
00096 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - test_hInternet"; flow:to_server,established; http_header; content:"User-Agent: test_hInternet|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24633; rev:1; service:http; )
00097 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - vaccinepc"; flow:to_server,established; http_header; content:"User-Agent: vaccinepc"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24634; rev:1; service:http; )
# sid:24792 - no reference given.
00098 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent - Google page"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Google page"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24792; rev:1; service:http; )
# sid:25009 - the indicator is the header name repeated inside its own value ("User-Agent: User-Agent: Opera/").
00099 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent"; flow:to_server,established; http_header; content:"User-Agent: User-Agent: Opera/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/E50BE9062933ACA19777767538BC9E03C94DB23AFBC4F6F19383FCBA3479EAB4/analysis/; classtype:trojan-activity; sid:25009; rev:2; service:http; )
00101 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; http_header; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:2; service:http; )
00102 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - 04/XP"; flow:to_server,established; http_header; content:"User-Agent: 04/XP|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/641B3981E33E33030D3D75EDE4D4F2C896D9F355FC9075B2F852E874FBB97F7A/analysis/; classtype:trojan-activity; sid:25243; rev:1; service:http; )
00103 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - me0hoi"; flow:to_server,established; http_header; content:"User-Agent: me0hoi|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7919E2A3586AA83072689A5DB77DA8DDB4F675421D775C8F1A0110D12423EF3E/analysis/; classtype:trojan-activity; sid:25245; rev:1; service:http; )
00114 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - spam_bot"; flow:to_server,established; http_header; content:"User-Agent: spam_bot|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/ED62E89CC17E400A60D98E075FAFFB9D778C1A27A9CB83723E3AFA6A2C385339/analysis/; classtype:trojan-activity; sid:25659; rev:1; service:http; )
00196 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent cibabam"; flow:to_server,established; http_header; content:"User-Agent|3A| cibabam|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/d8a18e7ce01d17149ada4a46ff3889da/analysis/; classtype:trojan-activity; sid:26248; rev:1; service:http; )
# sid:26558 - inbound to $HOME_NET, classtype misc-activity. The content has no "User-Agent:" prefix, so the Brutus string is matched anywhere in the request headers.
00214 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Malicious user agent Brutus AET"; flow:to_server,established; http_header; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|Brutus|2F|AET"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:3; service:http; )
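# sid:26577 - "Opera/10 " (trailing space) anywhere in the request headers; there is no
# "User-Agent:" prefix, so the match is not pinned to that header. The second reference
# explains the real Opera UA-string format this impersonation differs from.
# The first reference:url contained a stray space ("spreading-s irefef-malware"), which
# broke the link; it is rejoined here as "spreading-sirefef-malware". Matching logic is
# untouched, so rev is left at 2; bump it if the rule is republished.
00215 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent Opera 10"; flow:to_server,established; http_header; content:"Opera/10|20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2; service:http; )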
00222 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string J13A"; flow:to_server,established; http_header; content:"User-Agent: J13A|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/file/75667889BC6ACBB77E57EF02DDE1D908EEF9625292618E31E7D4F5194733C6F0/analysis/; classtype:trojan-activity; sid:26685; rev:2; service:http; )
# sid:26686 - "flow:to_server, established" has a space after the comma; confirm the parser accepts it.
00223 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alina"; flow:to_server, established; http_header; content:"User-Agent|3A| Alina"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/102fa9c066102db7ebf821e28dbc6363d544843bfe45c331eb826663ab6c74b9/analysis/; classtype:trojan-activity; sid:26686; rev:1; service:http; )
# sid:26702 - the CRLF makes the whole agent exactly "Win"; without it this would hit every agent starting with "Win".
00224 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Win"; flow:to_server,established; http_header; content:"User-Agent|3A| Win|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26702; rev:1; service:http; )
00226 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - msctls_progress32"; flow:to_server,established; http_header; content:"User-Agent|3A| msctls_progress32|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/0b88db0c00910a9f018189a01bb9ab2b166cf16f73930d96e519281d6c5b3001/analysis/; classtype:trojan-activity; sid:26751; rev:1; service:http; )
00241 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - yahoonews"; flow:to_server,established; http_header; content:"User-Agent|3A| yahoonews|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/49608d016caf8dc31e95e01bd76cc4ac3f37df47b1299931f872e67a4ec80fa3/analysis/; classtype:trojan-activity; sid:27263; rev:1; service:http; )
# sid:21860 - Phoenix EK post-compromise: requires both the unusual "Accept-Encoding: identity, *;q=0" header and a
# fixed MSIE 5.0 / Windows 98 agent in the same request. The long CVE list is the kit's exploit inventory, not what this rule matches.
00670 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Phoenix exploit kit post-compromise behavior"; flow:to_server, established; http_header; content:"Accept-Encoding: identity, *|3B|q=0"; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.0|3B| Windows 98)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; reference:url,contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html; classtype:successful-user; sid:21860; rev:3; service:http; )
# sid:21069 - the "?spl=...&br=...&vers=...&s=" query is searched in the header buffer (http_header is the active
# buffer), i.e. presumably in a Referer rather than the request URI; confirm that is the intended buffer.
00708 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Eleanore exploit kit exploit fetch request"; flow:to_server, established; http_header; content:"?spl="; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21069; rev:3; service:http; )
# sid:24786 - URI "j.php?t=u" plus, in the headers, "content-type" immediately followed (distance 0) by "x-java-archive" and a " Java/1." agent.
00757 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX Exploit Kit Java Exploit request structure"; flow:to_server,established; http_uri; content:"j.php?t=u"; http_header; content:"content-type"; content:"x-java-archive|0D 0A|",distance 0; content:" Java/1."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24786; rev:2; service:http; )
# sid:25041 - helper rule: sets flowbit java_user_agent on any "Java/1." User-Agent and never alerts (flowbits:noalert); other rules key off the bit.
00778 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Java User-Agent flowbit set"; flow:to_server,established; http_header; content:"User-Agent|3A 20|"; content:"Java/1.",fast_pattern; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./"; flowbits:set,java_user_agent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25041; rev:4; service:http; )
# sid:26346 - raw URI must be exactly 8 bytes (bufferlen:8) and of the form "/NN.html" (two digits), requested by a Java client.
00882 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit payload requested"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:".html"; http_header; content:" Java/1",fast_pattern; http_uri; pcre:"/\/\d{2}\.html$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26346; rev:2; service:http; )
# sid:26562 - Host header of the form "<label>.com-<label>[:port]" combined with a fixed, old-style Accept header.
00910 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; http_header; content:".com-"; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/i"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26562; rev:1; service:http; )
# sid:26808 - 1-4 character ".jar" URI at the root, Java client, java-archive content-type; the negated content:!"cbssports.com" is a false-positive exclusion.
00920 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit short jar request"; flow:to_server,established; http_uri; content:".jar"; http_header; content:" Java/1."; content:"content-type|3A| application/x-java-archive"; http_uri; pcre:"/^\/[a-z0-9]{1,4}\.jar$/"; http_header; content:!"cbssports.com"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26808; rev:2; service:http; )
# sid:27144 - the pcre class "[a-fA-Z0-9]" looks like a typo for hex "[a-fA-F0-9]", but under the /i flag it is equivalent to
# "[a-zA-Z0-9]", so the first parameter is matched as any alphanumeric value; verify against samples before tightening.
00974 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Private Exploit Kit outbound traffic"; flow:to_server,established; http_uri; content:".php?"; http_header; content:"content-type: application/"; content:" Java/1"; http_uri; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/i"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:1; service:http; )
# sid:13515 - helper rule: sets flowbit quicktime_agent for a QuickTime User-Agent and never alerts on its own.
01830 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-MULTIMEDIA Apple QuickTime user agent"; flow:to_server,established; http_header; content:"User-Agent|3A| QuickTime"; flowbits:set,quicktime_agent; flowbits:noalert; metadata:policy balanced-ips alert,policy security-ips alert,service http; classtype:misc-activity; sid:13515; rev:10; service:http; )
# sid:27203 - "SEX/1" User-Agent, tied by the reference to an Apache auto_prepend_file injection campaign.
02431 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; http_header; content:"User-Agent|3A| SEX|2F|1"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:2; service:http; )
# sid:22095 - three custom "Extra-Data*" headers (case-insensitive) together with a URI that is only digits.
02521 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Agent outbound connection"; flow:to_server,established; http_header; content:"Extra-Data-Bind|3A|",nocase; content:"Extra-Data-Space|3A|",nocase; content:"Extra-Data|3A|",nocase; http_uri; pcre:"/^\/\d+$/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/4d6c4f5f0525d07b1454283ee1f1a166528f1edc208d10de9d3ce80d021c8fa3/analysis/; classtype:trojan-activity; sid:22095; rev:4; service:http; )
02563 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Trojan.Magania variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: Google page|0D 0A|"; http_uri; content:".asp?"; content:"mac=",within 4; content:"&ver=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:5; service:http; )
02577 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vbvoleur.a variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: default"; http_client_body; content:"uid|3D|"; content:"|26|subid|3D|"; content:"|26|torrent_count|3D|"; content:"|26|video_count|3D|"; metadata:impact_flag red,policy balanced-ips drop,service http; reference:url,www.virustotal.com/file/dd616615017e0d5a1a9b126e0294d3cfc026ea0aa76b76354536d24b3c327c47/analysis/; classtype:trojan-activity; sid:23394; rev:8; service:http; )
02592 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Bublik variant outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:"/was/u.php"; http_header; content:"Content-Length|3A 20|328"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/B600D0A5FC596CEEDD377890C93FE4B50F8093F2CE874EF39956E497CC63E544/analysis/; classtype:trojan-activity; sid:23103; rev:4; service:http; )
02605 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Aldi bot variant outbound connection user-agent"; flow:to_server,established; http_header; content:"Aldi Bot FTW! :D"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2011/10/ddos-aldi-bot/; classtype:trojan-activity; sid:21912; rev:2; service:http; )
02607 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware user-agent"; flow:to_server,established; http_header; content:"Windows NT 6.1|3B| WOW64|3B| rv:9.0.1|3B| sv:2|3B| id:"; pcre:"/[1-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,contagiodump.blogspot.com/2012/04/i-have-been-tracking-infections-too-and.html; classtype:trojan-activity; sid:21910; rev:2; service:http; )
02608 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX.Sabpub outbound connection"; flow:to_server,established; http_uri; content:"/update.aspx"; http_header; content:"Accept-Encoding|3A 20|base64,gzip"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link; classtype:trojan-activity; sid:21877; rev:4; service:http; )
02609 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Orsam variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/ping.php"; http_header; content:"WinHttp.WinHttpRequest"; pcre:"/User-Agent\x3a\x20[^\n]*?WinHttp\x2eWinHttpRequest.*?\n/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/792636c6d2114a93afb95dccc05fd2820fa236fc5d3d9d1f5a3db6ba80353087/analysis/; classtype:trojan-activity; sid:21852; rev:3; service:http; )
02610 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; http_uri; content:"/download.html",nocase; http_header; content:"User-Agent|3A 20|wmagents.exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f9775d5fc61ec53a7cab4b432ec2d227; classtype:trojan-activity; sid:21761; rev:7; service:http; )
02611 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_header; content:"|0A|User-Agent|3A 20|tiehttp",fast_pattern,nocase; http_client_body; content:"Content-Disposition|3A 20|",nocase; content:"form-data|3B| name=|22|filename|22|",distance 0,nocase; content:"|0D 0A 0D 0A|",within 4; pkt_data; pcre:"/^\d{0,10}_passes_\d{1,10}\.xm/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f9775d5fc61ec53a7cab4b432ec2d227; classtype:trojan-activity; sid:21760; rev:5; service:http; )
02617 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Ransom variant outbound connection"; flow:to_server,established; http_header; content:"Referer|3A| res|3A 2F 2F|"; content:"|3A 5C|",within 3,distance 1; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2ed70f0d0fed4fba04d576bc2a9a13541a95f4ecb5bdead07ca30d7b40a70d84/analysis/; classtype:trojan-activity; sid:21632; rev:4; service:http; )
02624 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Bredolab variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_client_body; content:"smk=",depth 4; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:4; service:http; )
02626 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kahn outbound connection"; flow:to_server,established; http_method; content:"POST"; http_header; content:"Content-Length|3A 20|1000002"; http_client_body; content:"z=",depth 2; http_uri; pcre:"/\/$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2012/03/kahn/; reference:url,www.virustotal.com/file/3e37577f8bd7d4d248d414ec65b1c339e491d0d7c096c92e602c639faec7626f/analysis/; classtype:trojan-activity; sid:21551; rev:2; service:http; )
02629 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Dofoil variant outbound payload request"; flow:to_server,established; http_uri; content:".exe"; pkt_data; content:"HTTP/1.0"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; content:!"Accept|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21538; rev:3; service:http; )
02648 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.hacktool variant outbound connection"; flow:to_server,established; http_uri; content:"/update",nocase; http_header; content:"Mozilla/4.75",fast_pattern,nocase; pcre:"/\x2Fupdate\w\x2Ephp\x3Fp\x3D\d+.*User\x2DAgent\x3A\s+Mozilla\x2F4\x2E75\s\x5Ben\x5D\s\x28X11\x3B\sU\x3B\sLinux\s2\x2E2\x2E16\x2D3\si686\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=f602982724b3562b80f435f0d87c6a5f; classtype:trojan-activity; sid:16496; rev:11; service:http; )
02651 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RSPlug Win.Trojan.server connection"; flow:to_server,established; http_header; content:"GET /cgi-bin/generator.pl HTTP/1.0|0D 0A|User-Agent|3A| "; content:"1|3B|7017|3B|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:trojan-activity; sid:15563; rev:8; service:http; )
02654 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Startpage variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/get_config.cgi"; http_header; content:"x-company|3A 20|soft2pcfr"; content:"User-Agent|3A 20|EoAgence",fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/c96a0bbedc16bc05904b3d60b63976825efa23493a01410c7c8d0cad7b1551c7/analysis/; classtype:trojan-activity; sid:21436; rev:5; service:http; )
02662 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FakeAV TDSS/PurpleHaze outbound connection - base64 encoded"; flow:to_server,established; http_header; content:"Accept-Language|3A 20|en-US|0D 0A|User-Agent|3A 20|Mozilla/4.0|20|(compatible"; content:!"Referer"; pkt_data; pkt_data; content:"GET /",depth 5; base64_decode:relative; base64_data; content:"cl|7C|1.6|7C|"; content:"|7C|161",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html; classtype:trojan-activity; sid:21318; rev:5; service:http; )
02663 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Dofoil variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/hhh/index.php"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_client_body; content:"smk="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21313; rev:2; service:http; )
02665 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Spyeye variant outbound connectivity check"; flow:to_server,established; http_uri; content:"/ib2/"; http_header; content:"Referer|3A 20|http|3A 2F 2F|disney.com|2F|index.html"; http_uri; pcre:"/\x2fib2\x2f$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/10b9e42a99890e672c8d3da3bdbe375d681ec9c21a7f7e165041186614d51584/analysis/; classtype:trojan-activity; sid:21306; rev:3; service:http; )
02668 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MsUpdater initial outbound connection"; flow:to_server,established; http_uri; content:"/search?qu="; http_header; content:"User-Agent|3A 20|Firefox|2F|2.0.0.2|0D 0A|"; http_cookie; content:"PREF=ID="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21241; rev:6; service:http; )
02669 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MsUpdater outbound connection"; flow:to_server,established; http_uri; content:"/search"; content:"?h1=",distance 0; content:"&h2=",distance 0; content:"&h3=",distance 0; content:"&h4=",distance 0; http_header; content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21240; rev:6; service:http; )
02673 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacOS.Flashback.A outbound connection"; flow:to_server,established; http_uri; content:"/counter/",nocase; http_header; content:"User|2D|Agent|3A| ",nocase; content:"install|20 28|unknown version|29|",within 64,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=8061839dfd1167b115865120728c806791f40ee422760866f303607dbd8a9dda-1319210978; reference:url,www.virustotal.com/file-scan/report.html?id=baa14d6bfbff020007c330aa7872e89337fd0036ebfdfa4b4f1d61565c2b0f96-1318536797; classtype:trojan-activity; sid:20762; rev:5; service:http; )
02674 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gbot.oce outbound connection"; flow:to_server,established; http_uri; content:"index.html?tq="; http_header; content:"User-Agent|3A 20|mozilla/2.0|0D 0A|",fast_pattern; content:"Content-Length|3A 20|0|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=40324644d689f5cef21e9035d6b482079a94e540e18a93352acc32d48e9ba64e-1316072758; classtype:trojan-activity; sid:20759; rev:5; service:http; )
02675 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jorik variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|hello|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=9e75c7e39e9e740fd1579d73d457db319f277345022c0ab46c77d480a6f93fd8-1316968091; classtype:trojan-activity; sid:20756; rev:4; service:http; )
02676 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Krap outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|id=",nocase; content:"tick=",distance 0,nocase; content:"ver=",distance 0,nocase; content:"smtp=",distance 0,nocase; content:"task=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=18bf1732e9f22502b1b4b1eeb7ebde8249fb7551963a9e1e642efd1add5fde15-1293460542; classtype:trojan-activity; sid:20755; rev:4; service:http; )
02682 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jinchodz variant outbound connection"; flow:to_server,established; http_uri; content:".exe",nocase; http_header; content:"User-Agent|3A 20|Agent"; http_uri; pcre:"/^\/\d\x2eexe/i"; http_header; pcre:"/User-Agent\x3a\x20Agent\d{5,9}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=59c54a224ccff90e4e2f89a5ca5d60c974d00e7a5d2b738abbeba6542eecfc0d-1316515617; classtype:trojan-activity; sid:20229; rev:4; service:http; )
02684 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Injector outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Opera|5C|9.64|0A|"; http_uri; content:"bb.php?v="; content:"id=",distance 0; content:"b=",distance 0; content:"tm=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file-scan/report.html?id=2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2-1303397086; classtype:trojan-activity; sid:20221; rev:4; service:http; )
02685 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/gs.php",nocase; http_header; content:"Synapse",nocase; content:"Content-Length|3A| 12",distance 0,nocase; http_client_body; content:"id="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=07d2e3f1eaaeffefa493a9e2b81c8a92bc9ac29409920a0b9f02bf6a07f1dfe6-1316107850; reference:url,www.virustotal.com/file-scan/report.html?id=5ed1654c72a0d6f274f61e3b3c61b247463533c7136f4e9d8dd63d408ca7f5b0-1315791284; reference:url,www.virustotal.com/file-scan/report.html?id=eff9b75161853b46ad9f492480b3d39cbdbd23b02c16d50b291a3797b9bb4db8-1316416732; classtype:trojan-activity; sid:20213; rev:3; service:http; )
02689 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Briewots.A runtime traffic detected"; flow:to_server,established; http_uri; content:"/geo/countrybyip.php",nocase; http_header; content:"User-Agent|3A| User Agent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f8433bdde30354db80ebce58b2c866ea; classtype:trojan-activity; sid:20011; rev:3; service:http; )
02705 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Jorik variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|IE"; http_uri; content:"type|3D|stats",nocase; content:"affid|3D|508"; content:"subid|3D|new02",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=1e92508de36f878dceb369121364bd3d; classtype:trojan-activity; sid:19711; rev:6; service:http; )
02707 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.grdm outbound connection"; flow:to_server,established; http_uri; content:"/one.php?dwId=",nocase; http_header; content:"User-Agent|3A 20|Mozilla|0D 0A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=db03b00a06360745f0d126ccada6e9658ff943bd351262ecba06f32c07aa630f-1311386661; classtype:trojan-activity; sid:19705; rev:5; service:http; )
02708 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.grdm outbound connection"; flow:to_server,established; http_uri; content:"/one.php?inf=",nocase; http_header; content:"User-Agent|3A 20|Mozilla|0D 0A|",nocase; http_uri; pcre:"/\?inf\=[0-9a-f]{8}\x2Ex\d{2}\x2E\d{8}\x2E/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=db03b00a06360745f0d126ccada6e9658ff943bd351262ecba06f32c07aa630f-1311386661; classtype:trojan-activity; sid:19704; rev:5; service:http; )
02709 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm Win.Trojan.Dusta.br outbound connection"; flow:to_server,established; http_uri; content:"/funtionsjs",nocase; http_header; content:"User-Agent|3A 20|vb|20|wininet|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=2083e1fca5aedbf9e496596933f92c62b532d01cb2f2d69ee9224d0706f27bb0-1310789129; classtype:trojan-activity; sid:19703; rev:5; service:http; )
02719 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC TT-bot botnet variant outbound connection"; flow:to_server,established; http_header; content:"TT-Bot"; pkt_data; pcre:"/^User-Agent\x3A[^\r\n]*TT-Bot/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,anubis.iseclab.org/index.php?action=result&format=html&task_id=1494581651ca480640538ead93feabed2; classtype:trojan-activity; sid:16493; rev:12; service:http; )
02728 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MacBack Win.Trojan.outbound connection"; flow:to_server, established; http_uri; content:"/checkur1"; http_header; content:"User-Agent|3A 20|curl"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186-1305514984; classtype:trojan-activity; sid:19016; rev:7; service:http; )
02740 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.command and control communication"; flow:to_server,established; http_header; content:"Ryeol HTTP Client Class",nocase; content:"jaiku.com",nocase; pcre:"/^User\x2DAgent\x3A\s+Ryeol\s+HTTP\s+Client\s+Class/smi"; pcre:"/^Host\x3A\s+.*jaiku\x2Ecom/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=9a546564bf213ff866f48848f0f14027; classtype:trojan-activity; sid:16459; rev:8; service:http; )
02752 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Zeus/Zbot malware config file download request"; flow:to_server; http_uri; content:"/w/update.dat",nocase; http_header; content:"Host|3A| chartseye.cn",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=21782783; classtype:trojan-activity; sid:15481; rev:9; service:http; )
02756 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC bagle.a http notification detection"; flow:to_server,established; http_uri; content:"/1.php?p=",nocase; http_header; content:"User-Agent|3A|",nocase; content:"beagle_beagle",fast_pattern,nocase; pcre:"/^User-Agent\x3A[^\r\n]*beagle_beagle/smi"; metadata:impact_flag red,policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.sophos.com/virusinfo/analyses/w32baglea.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-011815-3332-99&tabid=2; classtype:trojan-activity; sid:9418; rev:14; service:http; )
02763 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FlyStudio known command and control channel traffic"; flow:to_server,established; http_uri; content:"/piao1.asp?AC=",nocase; http_header; content:"Content-Length|3A 20|0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16823.html; classtype:trojan-activity; sid:16823; rev:8; service:http; )
02773 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Backdoor outbound connection"; flow:to_server,established; http_uri; content:"/registraMaquina*/",nocase; http_header; content:"User-Agent|3A| Clickteam"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C1EE4AA7DFBB02C4E9C1EA6A45D7C98EA10727661994BD595CADF4173415CFCA/analysis/; classtype:trojan-activity; sid:23945; rev:6; service:http; )
02774 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Backdoor file download"; flow:to_server,established; http_uri; content:"/_libs/wget.exe"; http_header; content:"User-Agent|3A| Compressor ZIP do Windows"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C1EE4AA7DFBB02C4E9C1EA6A45D7C98EA10727661994BD595CADF4173415CFCA/analysis/; classtype:trojan-activity; sid:23946; rev:6; service:http; )
02781 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Coswid.klk outbound connection"; flow:to_server,established; http_uri; content:"/update.png",nocase; http_header; content:"User-Agent|3A| ",nocase; content:"+Mozilla/4.0",within 30,nocase; content:"MSIE 8.0|3B| Win32",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/28414CF6120E4EF72E3F4669A0824465405C2FD757B3502BDCD319C9D69AF3BF/analysis/; classtype:trojan-activity; sid:22103; rev:6; service:http; )
02787 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC PointGuide outbound connection"; flow:to_server,established; http_uri; content:"/cont/proid.txt"; http_header; content:"reward|2E|pointguide|2E|kr",distance 0,fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=2ef41c20bdadd9d85da91a68639f8ea8d733537ecbba7280ecbcbb31bfa3b2fe-1234376606; classtype:trojan-activity; sid:19328; rev:3; service:http; )
02788 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dropper Win.Trojan.Agent.alda outbound connection"; flow:to_server,established; http_uri; content:"/mydown.asp"; content:"ver=",distance 0; content:"tgid=",distance 0; content:"address=",distance 0; http_header; content:"www|2E|qqcjidc|2E|cn",fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=4d875250872a1c6ec7d47be59ed7d244c2b9ce06a65ff251763e74adb5e2641d-1247780429; classtype:trojan-activity; sid:19339; rev:5; service:http; )
02805 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Biloky variant outbound connection"; flow:to_server,established; http_uri; content:"/loc/gate.php|3F|"; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSlE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET CLR 1.1.4322"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/41d6db389438c2ca66262e64152a9e9f8cde55d3643a387a6241d7a2431c8ce5/analysis/; classtype:trojan-activity; sid:24216; rev:3; service:http; )
02813 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.VB variant outbound connection"; flow:to_server,established; http_uri; content:"/reportmac.asp",nocase; http_header; content:"User-Agent: http"; http_uri; content:"anma=",nocase; content:"zhanghao=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/e2636ae650252d760e15b13d80603d48081ebb664e6143fe1a257b4cd015d2c0/analysis/; classtype:trojan-activity; sid:24375; rev:3; service:http; )
02814 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.XBlocker outbound communication"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/4.0 (SPGK)"; http_uri; content:"/rz/mn.php?ver=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/68051395c25797dc668101cdd0086109cfae0114cf4d2df7d241035378b1ec13/analysis; classtype:trojan-activity; sid:24381; rev:1; service:http; )
02815 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.XBlocker outbound communication"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/4.0 (SPGK)"; http_uri; content:"/rz/report.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/68051395c25797dc668101cdd0086109cfae0114cf4d2df7d241035378b1ec13/analysis; classtype:trojan-activity; sid:24382; rev:1; service:http; )
02818 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chiviper outbound connection"; flow:to_server,established; http_uri; content:"d10="; content:"d11="; content:"d21="; content:"d22="; http_header; content:"User-Agent|3A| Example"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24440; rev:2; service:http; )
02834 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Veli variant outbound connection"; flow:to_server,established; http_client_body; content:"Yuok$$"; http_header; content:"User-Agent: Asynchronous WinHTTP/1.0",nocase; http_uri; content:"logon.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/953a812f745cb3b0e5abc59c5df68dcb8e3db2ee0af8ae419480cc2c2ada27f4/analysis/; classtype:trojan-activity; sid:24563; rev:2; service:http; )
# Snort rule listing, one rule per line, in sticky-buffer syntax: http_header /
# http_uri / http_raw_uri / http_client_body / pkt_data select the buffer that
# the content: and pcre: options after them are evaluated against, so option
# order is part of each rule's semantics and must not be rearranged.
# The leading five-digit field on every line appears to be the line number of
# the rule in its source file, not rule syntax -- strip it before loading.
# Rules are grouped by msg: prefix (MALWARE-CNC, MALWARE-OTHER, MALWARE-TOOLS,
# OS-MOBILE, PUA-ADWARE). Almost all are $HOME_NET -> $EXTERNAL_NET check-in /
# exfiltration signatures keyed on a distinctive User-Agent, an exact URI length
# (bufferlen:N on http_raw_uri followed by a content on http_uri) or a fixed
# header; the two MALWARE-TOOLS rules are the inbound exceptions.
02837 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm.Win32.Faketube update request attempt"; flow:to_server,established; http_header; content:"User-Agent|3A| Autoit",nocase; http_uri; content:"|2F 7E|ntproduc|2F|update",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=35cc362bd4c354d0a27691a39f7d9b5a157f7dd0a0f286d99d64608ab8bc99a3-1287378453; classtype:trojan-activity; sid:19058; rev:2; service:http; )
# Quarian: the matched header names are misspelled ("Proxy-Connetion",
# "Content_length"). Presumably these are the malware's own typos and are the
# discriminating artefact -- do not "correct" them when editing the rule.
02842 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Quarian outbound connection - proxy connection"; flow:to_server,established; http_method; content:"CONNECT"; http_header; content:"Proxy-Connetion|3A|"; content:"Content_length|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/dce3412caecdb1c4959adb5794bbe3b69348b26b97360ef262acf5fd2c0dfa2c/analysis/; classtype:trojan-activity; sid:24858; rev:2; service:http; )
02843 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gnutler variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent:|20|ver:"; content:"|7C|os:"; content:"|7C|admin:"; content:"|7C|port:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/bc9ab894cf8229ab9b233d89595d962c7d226c8e72880d60d93f79fe4f7a6215/analysis/; classtype:trojan-activity; sid:24873; rev:1; service:http; )
# bufferlen:11 on http_raw_uri pins the whole URI to 11 bytes, which is exactly
# len("/Config.txt"), so the http_uri content below is an exact-path match
# rather than a substring match. The same idiom recurs throughout the file.
02844 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; http_raw_uri; bufferlen:11; http_uri; content:"|2F|Config|2E|txt"; http_header; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:2; service:http; )
02856 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; http_raw_uri; bufferlen:52; http_header; content:"/s/?k="; http_uri; pcre:"/^\x2f[a-z0-9]{51}$/i"; http_header; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/i"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25224; rev:2; service:http; )
02858 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Gamarue outbound connection"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:12; http_uri; content:"/a/image.php"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25256; rev:2; service:http; )
02859 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Skintrim outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/bin/check.php?cv="; http_header; content:"ThIs_Is_tHe_bouNdaRY_$",fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:3; service:http; )
02861 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BancosBanload outbound connection"; flow:to_server,established; http_header; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:2; service:http; )
02862 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buterat outbound connection"; flow:to_server,established; http_header; content:"From|3A|"; content:"Via|3A|"; http_raw_uri; bufferlen:13; http_uri; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:2; service:http; )
02876 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Virut variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:17; http_uri; content:".txt"; http_header; content:"User-Agent|3A 20|Download"; http_uri; pcre:"/\/[a-z0-9]{12}\.txt$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/A310DE3A30A3D7E5651F8BDAE6FF6995F2B91331544DF054CD89D51C8D047F87/analysis/; classtype:trojan-activity; sid:25572; rev:1; service:http; )
02884 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; http_uri; content:"/js/disable.js?type="; http_header; content:"Accept|3A 20|application/javascript|2C 20 2A 2F 2A 3B|q=0.8"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Medfos.B; classtype:trojan-activity; sid:25660; rev:2; service:http; )
# Fakeavlock (and the bitcoin-miner rule on port 1942 further down) use an
# explicit port range instead of $HTTP_PORTS while still relying on http_*
# buffers and service:http. NOTE(review): these presumably only fire where the
# HTTP inspector is bound to those ports (or service identification applies);
# confirm that binding exists in the deployed configuration.
02889 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 ( msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; http_header; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; http_raw_uri; bufferlen:159; http_uri; pcre:"/\x2f[A-F0-9]{158}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7; service:http; )
02890 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Agent YEH outbound connection"; flow:to_server,established; http_header; content:"|29 3B 28|b|3A|3790|3B|c|3A|INT|2D|6760|3B|l|3A|09|29 0D 0A|"; http_uri; pcre:"/\x2f\?ts\x3d[a-f0-9]{40}\x26/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YEH/detailed-analysis.aspx; classtype:trojan-activity; sid:25765; rev:3; service:http; )
# Urausy: the pcre accepts URIs of 1 + {90..97} + 4 = 95..102 bytes inclusive,
# while the length gate is written as bufferlen:95<>102. NOTE(review): if "<>"
# is exclusive in the engine version this runs on, the 95- and 102-byte ends
# of the regex range can never alert -- confirm the operator semantics, and use
# the inclusive form if that is what was intended.
02892 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Urausy Botnet variant outbound communication"; flow:to_server,established; http_raw_uri; bufferlen:95<>102; http_header; content:"|29 20|Chrome|2F|"; content:!"|0A|Accept-Encoding|3A 20|"; http_uri; pcre:"/^\x2f[a-z\x2d\x5f]{90,97}\.php$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.botnets.fr/index.php/Urausy; classtype:trojan-activity; sid:25807; rev:3; service:http; )
# Heuristic rather than sample-based (no hash reference): a request for "/"
# with an MSIE 7.0 UA, a Host ending in .info that contains a run of five or
# more consonants, and no Referer or Cookie header. Expect this one to need
# tuning; the negated contents are what keep it from matching ordinary browsing.
02895 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Zeus - MSIE7 No Referer No Cookie"; flow:to_server,established; http_raw_uri; bufferlen:1; http_uri; content:"|2F|"; http_header; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Einfo\r\n/i"; content:!"|0A|Referer|3A|"; content:!"|0A|Cookie|3A|"; content:"|3B 20|MSIE|20|7.0|3B 20|"; content:"|2E|info|0D 0A|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:25854; rev:3; service:http; )
02896 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC GzWaaa outbound data connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:".php"; http_header; content:"User|2D|Agent|3A 20|Mozilla|2F|3.0|20 28|compatible|3B 20|Indy Library|29 0D 0A|"; http_client_body; content:"form-data|3B| name=|22|userfile|22 3B| filename="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e99d361746995767071789cc3fa24d2cc/analysis/1361822708/; classtype:trojan-activity; sid:25949; rev:2; service:http; )
# Dirtjumper pair (sid 26010 here, sid 26011 below): identical except for the
# exact Content-Length (34 vs 17). "k=",depth 2 restricts the body match to
# the first two bytes of the POST body.
02898 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC CNC Dirtjumper outbound connection"; flow:to_server,established; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 34|0D 0A|"; http_client_body; content:"k=",depth 2; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2012/04/a-ddos-family-affair-dirt-jumper-bot-family-continues-to-evolve/; classtype:trojan-activity; sid:26010; rev:5; service:http; )
02900 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:7; http_uri; content:"/in.php"; http_header; content:".ru|0D 0A|User-Agent|3A 20|Mozilla/4.0|0D 0A|"; content:"|0A|Content-Length|3A 20|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231; classtype:trojan-activity; sid:26023; rev:3; service:http; )
# Encriyoko pair: same "Go http package" User-Agent and the same sample
# reference; they differ only in the URI (download vs. /about/step1.php POST).
02904 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Encriyoko variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Go http package|0D 0A|"; http_uri; content:"/downs/zdx.tgz"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/9562bd4c4fa237ba85247d7c4cf0f9ab7631a97f1c641eaf3aa66223726a909f/analysis/; classtype:trojan-activity; sid:24439; rev:2; service:http; )
02905 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Encriyoko variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Go http package|0D 0A|"; http_uri; content:"/about/step1.php"; http_client_body; content:"m_usr="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/9562bd4c4fa237ba85247d7c4cf0f9ab7631a97f1c641eaf3aa66223726a909f/analysis/; classtype:trojan-activity; sid:26088; rev:1; service:http; )
02909 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Malex variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: PCICompliant/3.33"; http_uri; content:"/process.php?xy="; content:"fGF6fDIu",within 8,distance 48; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/BB12FC4943857D8B8DF1EA67EECC60A8791257AC3BE12AE44634EE559DA91BC0/analysis/; classtype:trojan-activity; sid:26204; rev:3; service:http; )
02910 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Eldorado variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:12; http_uri; content:"/pid/pid.txt"; http_header; content:"(compatible|3B 20|Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2; service:http; )
02911 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC CNC Dirtjumper outbound connection"; flow:to_server,established; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 17|0D 0A|"; http_client_body; content:"k=",depth 2; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,ddos.arbornetworks.com/2012/04/a-ddos-family-affair-dirt-jumper-bot-family-continues-to-evolve/; classtype:trojan-activity; sid:26011; rev:4; service:http; )
02913 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Brontok Worm outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Brontok.A8 Browser|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1; classtype:trojan-activity; sid:26288; rev:1; service:http; )
02914 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; http_uri; content:".php?mac="; http_header; content:"|0D 0A|Accept-Language|3A 20|ko|0D 0A|"; http_uri; pcre:"/\.php\?mac\x3d([a-f0-9]{2}\x3a){5}[a-f0-9]{2}$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5704c8174944ee8b901abec/analysis/; classtype:trojan-activity; sid:26325; rev:1; service:http; )
02916 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/ksa.txt"; http_header; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26370; rev:1; service:http; )
# Detection by absence: an exact Accept header plus a .png URI with a negated
# "User-Agent:" content, i.e. the request carries no User-Agent at all.
02918 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot fake PNG config file download without User-Agent"; flow:to_server,established; http_header; content:"Accept: application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|q=0.8,image/png,*/*|3B|q=0.5|0D 0A|"; http_uri; pcre:"/\.png$/i"; http_header; content:!"User-Agent:",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26480; rev:3; service:http; )
02919 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; http_raw_uri; bufferlen:10; http_header; content:"sousi.extasix.com|0D 0A|"; http_uri; content:"/genst.htm"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1; service:http; )
# Shiz: "pkt_data;" is written twice in a row; the repeat is redundant and
# should be collapsed to a single option on the next revision.
02930 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Shiz outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/login.php",depth 10; http_header; content:"Referer|3A| http://www.google.com"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 2.0|3B|"; pkt_data; pkt_data; content:"HTTP/1.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6; reference:url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6/analysis/1368563326/; classtype:trojan-activity; sid:26657; rev:2; service:http; )
# Style: this rule (and the Havij, Tetus and Fakeinst rules below) writes
# "flow:to_server, established" with a space after the comma, unlike the rest
# of the file. NOTE(review): presumably the parser tolerates it; normalise to
# the unspaced form for consistency.
02937 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Miniduke server contact"; flow:to_server, established; http_raw_uri; bufferlen:>45; http_header; content:"User-Agent: Mozilla/4.0"; http_uri; content:"/news/feed.php"; pcre:"/i=[a-zA-Z0-9$~]{40}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/29ad305cba186c07cedc1f633c09b9b0171289301e1d4319a1d76d0513a6ac50/analysis/; classtype:trojan-activity; sid:26690; rev:2; service:http; )
02938 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.UFRStealer variant outbound connection"; flow:to_server,established; http_header; content:"boundary=ABCDABCDABCD"; http_uri; content:"/log/logs.php",nocase; http_client_body; content:"|0D 0A 0D 0A|UFR!"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5c097c6dddbd72976b7b1d93845a17d4ed4b5abbd2cd99e4454aa37f20683ad9/analysis/; classtype:trojan-activity; sid:26691; rev:1; service:http; )
02943 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Upero variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Win|0D 0A|"; http_uri; content:"?cdata=",nocase; content:"&detail=",nocase; content:"&fold=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26703; rev:1; service:http; )
02944 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Kazy Trojan check-in"; flow:to_server,established; http_header; content:"User-Agent: Opera/11 |28|Windows NT 5.1|3B 20 3B| x86|29|"; http_uri; content:"/count.php?page=",depth 16; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157; classtype:trojan-activity; sid:26712; rev:1; service:http; )
# BlackRev rev 1/2/3: same gate.php pattern, distinguished by the parameter
# name (reg= vs id=), the token length/charset in the pcre and the UA string.
02945 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 1 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|reg="; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26713; rev:1; service:http; )
02946 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 2 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|reg="; pcre:"/gate\x2ephp\x3freg=[a-zA-Z]{15}/"; http_header; content:"User-Agent|3A| Mozilla/4.0 (SEObot)|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26714; rev:2; service:http; )
02947 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 3 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|id="; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| SEObot)|0D 0A|"; http_uri; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26715; rev:2; service:http; )
02991 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; http_raw_uri; bufferlen:11; http_header; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; http_uri; pcre:"/^\x2F\d{10}$/"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1; service:http; )
02993 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.KitM outbound connection user-agent"; flow:to_server,established; http_header; content:"User-Agent: macs 1."; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26815; rev:2; service:http; )
03005 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TripleNine RAT beacon attempt"; flow:to_server,established; http_method; content:"GET",depth 3,nocase; http_header; content:"User-Agent: Mozilla/5.0",nocase; content:"Cache-Control: no-cache",nocase; http_uri; content:"/999"; pcre:"/^\/999$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26940; rev:3; service:http; )
# Downloader.Agent pair: identical apart from the requested .dat file. The UA
# has no space after the colon ("User-Agent:Mozilla/4.0") -- that is the
# artefact being matched, not a typo in the rule.
03019 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/opt.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26995; rev:1; service:http; )
03020 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/svc.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26996; rev:1; service:http; )
# "Mozi1la" (digit one) is the indicator; keep the spelling as-is.
03038 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Gamarue Trojan - Mozi1la User-Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozi1la/4.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27248; rev:2; service:http; )
03045 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; flow:to_server,established; http_uri; content:"/ld.aspx",nocase; http_header; content:"User-Agent|3A 20|FWVersionTestAgent|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:27567; rev:1; service:http; )
# MALWARE-OTHER / PUA-ADWARE entries carry lower-severity classtypes
# (successful-recon-limited, misc-activity) and an additional
# connectivity-ips policy tag; they are trackware/adware telemetry, not C2.
03082 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 2"; flow:to_server,established; http_uri; content:"/fs-bin/swat?",nocase; content:"lsnsig=",nocase; content:"offerid=",nocase; http_header; content:"Referer|3A| e2give.com",fast_pattern,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5909; rev:11; service:http; )
# Fixed port 1942 with service:http -- see the port-binding note on the
# Fakeavlock rule above. Note the balanced-ips policy is "alert", not "drop".
03142 alert tcp $HOME_NET any -> $EXTERNAL_NET 1942 ( msg:"MALWARE-OTHER Possible data upload - Bitcoin Miner User Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Ufasoft bitcoin-miner"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26395; rev:2; service:http; )
# MALWARE-TOOLS: the only inbound rules in this listing ($EXTERNAL_NET ->
# $HOME_NET $HTTP_PORTS), i.e. attack tooling hitting local web servers. The
# Havij pcre ties the bare "Havij" content to the User-Agent line so the string
# elsewhere in the headers does not alert.
03176 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-TOOLS Havij advanced SQL injection tool user-agent string"; flow:to_server, established; http_header; content:"Havij"; pcre:"/User-Agent\:[^\x0a\x0d]+?Havij/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,itsecteam.com/en/projects/project1.htm; classtype:attempted-user; sid:21459; rev:3; service:http; )
03177 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-TOOLS slowhttptest DoS tool"; flow:to_server,established; http_header; content:"Referer|3A| http|3A 2F 2F|code.google.com|2F|p|2F|slowhttptest",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,code.google.com/p/slowhttptest/; classtype:attempted-dos; sid:21104; rev:2; service:http; )
# OS-MOBILE: Android information-leak rules. They pair a stock Android client
# UA (Dalvik, Apache-HttpClient/UNAVAILABLE, "Linux; U; Android 2.") with
# device-identifier parameters (imei=, imsi=, msisdn=, phone=) either in the
# URI or in the POST body (http_client_body). The UA alone is generic; the
# parameter set is what carries the detection.
03205 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Tetus device information leakage"; flow:to_server, established; http_header; content:"User-Agent: Dalvik"; http_uri; content:"imei=",nocase; content:"lpn=",nocase; content:"vd=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/855332267ffd1fb671d916822ea2929bef8974441a34cb4d9eb9c9b60ba6481f/analysis/; classtype:trojan-activity; sid:26938; rev:1; service:http; )
03206 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Tetus device information leakage variant"; flow:to_server, established; http_header; content:"User-Agent: Dalvik"; http_uri; content:"imei=",nocase; content:"referrer=",nocase; content:"pid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/855332267ffd1fb671d916822ea2929bef8974441a34cb4d9eb9c9b60ba6481f/analysis/; classtype:trojan-activity; sid:26939; rev:1; service:http; )
03215 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.Opfake device information disclosure attempt"; flow:to_server,established; http_uri; content:"/q.php",nocase; http_header; content:"Apache-HttpClient/UNAVAILABLE (java 1."; http_client_body; content:"log",depth 3,nocase; content:"Executing",distance 0,nocase; content:"sendSMS",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.avast.com/2012/10/31/double-trouble/; classtype:trojan-activity; sid:26827; rev:3; service:http; )
03216 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.Opfake credential theft attempt"; flow:to_server,established; http_uri; content:"/login.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; http_client_body; content:"user_id=",nocase; content:"&password=",distance 0,nocase; content:"&submit=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.avast.com/2012/10/31/double-trouble/; classtype:trojan-activity; sid:26826; rev:3; service:http; )
03218 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakeinst device information leakage"; flow:to_server, established; http_header; content:"Apache-HttpClient/UNAVAILABLE (java 1.4)|0D 0A|"; http_client_body; content:"imei=",nocase; content:"imsi=",nocase; content:"msisdn=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/0a77e1aac4720037e2946edf84d957616e564bd525e444cf3994f5ae4b9374ab/analysis/; classtype:trojan-activity; sid:26761; rev:2; service:http; )
03219 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakeinst device information leakage"; flow:to_server, established; http_header; content:"User-Agent: Dalvik/"; http_uri; content:"imei=",nocase; content:"imsi=",nocase; content:"phone=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/0a77e1aac4720037e2946edf84d957616e564bd525e444cf3994f5ae4b9374ab/analysis/; classtype:trojan-activity; sid:26760; rev:2; service:http; )
03222 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Denofow phone information exfiltration"; flow:to_server,established; http_header; content:"SOAPAction: "; http_client_body; content:"</opname>",nocase; content:"</cell>",nocase; content:"</openmic>",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/fc0417fd719f457f172a5c3fbb8fc155a04f2376b2ca4155395e01a028908038/analysis/; classtype:trojan-activity; sid:26689; rev:2; service:http; )
# MDK and Fakenetflix key on a hard-coded Host header (wap.juliu.net,
# erofolio.no-ip.biz). Infrastructure-based matches like these go stale when
# the operator moves hosts; treat a silent rule as "no longer covering", not
# as "nothing to see".
03224 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android MDK encrypted information leak"; flow:to_server,established; http_header; content:"Host: wap.juliu.net",nocase; http_uri; content:"/control.html?",nocase; http_header; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,androidmalwaredump.blogspot.com/2013/01/androidtrojmdk-aka-androidksapp.html; classtype:trojan-activity; sid:26442; rev:2; service:http; )
03229 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android Fakenetflix email password upload"; flow:to_server,established; http_header; content:"Host|3A| erofolio.no-ip.biz"; http_client_body; content:"email=",nocase; content:"&pass=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99&tabid=2; classtype:trojan-activity; sid:26205; rev:3; service:http; )
03241 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ADRD encrypted information leak"; flow:to_server,established; http_uri; content:".aspx?im=",nocase; http_header; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; content:"Accept-Language: zh-CN, en-US",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:25999; rev:2; service:http; )
03242 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ADRD encrypted information leak"; flow:to_server,established; http_uri; content:".aspx?im=",nocase; http_header; content:"User-Agent: J2ME/UCWEB7.4.0.57"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:25998; rev:2; service:http; )
03254 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android ANDR.Trojan.FakeToken information disclosure attempt"; flow:to_server,established; http_uri; content:"/cp/server.php",nocase; http_header; content:"|28|Linux|3B| U|3B| Android 2."; http_client_body; content:"imei",nocase; content:"sid_1",distance 0,nocase; content:"smsResults",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79/analysis/; classtype:trojan-activity; sid:27094; rev:1; service:http; )
03399 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.Phono post infection download attempt"; flow:to_server,established; http_uri; content:"/playerUpdate2.exe",nocase; http_header; content:"User-Agent|3A 20|phonostar|20|Radio|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6515C764C78F1F1C1067D8C23D4F400004A292E7C3C06175D8D2DDD77A16438C/analysis/; classtype:trojan-activity; sid:23369; rev:2; service:http; )
# desktopmedia pins the domain to the Host line with an anchored pcre
# (/^Host\x3a[^\r\n]*corep\x2Edmcast\x2Ecom/smi); compare the dropspam and
# shopnav rules below, which do not.
03407 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware desktopmedia runtime detection - ads popup"; flow:to_server,established; http_uri; content:"/rep/pop/pop_",nocase; content:"ad_soft_type=",nocase; content:"ad_mid=",nocase; content:"ad_type=",nocase; content:"dm_source=",nocase; http_header; content:"Host|3A|",nocase; content:"corep.dmcast.com",nocase; pcre:"/^Host\x3a[^\r\n]*corep\x2Edmcast\x2Ecom/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8352; rev:7; service:http; )
# LiveSecurityPlatinum matches an empty User-Agent (two spaces then CRLF).
# Style: "nocase" on a pattern with no letters has no effect and can go.
03412 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE LiveSecurityPlatinum.A outbound connection - initial connection"; flow:to_server,established; http_uri; content:"/api/urls/?ts="; http_header; content:"User-Agent|3A 20 20 0D 0A|",nocase; http_uri; pcre:"/\/api\/urls\/\?ts=[a-z0-9]+&affid=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,siri-urz.blogspot.ca/2012/06/live-security-platinum.html; classtype:trojan-activity; sid:23863; rev:3; service:http; )
# dropspam / shopnav: the "Referer|3A| " content and the domain content that
# follows it are two independent http_header matches (no distance/within), so
# the domain string also satisfies the rule if it appears on any other header
# line. An anchored pcre as in the desktopmedia rule, or a relative modifier
# on the second content, would bind it to the Referer line.
03418 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - third party information collection"; flow:to_server,established; http_uri; content:"/d/sr/?",nocase; content:"xargs=",nocase; content:"yargs=",nocase; http_header; content:"Referer|3A| ",nocase; content:"mysearch.dropspam.com/index.php?tpid=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5938; rev:9; service:http; )
03419 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - pass information to its controlling server"; flow:to_server,established; http_uri; content:"/r.php?",nocase; content:"apid=",nocase; content:"ldid=",nocase; content:"tpid=",nocase; content:"ttid=",nocase; content:"uid=",nocase; content:"st=",nocase; content:"cdurl=",nocase; content:"srurl=",nocase; http_header; content:"Referer|3A| ",nocase; content:"mysearch.dropspam.com/index.php?tpid=",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5937; rev:9; service:http; )
03424 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopnav outbound connection - collect information"; flow:to_server,established; http_uri; content:"/dat/bgf/trpix.gif?",nocase; content:"rdm=",nocase; content:"dlv=",nocase; content:"dmn=",nocase; http_header; content:"Referer|3A| ",nocase; content:"search2.ad.shopnav.com/9899/search/results.php",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5889; rev:11; service:http; )
03452 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - pass info to server"; flow:to_server,established; http_uri; content:"/d/sr/?",nocase; content:"xargs=",nocase; content:"yargs=",nocase; http_header; content:"Referer|3A| ",nocase; content:"metaresults.copernic.com",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5886; rev:9; service:http; )
03465 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt"; flow:to_server,established; http_header; content:"Proxy-Connection: Keep-Alive"; content:"Transfer-Encoding: chunked|0D 0A|Content-Length: 40334"; http_uri; content:".dll"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:19124; rev:2; service:http; )
03466 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt"; flow:to_server,established; http_header; content:"Proxy-Connection|3A| Keep-Alive|0D 0A|Okytuasd|3A| AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:16480; rev:3; service:http; )
03488 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS ADFS custom header arbitrary code execution attempt "; flow:to_server,established; http_header; content:"pFilterCtxHdr",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2509; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-070; classtype:attempted-admin; sid:16312; rev:4; service:http; )
03630 alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS IPP memory corruption attempt"; flow:to_server,established; http_header; content:"Content-Type|3A|",nocase; content:"application/ipp",within 20,fast_pattern,nocase; http_client_body; content:"|01|",depth 9; pcre:"/^.{8}\x01[\x37-\x40\x43]/"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; pkt_data; pcre:"/[\x35\x36\x41\x42\x44-\x49]\x00\x00/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-2941; classtype:attempted-admin; sid:23139; rev:2; service:http; )
03631 alert tcp $EXTERNAL_NET any -> $HOME_NET 631 ( msg:"SERVER-OTHER Apple CUPS IPP memory corruption attempt"; flow:to_server,established; http_header; content:"Content-Type|3A|",nocase; content:"application/ipp",within 20,fast_pattern,nocase; http_client_body; content:"|01|",depth 9; pcre:"/^.{8}\x01[\x35\x36\x41\x42\x44-\x49]/"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; pkt_data; pcre:"/[\x37-\x40\x43]\x00\x00/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-2941; classtype:attempted-admin; sid:23138; rev:2; service:http; )
03679 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER lighthttpd connection header denial of service attempt"; flow:to_server,established; http_header; content:"Connection|3A|"; content:",,",distance 0,fast_pattern; pcre:"/^Connection\x3A\s*[^\r\n]*?\x2c\x2c/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5533; classtype:denial-of-service; sid:24805; rev:1; service:http; )
03709 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt"; flow:established,to_server; http_header; content:"SOAPAction|3A|"; pcre:"/SOAPAction\x3A\s*?\x22[^\x22\x23]+?\x23([^\x22]{2048}|[^\x22]+$)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0230; reference:cve,2013-1462; classtype:attempted-admin; sid:25780; rev:1; service:http; )
03720 alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 ( msg:"SERVER-OTHER Squid proxy Accept-Language denial of service attempt"; flow:to_server,established; http_header; content:"Accept-Language|3A 20 2C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1839; classtype:denial-of-service; sid:26379; rev:1; service:http; )
03823 alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 ( msg:"SERVER-WEBAPP IBM Rational Quality Manager and Test Lab Manager policy bypass attempt"; flow:to_server,established; http_uri; content:"/manager",nocase; http_header; content:"Authorization|3A 20|Basic|20|QURNSU46QURNSU4="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44172; reference:cve,2010-4094; classtype:default-login-attempt; sid:19110; rev:3; service:http; )
03857 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Performance Insight Server backdoor account code execution attempt"; flow:to_server,established; http_uri; content:"/services",nocase; http_header; content:"aGNoOTA4djp6NnQwaiQraQ=="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,46079; reference:cve,2011-0276; classtype:attempted-admin; sid:18560; rev:2; service:http; )
03858 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Performance Insight Server backdoor account code execution attempt"; flow:to_server,established; http_uri; content:"/reports",nocase; http_header; content:"aGNoOTA4djp6NnQwaiQraQ=="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,46079; reference:cve,2011-0276; classtype:attempted-admin; sid:18559; rev:2; service:http; )
03939 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; http_header; content:"User-Agent|3A| <SCRIPT>"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; classtype:web-application-attack; sid:26483; rev:1; service:http; )
03945 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Windows 2012 Server additional empty Accept-Encoding field denial of service attempt"; flow:to_server,established; http_header; content:"Accept-Encoding:"; content:"Accept-Encoding:|0D 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1305; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-039; classtype:attempted-dos; sid:26632; rev:1; service:http; )