# BLACKLIST sid 25018: server->client response whose http_header buffer holds a header
# line ending in "malware-sinkhole" CRLF, i.e. the internal host reached a sinkholed
# malware/C2 domain. Tagged impact_flag red (host-compromise indicator); both IPS
# policies drop. Header-only: no body bytes are inspected.
00100 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; http_header; content:"malware-sinkhole|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:25018; rev:3; service:http; )
# BROWSER-IE sid 16423 (CVE-2010-0255, CVE-2010-0555, MS advisory 980088): HTTP redirect
# whose Location header points at file://127.0.0.1, used to pull a local file into the
# Internet zone in IE 7/8. The file://127.0.0.1 literal is the fast pattern; the pcre
# re-checks it on a line beginning "Location:" (multiline, case-insensitive).
00346 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7/8 execute local file in Internet zone redirect attempt"; flow:to_client,established; http_header; content:"|0A|Location|3A|",nocase; content:"file|3A|//127.0.0.1",distance 0,fast_pattern; pcre:"/^Location\x3a[^\n]*file\x3a\x2f\x2f127\x2e0\x2e0\x2e1/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0255; reference:cve,2010-0555; reference:url,technet.microsoft.com/en-us/security/advisory/980088; classtype:attempted-user; sid:16423; rev:8; service:http; )
# BROWSER-IE sid 19245 (CVE-2011-1262, MS11-050): 302 redirect whose Location header
# targets the cdl:// protocol. NOTE(review): "302 Redirect" is matched before the
# http_header sticky buffer is selected, so it is searched in the default (pkt_data)
# buffer; the Location content then uses distance 0 relative to that match across the
# buffer switch. Confirm on the deployed engine that this evaluates as intended
# (http_stat_msg would be the buffer-specific place for the status text).
00357 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt"; flow:to_client,established; content:"302 Redirect",nocase; http_header; content:"Location|3A 20|cdl|3A 2F 2F|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1262; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-admin; sid:19245; rev:4; service:http; )
# EXPLOIT-KIT sid 21344: Blackhole PDF stage. Fires only when the blackhole.pdf flowbit
# was set by an earlier rule (not in this listing), the response is application/pdf, and
# the body contains "arr=" followed by six digit groups joined by one repeated
# single-character separator (pcre backreference \1). NOTE(review): pkt_data follows and
# supersedes file_data, so the body checks run on raw, not decompressed/normalized, data.
# The spaces after the commas in flow/flowbits differ from the rest of the file's style.
00694 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf download"; flow:to_client, established; flowbits:isset, blackhole.pdf; http_header; content:"application/pdf"; file_data; pkt_data; content:"arr="; pcre:"/\d+(.)\d+\1\d+\1\d+\1\d+\1\d+\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21344; rev:3; service:http; )
# EXPLOIT-KIT sid 24787: CritX JAR stage -- Content-Disposition filename of exactly 24
# [a-z0-9] characters plus ".jar" that ends the header line (CRLF). The pcre is
# unanchored, so any header line containing that pattern satisfies it. Header-only.
00758 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit Java Exploit download"; flow:to_client,established; http_header; content:" filename="; content:".jar|0D 0A|",distance 0; pcre:"/filename\=[a-z0-9]{24}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24787; rev:2; service:http; )
# EXPLOIT-KIT sid 24789: CritX PDF stage -- application/pdf, inline Content-Disposition,
# filename of 12 [a-z0-9] then 12 digits plus ".pdf" ending the header line. Header-only.
00760 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit PDF Exploit download attempt"; flow:to_client,established; http_header; content:"application/pdf"; content:"Content-Disposition|3A| inline|3B| filename="; content:".pdf|0D 0A|",distance 0; pcre:"/filename=[a-z0-9]{12}[0-9]{12}\.pdf/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24789; rev:3; service:http; )
# EXPLOIT-KIT sid 24791: CritX PE stage -- same 24-character name shape as sid 24787
# with a ".exe" suffix. None of the three CritX rules inspect body bytes.
00762 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit Portable Executable download"; flow:to_client,established; http_header; content:" filename="; content:".exe|0D 0A|",distance 0; pcre:"/filename\=[a-z0-9]{24}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24791; rev:2; service:http; )
# EXPLOIT-KIT sid 24798 (CVE-2013-0422, community): Content-Disposition filename of
# exactly 8 word characters (".jar" within 4 / distance 8 of "filename=", re-checked by
# the pcre) and a ZIP local-file header PK|03 04| in the first 4 bytes of the body.
# NOTE(review): pkt_data supersedes the preceding file_data, so the PK check is on raw
# (not decompressed/normalized) body data.
00764 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible malicious Jar download attempt - specific-structure"; flow:to_client,established; http_header; content:"|3B 20|filename|3D|",nocase; content:".jar",within 4,distance 8,nocase; pcre:"/filename\x3d\w{8}\.jar/i"; file_data; pkt_data; content:"PK|03 04|",depth 4; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-0422; classtype:trojan-activity; sid:24798; rev:4; service:http; )
# EXPLOIT-KIT sid 25042 (CVE-2012-5076): a PE delivered to a Java user agent. Requires
# the java_user_agent flowbit (set by a request-side rule not in this listing), skips
# responses whose headers name FTB_Launcher.exe (an explicit allow-listed filename), then
# validates the body as a PE: "MZ", a 4-byte little-endian value read 58 bytes after it
# (offset 0x3C, the DOS header's e_lfanew), and "PE|00 00|" at the jump target --
# distance -64 compensates for the 60+4 bytes consumed by the read. "MZ" is not
# depth-anchored, unlike sid 25513. NOTE(review): pkt_data supersedes file_data, so the
# PE walk runs on raw, not decompressed, body data.
00779 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible Exploit Kit"; flow:to_client,established; flowbits:isset,java_user_agent; http_header; content:!"FTB_Launcher.exe",nocase; content:"filename="; file_data; pkt_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cve-2012-5076-massively-adopted.html; classtype:trojan-activity; sid:25042; rev:2; service:http; )
# EXPLOIT-KIT sids 25383-25387: fixed payload names shared by several kits. Each needs
# "filename=" in the headers, the literal name (fast pattern) within N bytes -- one byte
# of slack for a quote, two for readme.exe -- and CRLF within 4 bytes so the name ends
# the header line. Header-only: a renamed payload evades the whole family.
00792 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - info.exe"; flow:to_client,established; http_header; content:"filename="; content:"info.exe",within 9,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25383; rev:2; service:http; )
00793 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - contacts.exe"; flow:to_client,established; http_header; content:"filename="; content:"contacts.exe",within 13,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25384; rev:2; service:http; )
00794 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - calc.exe"; flow:to_client,established; http_header; content:"filename="; content:"calc.exe",within 9,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25385; rev:2; service:http; )
00795 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - about.exe"; flow:to_client,established; http_header; content:"filename="; content:"about.exe",within 10,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25386; rev:2; service:http; )
00796 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - readme.exe"; flow:to_client,established; http_header; content:"filename="; content:"readme.exe",within 12,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25387; rev:2; service:http; )
# EXPLOIT-KIT sid 26349: Redkit "setup.exe" whose first 9 body bytes are a fixed
# obfuscation marker (not an MZ header). These are sample-specific bytes; expect to
# re-key the rule if the packer changes. NOTE(review): pkt_data supersedes the
# preceding file_data, so the marker is checked on raw, not decompressed, body data.
00884 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit obfuscated portable executable"; flow:to_client,established; http_header; content:"filename=setup.exe"; file_data; pkt_data; content:"|8B 7F AA 11 CE 52 0A 3D 76|",depth 9; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26349; rev:2; service:http; )
# EXPLOIT-KIT sid 26508: same header-only shape as the sid 25383-25387 family, keyed on
# "info.dll" (within 9 of "filename=", CRLF within 4). Carries the shared CVE list but
# no URL reference.
00894 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit Payload detection - info.dll"; flow:to_client,established; http_header; content:"filename="; content:"info.dll",within 9,fast_pattern; content:"|0D 0A|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26508; rev:1; service:http; )
# EXPLOIT-KIT sid 26891: Flashpack/Safe/CritX EXE stage, 24 [a-z0-9] characters + ".exe".
# NOTE(review): the buffer sequence is file_data -> http_header ("filename=") ->
# pkt_data (".exe" relative to the header match) -> http_header (pcre). A relative
# content evaluated across a buffer switch looks like a conversion artifact; the final
# pcre on http_header is the effective check (same pattern as sid 24791). Confirm the
# rule still fires on the deployed engine -- if the pkt_data relative match can never
# succeed, the rule is dead.
00924 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit executable download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".exe",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:1; service:http; )
# EXPLOIT-KIT sid 26892: JAR counterpart of sid 26891 with the same buffer sequence and
# the same caveat; the pcre matches sid 24787's pattern.
00925 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit jar file download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".jar",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:1; service:http; )
# EXPLOIT-KIT sid 26947 (CVE-2013-2423, community): DotCache fixed JAR name "atom.jar"
# in the Content-Disposition header. Nothing anchors the end of the name, so e.g.
# "atom.jar.bak" also matches. sids 26947 and 26948 carry an identical msg; only the
# sid tells them apart downstream.
00931 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit inbound java exploit download"; flow:to_client,established; http_header; content:"filename=atom.jar"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:2; service:http; )
# EXPLOIT-KIT sid 26948 (CVE-2013-1493, community): as above for "site.jar".
00932 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit inbound java exploit download"; flow:to_client,established; http_header; content:"filename=site.jar"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:2; service:http; )
# EXPLOIT-KIT sid 27005: body is a PE although the filename declares mp3. "mp3" is
# case-sensitive (no nocase, unlike the "exe" check in sid 27108), must be within 25
# bytes of "filename=", with CRLF within 4 bytes after it. PE validation is the same
# MZ / e_lfanew / PE|00 00| walk as sid 25042; "MZ" is not depth-anchored. No reference
# is given. NOTE(review): pkt_data supersedes file_data, so the walk runs on raw data.
00944 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit Portable Executable downloaded when mp3 is declared"; flow:to_client,established; http_header; content:"filename="; content:"mp3",within 25; content:"|0D 0A|",within 4; file_data; pkt_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27005; rev:3; service:http; )
# EXPLOIT-KIT sid 27108: body is a ZIP/JAR although the filename declares exe ("exe",
# nocase, within 25 bytes of "filename="). NOTE(review): "PK" is not depth-anchored
# (sid 26292 uses depth 2), so any "PK" anywhere followed later by ".class" matches;
# and pkt_data supersedes file_data, so this is raw, not decompressed, body data.
00966 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared"; flow:to_client,established; http_header; content:"filename="; content:"exe",within 25,nocase; file_data; pkt_data; content:"PK"; content:".class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27108; rev:1; service:http; )
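# EXPLOIT-KIT sid 27140: "Private" exploit kit payload named with exactly four digits
# plus ".exe" (".exe" within 4 / distance 4 of "filename=", confirmed by the pcre).
# Header-only check. rev 1 -> 2: msg typo "dowload" corrected to "download"; detection
# options are unchanged.
00970 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit numerically named exe file download"; flow:to_client,established; http_header; content:"filename="; content:".exe",within 4,distance 4; pcre:"/filename\=\d{4}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27140; rev:2; service:http; )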
# FILE-IDENTIFY sid 21288: no alert (flowbits:noalert); sets the file.xml flowbit when
# Content-Type is text/xml (within 20 bytes of "Content-Type:", case-insensitive) so
# later rules can key on it. application/xml is not covered by this pattern.
01342 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML download detected"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; content:"text/xml",within 20,fast_pattern,nocase; flowbits:set,file.xml; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21288; rev:6; service:http; )
# FILE-IDENTIFY sid 25513: no alert; sets file.exe when Content-Type is
# application/octet-stream (pcre anchors it at a header line start) and the data begins
# with "MZ" (within 2 of the buffer start). $FILE_DATA_PORTS covers http/imap/pop3.
# NOTE(review): pkt_data supersedes file_data, so "MZ" is checked against raw, not
# decompressed/normalized, data -- confirm that is intended for the flowbit.
01599 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; http_header; content:"application/octet-stream",fast_pattern,nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smi"; file_data; pkt_data; content:"MZ",within 2; flowbits:set,file.exe; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:25513; rev:1; service:http; service:imap; service:pop3; )
# FILE-IDENTIFY sid 25514: as sid 25513 for Content-Type application/x-msdos-program,
# with the same buffer caveat.
01600 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; http_header; content:"application/x-msdos-program",fast_pattern,nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/smi"; file_data; pkt_data; content:"MZ",within 2; flowbits:set,file.exe; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:25514; rev:1; service:http; service:imap; service:pop3; )
# FILE-JAVA sid 26292: filename declares .zip (ending the header line) but the body is
# a JAR: "PK" in the first 2 bytes and ".class" somewhere after it. Dropped in both
# IPS policies yet carries no reference. NOTE(review): pkt_data supersedes file_data,
# so the body check is on raw, not decompressed, data.
01699 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Jar file downloaded when zip is defined"; flow:to_client,established; http_header; content:"filename="; content:".zip|0D 0A|",distance 0; file_data; pkt_data; content:"PK",depth 2; content:".class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26292; rev:2; service:http; )
# FILE-OTHER sid 16550 (CVE-2010-0886, CVE-2010-1423, BID 39346): Java Deployment
# Toolkit argument injection -- the java-deployment-toolkit MIME type in the headers
# and a body containing "http:" whitespace "-J-jar" whitespace "-J<path>.jar", i.e.
# JVM options smuggled through the launch URL. NOTE(review): pkt_data supersedes
# file_data, so the body match is on raw, not decompressed, data.
02250 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - java-deployment-toolkit"; flow:to_client,established; http_header; content:"application/java-deployment-toolkit",nocase; file_data; pkt_data; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16550; rev:5; service:http; )
# FILE-OTHER sid 16549: same detection as sid 16550, keyed on the
# application/npruntime-scriptable-plugin;deploymenttoolkit MIME type.
02251 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - npruntime-scriptable-plugin"; flow:to_client,established; http_header; content:"application/npruntime-scriptable-plugin|3B|deploymenttoolkit",nocase; file_data; pkt_data; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16549; rev:5; service:http; )
# INDICATOR-COMPROMISE sid 26528 (community): Cdorked-style redirect -- a Location
# header to a host whose name starts with 16 hex characters and a path of
# /index.php?<letter>=<100+ chars containing no & or newline>. "/index.php?" supplies
# the fast pattern; the pcre is anchored at a header line start. impact_flag red.
02428 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt"; flow:to_client,established; http_header; content:"/index.php?"; pcre:"/^Location:\s*?https?\x3a\x2f{2}[0-9a-f]{16}[^/]+?\/index.php\?[a-z]=[^&\r\n]{100}/im"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26528; rev:1; service:http; )
# MALWARE-OTHER sids 25578/25579/25580/26261: phishing lures. Content-Disposition
# filename is a fixed .zip name ending the header line, and the body contains the same
# base name with ".exe" (relies on the ZIP directory storing entry names in the clear).
# sids 25578 and 26261 share an identical msg; only the sid distinguishes them. The
# reference is a time-boxed urlquery search (Jan 2013) and may no longer resolve.
# NOTE(review): pkt_data supersedes file_data, so the body match is on raw data.
03135 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|"; file_data; pkt_data; content:"PostalReceipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:2; service:http; )
03136 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingInfo.zip|0D 0A|"; file_data; pkt_data; content:"BookingInfo.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:2; service:http; )
03137 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingDetails.zip|0D 0A|"; file_data; pkt_data; content:"BookingDetails.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:2; service:http; )
03140 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|"; file_data; pkt_data; content:"Postal-Receipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:1; service:http; )
# MALWARE-OTHER sid 26369: two Server headers in one response. NOTE(review): the first
# pattern is "Server: Apache" (with a space) and the second "Server:nginx" (no space),
# so a response carrying "Server: nginx" does not match -- confirm the missing space is
# the intended fingerprint rather than a typo. No reference is given for this indicator.
03141 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Double HTTP Server declared"; flow:to_client,established; http_header; content:"Server|3A| Apache"; content:"Server|3A|nginx"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26369; rev:1; service:http; )
# MALWARE-OTHER sid 21849 (community): Sutra TDS -- a header line ending in
# /in.cgi?<1-2 digits> (pcre "$" with /m). Unlike most rules in this file only the
# security-ips policy drops; balanced-ips alerts only. impact_flag red.
03148 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; http_header; content:"/in.cgi"; pcre:"/\x2Fin\.cgi\?\d{1,2}$/smi"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:7; service:http; )
# MALWARE-OTHER sid 26660 (community): fake delivery-information lure. The header
# filename starts with "Delivery_Information_ID-" and the body carries the same prefix
# with ".exe" within 50 bytes (the archive entry name). No reference. NOTE(review):
# pkt_data supersedes file_data, so the body match is on raw, not decompressed, data.
03151 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake delivery information phishing attack"; flow:to_client,established; http_header; content:"|3B| filename="; content:"Delivery_Information_ID-"; file_data; pkt_data; content:"Delivery_Information_ID-"; content:".exe",within 50; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26660; rev:1; service:http; )
# SERVER-OTHER sid 13520 (CVE-2008-0065): Winamp Ultravox metadata overflow, on the
# explicit ports 80/8090 rather than $HTTP_PORTS. Expects misc/ultravox in the headers
# and a frame of 0x5A, one skipped byte, 0x39 0x01, then an <artist> tag with at least
# 266 bytes following (isdataat) and no </artist> within 256 of them. NOTE(review):
# pkt_data supersedes file_data, so the frame is checked on raw data.
03737 alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; http_header; content:"misc/ultravox"; file_data; pkt_data; content:"|5A|",within 1; content:"|39 01|",within 2,distance 1; content:"<artist>",distance 0,nocase; isdataat:266,relative; content:!"</artist>",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0065; classtype:attempted-user; sid:13520; rev:7; service:http; )
# SERVER-OTHER sid 20110: as sid 13520 for the <name> tag.
03738 alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; http_header; content:"misc/ultravox"; file_data; pkt_data; content:"|5A|",within 1; content:"|39 01|",within 2,distance 1; content:"<name>",distance 0,nocase; isdataat:266,relative; content:!"</name>",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0065; classtype:attempted-user; sid:20110; rev:4; service:http; )
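# SERVER-OTHER sid 14040 (CVE-2008-2935, BID 30467): libxslt crypto:rc4_encrypt/decrypt
# called with a single-quoted key of 129+ characters (pcre [^\x27]{129}); double-quoted
# keys are not covered. Header check: Content-Type text/xml within 20 bytes.
# rev 11 -> 12: file_data inserted before "xsl:transform". Previously the http_header
# sticky buffer was still active, so the stylesheet body patterns (and the pcre) were
# searched in the headers and the rule could not fire on a real XSLT body.
03742 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; content:"text/xml",within 20,nocase; file_data; content:"xsl|3A|transform"; content:"crypto|3A|rc4_",nocase; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30467; reference:cve,2008-2935; classtype:attempted-user; sid:14040; rev:12; service:http; )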
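# SERVER-OTHER sid 14041 (CVE-2008-2935, BID 30467): variant of sid 14040 keyed on
# "xsl:version" instead of "xsl:transform"; same 129+ character single-quoted RC4 key
# check, text/xml Content-Type (not distance-limited here).
# rev 13 -> 14: file_data inserted before "xsl:version". Previously the http_header
# sticky buffer was still active, so the body patterns and the pcre were searched in the
# headers and the rule could not fire on a real XSLT body.
03743 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt - 2"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; content:"text/xml",nocase; file_data; content:"xsl|3A|version"; content:"crypto|3A|rc4_",nocase; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30467; reference:cve,2008-2935; classtype:attempted-user; sid:14041; rev:14; service:http; )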
END OF CODE