# Snort 3 rule excerpt, one rule per line. Sticky buffers (http_uri / http_header / http_cookie /
# http_client_body / http_raw_uri) select the normalised HTTP field the following content/pcre options
# apply to; pkt_data switches back to the raw packet payload, which is not normalised, so a content
# placed after pkt_data only sees the bytes exactly as sent.
# NOTE(review): the leading five-digit prefix on every line is not Snort syntax; it looks like an index
# added by the listing tool and would have to be stripped before this text is loaded as a rules file.

# sid 5808 (BLACKLIST): outbound HTTP whose raw payload contains "User-Agent: SAH Agent" (case-sensitive,
# no header buffer selected, so the match is not limited to the header section). Drop in all three policies.
00092 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:misc-activity; sid:5808; rev:9; service:http; )
# sid 25043 (Blackhole v2 EK): URI of the form .php?<key>=xx:xx:xx:xx:xx&<key>= — the http_uri content and the
# four fixed-gap ":" checks pre-filter, the anchored pcre is the precise match. The cve references are
# informational; the rule matches URL shape only.
00780 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 url structure detected"; flow:to_server,established; http_uri; content:".php?"; content:"|3A|",within 7,distance 2; content:"|3A|",within 1,distance 2; content:"|3A|",within 1,distance 2; content:"|3A|",within 1,distance 2; pkt_data; content:"&",distance 0; http_uri; pcre:"/\.php\?[a-z]{2,8}=[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\&[a-z]{2,8}=/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25043; rev:1; service:http; )
# sid 25540 (Red Dot EK): ordered nocase URI sequence /load.php?guid= ... &thread= ... &exploit= ... &version=,
# then &rnd= in the raw payload.
00802 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Red Dot executable retrieval attempt"; flow:to_server,established; http_uri; content:"/load.php?guid=",nocase; content:"&thread=",distance 0,nocase; content:"&exploit=",distance 0,nocase; content:"&version=",within 9,distance 1,nocase; pkt_data; content:"&rnd=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25540; rev:1; service:http; )
# sid 26229 (Cool EK): raw URI length pinned to 21 bytes, which is exactly the length of
# "/world/MyApplet.class", so only the bare path (no query string) matches.
00863 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Cool exploit kit MyApplet class retrieval"; flow:to_server,established; http_raw_uri; bufferlen:21; pkt_data; content:"/world/MyApplet.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26229; rev:2; service:http; )
# sid 26377 (Redkit EK): 8-byte raw URI = "/" + a 3-character name containing at least one digit + ".jar" (see the
# pcre), a " Java/1" User-Agent fragment in the header buffer, and a java-archive content-type string in the raw
# payload (fast_pattern_offset/length 20 hand a 20-byte slice of that string to the fast-pattern matcher).
00887 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit java exploit request"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:".jar"; http_header; content:" Java/1"; pkt_data; content:"content-type|3A| application/x-java-archive",fast_pattern,fast_pattern_offset 20,fast_pattern_length 20; http_uri; pcre:"/\/([0-9][0-9a-z]{2}|[0-9a-z][0-9][0-9a-z]|[0-9a-z]{2}[0-9])\.jar$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26377; rev:3; service:http; )
# sid 26458 (FILE-IDENTIFY): tags a flow that requests a .asx URI via flowbits:set,file.asx. flowbits:noalert
# means this rule never alerts on its own; it only feeds rules that test that flowbit. No drop policy is listed.
01637 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Stream redirector file download request"; flow:to_server,established; content:".asx"; http_uri; pcre:"/\x2easx([\?\x5c\x2f]|$)/smi"; flowbits:set,file.asx; flowbits:noalert; metadata:service http; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26458; rev:1; service:http; )
# sid 20184 (INDICATOR-SHELLCODE): direction is $EXTERNAL_NET -> $HOME_NET, i.e. traffic towards a local web
# server; the raw payload must contain the PHP meterpreter stub text $GLOBALS['msgsock_type'] = $s_type;\neval.
02503 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-SHELLCODE Metasploit php meterpreter stub .php file upload"; flow:established,to_server; content:"|24|GLOBALS|5B 27|msgsock_type|27 5D| = |24|s_type|3B 0A|eval"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20184; rev:3; service:http; )
# sid 23341 (Tinrot): outbound to port 80 only (a literal, not $HTTP_PORTS) and no service tag; payload bytes 0-3
# must be A0 00 00 00 and bytes 8-11 must be 98 00 00 00 (depth 4, then distance 4 / within 4 pins the second
# match to exactly offset 8).
02522 alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection"; flow:to_server,established; content:"|A0 00 00 00|",depth 4; content:"|98 00 00 00|",within 4,distance 4; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/latest-report.html?resource=e181424c4fb8bcde4aae154bf3ecb14d; classtype:trojan-activity; sid:23341; rev:4; )
# sids 16486 / 16487 / 16488 / 25015 (Arucer backdoor, CVE-2010-0103): inbound to port 7777, one fixed binary blob
# per command (all share the prefix C2 E5 E5 E5 9E and the suffix 98 E5). The command-execution and NOP rules
# carry impact_flag red, the other two do not.
02549 alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309; classtype:trojan-activity; sid:16486; rev:4; )
02550 alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309; classtype:trojan-activity; sid:16487; rev:3; )
02551 alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309; classtype:trojan-activity; sid:16488; rev:3; )
02552 alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309; classtype:trojan-activity; sid:25015; rev:1; )
# sid 26529 (Cdorked): inbound POST to a local web server whose Cookie line is solely SECID=<value> (the raw-header
# pcre is anchored ^...$ in multiline mode and forbids ";", so no other cookies) and whose URI ends in "?" + 4 hex chars.
02561 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Unix.Backdoor.Cdorked backdoor command attempt"; flow:to_server,established; content:"SECID="; http_cookie; content:"SECID=",depth 6; http_method; content:"POST"; http_raw_header; pcre:"/^Cookie\x3a\s?SECID=[^\x3b]+?$/m"; http_uri; pcre:"/\?[a-f0-9]{4}$/mi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26529; rev:3; service:http; )
# sid 23261 (Pushbot): raw payload contains "User-Agent: cvc_v105" (case-sensitive, no header buffer).
02585 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC known command and control traffic - Pushbot"; flow:to_server,established; content:"User-Agent|3A| cvc_v105"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:23261; rev:3; service:http; )
# sid 22058 (Kbot): URI contains s_get_host.php?ver= and the raw request is HTTP/1.0.
02594 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_get_host.php?ver="; pkt_data; content:"HTTP/1.0"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5f281de6faf1793f622f049f2359e09fd4fbd744f43e3fd0fdb0cbcc812fa3af/analysis/; classtype:trojan-activity; sid:22058; rev:4; service:http; )
# sids 22034 / 22033 (OSX Flashback): URI /auupdate/, then the bytes after "User-Agent:" are base64-decoded.
# NOTE(review): pkt_data follows base64_data here, so the "|x86_64|10." / "|i386|10." content appears to be
# tested against the raw packet rather than the decoded data (compare sid 21318 below, where the decoded
# content follows base64_data directly) — confirm against the original rule before relying on these.
02601 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware outbound connection"; flow:to_server,established; http_uri; content:"/auupdate/",fast_pattern; http_header; content:"User-Agent|3A|"; base64_decode:relative; base64_data; pkt_data; content:"|7C|x86_64|7C|10."; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:22034; rev:3; service:http; )
02602 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Apple OSX Flashback malware outbound connection"; flow:to_server,established; http_uri; content:"/auupdate/",fast_pattern; http_header; content:"User-Agent|3A|"; base64_decode:relative; base64_data; pkt_data; content:"|7C|i386|7C|10."; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:22033; rev:3; service:http; )
# sids 21565 / 21564 / 21563 (Kelihos): HTTP/1.0 request for /wsouth1.exe, /jucheck.exe, or /rtce0<...>.exe.
02621 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/wsouth1.exe"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/file/bdec740dcbda605694bfa2bc9f463bec4e401f331d1452a5437222cf53b9d5d0/analysis/; classtype:trojan-activity; sid:21565; rev:2; service:http; )
02622 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/jucheck.exe"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/latest-report.html?resource=B49BCE1778F76F7D59909790B93CBB86; classtype:trojan-activity; sid:21564; rev:2; service:http; )
02623 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.Kelihos variant outbound connection"; flow:to_server,established; http_uri; content:"/rtce0"; content:".exe",distance 0; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/latest-report.html?resource=B49BCE1778F76F7D59909790B93CBB86; classtype:trojan-activity; sid:21563; rev:2; service:http; )
# sid 21538 (Dofoil): .exe in the URI, HTTP/1.0, a User-Agent header that is exactly "Mozilla/4.0", and no
# Accept: header at all (negated content in the header buffer).
02629 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC W32.Dofoil variant outbound payload request"; flow:to_server,established; http_uri; content:".exe"; pkt_data; content:"HTTP/1.0"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; content:!"Accept|3A|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21538; rev:3; service:http; )
# sid 21440 (Murofet): URI .php?w=<digits>&n=<digits> (pcre) over HTTP/1.0.
02653 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Murofet variant outbound connection"; flow:to_server,established; http_uri; content:".php?w=",nocase; content:"&n=",distance 0; pcre:"/\.php\x3fw\x3d\d+\x26n\x3d\d+/"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/aeab4913c8bb1f7f9e40258c323878969b439cf411bb2acab991bba975ada54e/analysis/; classtype:trojan-activity; sid:21440; rev:6; service:http; )
# sid 21318 (FakeAV / PurpleHaze): "Accept-Language: en-US" immediately followed by a "Mozilla/4.0 (compatible"
# User-Agent, no Referer; "GET /" at the very start of the raw payload, and the bytes after it, base64-decoded,
# must contain "cl|1.6|" and later "|161".
02662 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FakeAV TDSS/PurpleHaze outbound connection - base64 encoded"; flow:to_server,established; http_header; content:"Accept-Language|3A 20|en-US|0D 0A|User-Agent|3A 20|Mozilla/4.0|20|(compatible"; content:!"Referer"; pkt_data; pkt_data; content:"GET /",depth 5; base64_decode:relative; base64_data; content:"cl|7C|1.6|7C|"; content:"|7C|161",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html; classtype:trojan-activity; sid:21318; rev:5; service:http; )
# sid 20204 (Taidoor): the pcre pins the whole URI to /<5 letters>.php?id=0<5 digits>111D30<6 alnum>;
# the two content options only pre-filter.
02686 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Taidoor outbound connection"; flow:to_server,established; content:".php?id=0",nocase; http_uri; content:"111D30",fast_pattern,nocase; pcre:"/^\/[a-z]{5}\.php\?id=0\d{5}111D30[a-zA-Z0-9]{6}$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0611; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; reference:url,www.virustotal.com/file-scan/report.html?id=145d64f38564eafa4fb5da0722c0e7348168024d32ada5cfb37a49f5811cb6b8-1315612892; classtype:trojan-activity; sid:20204; rev:4; service:http; )
# sid 19995 (Waledac): POST to a /<letters>.png URI whose raw payload carries "\na=" followed by "&b=AAAAAA" (fast pattern).
02690 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Waledac outbound connection"; flow:to_server,established; http_method; content:"POST",nocase; http_uri; content:".png"; pkt_data; content:"|0A|a=",nocase; content:"&b=AAAAAA",distance 0,fast_pattern,nocase; http_uri; pcre:"/\x2F[a-z]+\x2epng/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=6075bdd818db6d78a0ecd889383e09c61900c1735a00c5948dde4e27d17a4c65-1245685985; classtype:trojan-activity; sid:19995; rev:3; service:http; )
# sid 19730 (KukuBot): URI /mrow_pin/?id plus a "User-Agent: KUKU v" line in the raw payload (nocase).
02701 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.KukuBot.A outbound connection"; flow:to_server,established; http_uri; content:"/mrow_pin/?id",nocase; pkt_data; content:"|0A|User|2D|Agent|3A 20|KUKU v",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d9c46ecfc91366f43bf1a8e0172465fb3918cf3cf9339de82d47f5d8b1c84a75-1311886018; classtype:trojan-activity; sid:19730; rev:3; service:http; )
# sid 19657 (FakeAV): flow:to_server without "established", so it is not restricted to established sessions; URI
# /1020 + 6-16 digits, and "Windows NT 5.1)\r\n", "Accept: */*\r\n", "Connection: close\r\n\r\n" must be
# directly adjacent in the raw payload (within 13 / within 21 equal the lengths of those strings).
02712 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC FakeAV variant traffic"; flow:to_server; http_uri; content:"/1020",depth 5; pkt_data; content:"Windows NT 5.1)|0D 0A|"; content:"Accept: */*|0D 0A|",within 13; content:"Connection: close|0D 0A 0D 0A|",within 21; http_uri; pcre:"/\x2f1020\d{6,16}$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=01631197b30df842136af481372f266ebbd9eabb392d4a6554b88d4e23433363-1309345508; classtype:trojan-activity; sid:19657; rev:5; service:http; )
# sid 19590 (Savnut.B): ordered nocase raw-payload sequence &id= ... &version ... &vendor= ... &do= ... &check=chck;
# no HTTP buffer is used, so the fields may sit in the URI or the body.
02713 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Savnut.B outbound connection"; flow:to_server,established; content:"&id=",nocase; content:"&version",distance 0,nocase; content:"&vendor=",distance 0,nocase; content:"&do=",distance 0,nocase; content:"&check=chck",distance 0,fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=4aad64ad4f2517983051818a818e449599f79ade89af672d0e90af53dcfff044-1307979492; classtype:trojan-activity; sid:19590; rev:5; service:http; )
# sid 18715 (Ozdok): outbound to port 80 only, no service tag; the 8-byte marker must sit exactly at payload
# offset 2 (depth 8 starting at offset 2 leaves room for only one position).
02731 alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-CNC Ozdok botnet communication with C&C server"; flow:to_server,established; content:"|DB FD 37 7F 11 01 B9 E5|",depth 8,offset 2; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.threatexpert.com/report.aspx?md5=254127ba9396a3b52c3755cce44ade03; classtype:trojan-activity; sid:18715; rev:4; )
# sids 18459 / 18458 (Night Dragon): 68 57 24 13 at payload bytes 12-15 plus a 2-byte value at bytes 0-1
# (03 50 = keepalive, 01 50 = beacon; the second content has depth 2 and no distance, so it is absolute, not
# relative to the first). Drop in all three policies.
02733 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Night Dragon keepalive message"; flow:to_server,established; content:"|68 57 24 13|",depth 4,offset 12; content:"|03 50|",depth 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18459; rev:3; service:http; )
02734 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Night Dragon initial beacon"; flow:to_server,established; content:"|68 57 24 13|",depth 4,offset 12; content:"|01 50|",depth 2; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:18458; rev:3; service:http; )
# sid 19484 (Agent.alqt): payload begins with 47 68 30 73 74, i.e. the ASCII string "Gh0st" (depth 5).
02776 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.alqt variant outbound connection"; flow:to_server,established; content:"|47 68 30 73 74|",depth 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=9c86fa9e7b4a8b10cc2a21d5b89ae310; classtype:trojan-activity; sid:19484; rev:6; service:http; )
# sid 19348 (FraudLoad.emq): URI /fff9999.php and the string mgjmnfgbdfb.com somewhere in the raw payload.
02790 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.FraudLoad.emq outbound connection"; flow:to_server,established; http_uri; content:"/fff9999.php"; pkt_data; content:"mgjmnfgbdfb|2E|com"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3794798f5eeb53dd71001e4454f006c871eb7c9085e1bf5336efa07b70d7b38d-1246897098; classtype:trojan-activity; sid:19348; rev:6; service:http; )
# sid 16289 (Clob): flow:to_server without "established"; a single nocase raw-payload content /l1/ms32clod.dll, no URI buffer.
02793 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Clob bot traffic"; flow:to_server; content:"/l1/ms32clod.dll",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=1474e6d74aa29127c5d6df716650d724; classtype:trojan-activity; sid:16289; rev:2; service:http; )
# sids 16268 / 16269 (TDSS install-time): a URI prefix (/tdss/ or /botmon/readdata/) combined with a Host: header
# for the domain named in the msg, matched nocase in the raw payload rather than the header buffer.
02794 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.tdss.1.gen install-time detection - yournewsblog.net"; flow:to_server,established; http_uri; content:"/tdss/"; pkt_data; content:"Host|3A| yournewsblog.net",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16268; rev:5; service:http; )
02795 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan.tdss.1.gen install-time detection - findzproportal1.com"; flow:to_server,established; http_uri; content:"/botmon/readdata/"; pkt_data; content:"Host|3A| findzproportal1.com",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16269; rev:5; service:http; )
# sid 7116 (y3k ICQ notification): ordered nocase raw-payload sequence from=Y3K ... Server ... fromemail=y3k ...
# subject=Y3K ... online. Drop in all three policies.
02797 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC y3k 1.2 variant outbound connection icq notification"; flow:to_server,established; content:"from=Y3K",nocase; content:"Server",distance 0,nocase; content:"fromemail=y3k",distance 0,nocase; content:"subject=Y3K",distance 0,nocase; content:"online",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7116; rev:7; service:http; )
# sid 24169 (Zbot): "POST" anywhere in the raw payload and a fixed 34-byte binary blob starting 78 9C (the second
# content is not position-relative to the first).
02800 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; content:"|78 9C 2B 4B 2D B2 35 54 CB C9 4F CF CC B3 CD 2E CD CE 49 4C CE 48 2D 53 CB 4D 4C 2E CA 2F 4E 2D 8E 2F|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/14429942c5fa23cb0364880280c92f2122f22a60cd3f5c1cff3662ecfd92a8d5/analysis/; classtype:trojan-activity; sid:24169; rev:1; service:http; )
# sid 24285 (Nomno): "c=" and "shell_exec" both in the raw payload and again inside the normalised Cookie buffer;
# balanced-ips is alert here, not drop.
02811 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nomno variant outbound connection"; flow:to_server,established; content:"c|3D|"; content:"shell|5F|exec"; http_cookie; content:"c|3D|"; content:"shell|5F|exec"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24285; rev:3; service:http; )
# sid 24494 (Vundo): /images2/ followed by at least 500 more bytes (isdataat:500,relative), and a URI pcre
# requiring the path to start with /images2/ followed by 500 or more hex characters.
02823 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"/images2/",nocase; isdataat:500,relative; http_uri; pcre:"/^\/images2\/[0-9a-fA-F]{500,}/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24494; rev:2; service:http; )
# sid 24523 (MautoitRAT): outbound to port 81, plaintext "SISTEMA= ", "PASS= ", "COMPUTER= " fields; no service tag.
02829 alert tcp $HOME_NET any -> $EXTERNAL_NET 81 ( msg:"MALWARE-CNC Win.Backdoor.MautoitRAT variant outbound connection"; flow:to_server,established; content:"SISTEMA= "; content:"PASS= "; content:"COMPUTER= "; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/4245935950f1423fee4531a945634985ac15e04f5a99d5b1599449c5078ac366/analysis/; classtype:trojan-activity; sid:24523; rev:2; )
# sid 25054 (ZeroAccess clickserver): raw URI exactly 95 bytes, consistent with the nocase pcre
# ^/[A-Z\d]{83}=[A-Z\d]{10}$ (1 + 83 + 1 + 10), plus " HTTP/1.0\r\nHost:" in the raw request. Community ruleset.
02849 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; http_raw_uri; bufferlen:95; pkt_data; content:" HTTP/1.0|0D 0A|Host:"; http_uri; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25054; rev:3; service:http; )
# sid 25071 (Macnsed): /gtskinfo.aspx plus ver=, m=, p= (nocase, not position-relative); the two-character contents
# match almost any request, so the specificity comes from the /gtskinfo.aspx string alone.
02851 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WIN.Trojan.Macnsed variant outbound connection"; flow:to_server,established; content:"/gtskinfo.aspx"; content:"ver=",nocase; content:"m=",nocase; content:"p=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/f32f4af269d5cfd038d7f3c421d4d725fcbd8469a7c8327845dbf03626aef0f2/analysis/; classtype:trojan-activity; sid:25071; rev:2; service:http; )
# sid 25249 (Basutra): outbound to port 110 or 8080 with service pop3; payload begins with 7E 77 6F 6F 6F 6F (ASCII "~woooo").
02857 alert tcp $HOME_NET any -> $EXTERNAL_NET [110,8080] ( msg:"MALWARE-CNC Win.Trojan.Basutra variant outbound connection"; flow:to_server,established; content:"|7E 77 6F 6F 6F 6F|",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service pop3; reference:url,www.virustotal.com/file/1F8FB6C3EEEB6F17A6D08094B3154DF2C517BFB52698E72DBF8D197A201941A3/analysis/; classtype:trojan-activity; sid:25249; rev:1; service:pop3; )
# sid 25609 (Banker): URI /insert.php with nome_pc= and opcao= in the raw payload (nocase).
02879 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; http_uri; content:"/insert.php"; pkt_data; content:"nome_pc=",nocase; content:"opcao=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25609; rev:1; service:http; )
# sid 25627 (Reventon): $HTTP_PORTS or 443; payload shorter than 7 bytes (dsize:<7) containing 9A 02 00 00. Community ruleset.
02882 alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] ( msg:"MALWARE-CNC Win.Trojan.Reventon variant outbound communication"; flow:to_server,established; dsize:<7; content:"|9A 02 00 00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da2381685b1aa0aa3cd503589bbc59daf81eb/analysis/; classtype:trojan-activity; sid:25627; rev:3; service:http; )
# sid 25829 (Banker FTC): raw URI length 18 = exactly "/listas/out/si.php"; "HTTP/1.0\r\n" is pinned to raw
# payload offset 24 (depth 10, offset 24), which is where it lands after a 5-character method, the 18-byte URI
# and a space (e.g. POST — a GET request would place it at offset 23).
02894 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Banker FTC variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:18; http_uri; content:"/listas/out/si.php"; pkt_data; content:"HTTP/1.0|0D 0A|",depth 10,offset 24; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx; classtype:trojan-activity; sid:25829; rev:2; service:http; )
# sid 26657 (Shiz): GET with URI starting /login.php, Referer http://www.google.com and an "MSIE 2.0" User-Agent,
# over HTTP/1.0. The repeated pkt_data is redundant (both select the raw payload).
02930 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Shiz outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/login.php",depth 10; http_header; content:"Referer|3A| http://www.google.com"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 2.0|3B|"; pkt_data; pkt_data; content:"HTTP/1.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,camas.comodo.com/cgi-bin/submit?file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6; reference:url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6/analysis/1368563326/; classtype:trojan-activity; sid:26657; rev:2; service:http; )
# sid 26696 (Cbeplay ransomware): request line plus multipart Content-Type inside the first 70 raw bytes, a fixed
# Connection / Cache-Control / Content-Length header order, and a multipart part named "data" carrying a
# filename; balanced-ips is alert, not drop.
02941 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cbeplay Ransomware outbound connection - Abnormal HTTP Headers"; flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Content-Type: multipart/form-data|3B| boundary=",depth 70; http_header; content:"|0D 0A|Connection: close|0D 0A|Cache-Control: no-cache|0D 0A|Content-Length: "; http_client_body; content:"|3B| name=|22|data|22 3B| filename=|22|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26696; rev:2; service:http; )
# sid 26722 (Bancos): request for /imagens/...jpg whose entire header block is pinned by the pcre (letters-only
# User-Agent, Host under .com.br, nothing after the blank line); the ".com.br\r\n\r\n" content pre-filters.
02951 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; http_uri; content:"/imagens/",depth 9; content:".jpg",distance 0; pkt_data; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26722; rev:1; service:http; )
# sid 26723 (Downloader7): raw payload ends its headers with ".lavaibrasilok.com\r\n\r\n", "; MSIE " appears in the
# header buffer, and there is no Accept-Language header (negated content).
02952 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Downloader7"; flow:to_server,established; content:".lavaibrasilok.com|0D 0A 0D 0A|"; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html; classtype:trojan-activity; sid:26723; rev:1; service:http; )
# sid 26775 (Blocker): raw URI length 11 = exactly "/index.html", GET, headers ending
# ".info\r\nCache-Control: no-cache\r\n\r\n"; the pcre additionally fixes the User-Agent then Host line order (Host under .info).
02981 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Blocker outbound connection HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:11; http_method; content:"GET"; http_uri; content:"/index.html"; pkt_data; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:1; service:http; )
# sid 26924 (Gozi): raw URI length within the 255<>260 bufferlen range, shaped /<letters>.php?<key>=<base64-like
# value ending in "=">, with "= HTTP/1." in the raw request line.
03002 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:255<>260; pkt_data; content:"= HTTP/1."; http_uri; content:".php?"; http_raw_uri; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26924; rev:1; service:http; )
# sid 26987 (Cyvadextr): URI fetch.py, "method=POST&encoded_path" (nocase) in the raw payload, and
# &headers= / &postdata= / &version= in the client body.
03018 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection"; flow:to_server,established; http_uri; content:"fetch.py"; pkt_data; content:"method|3D|POST|26|encoded|5F|path",nocase; http_client_body; content:"|26|headers|3D|"; content:"|26|postdata|3D|"; content:"|26|version|3D|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/33774900681b25519d0b023d6d78a043cc2dff0a21d6f6df89e314c91118c0fd/analysis; classtype:trojan-activity; sid:26987; rev:1; service:http; )
# sids 26995 / 26996 (Downloader.Agent): /opt.dat or /svc.dat over HTTP/1.0 with the header
# "User-Agent:Mozilla/4.0" — note no space after the colon, which is what distinguishes it from a normal client.
03019 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/opt.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26995; rev:1; service:http; )
03020 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/svc.dat"; http_header; content:"User-Agent:Mozilla/4.0|0D 0A|"; pkt_data; content:"HTTP/1.0"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26996; rev:1; service:http; )
# sid 27012 (Phoenot): URI mylogs.php with &username=, &os= and logs= in the raw payload.
03026 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_server,established; http_uri; content:"mylogs.php"; pkt_data; content:"&username="; content:"&os="; content:"logs="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27012; rev:1; service:http; )
# sid 27014 (Epipenwa): /whisperings/whisperings.asp in the raw payload; name=, &userid=, &other= in the client body.
03028 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Epipenwa variant outbound connection attempt"; flow:to_server,established; content:"/whisperings/whisperings.asp"; http_client_body; content:"name="; content:"&userid="; content:"&other="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/4f0532e15ced95a1cebc13dd268dcbe7c609d4da237d9e46916678f288d3d9c6/analysis; classtype:trojan-activity; sid:27014; rev:2; service:http; )
# sid 27057 (Dalbot): "Cookie: CAQGBgoFD1" in the raw payload and CAQGBgoFD1 anywhere in the normalised cookie buffer.
03033 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dalbot outbound connection"; flow:to_server,established; content:"Cookie: CAQGBgoFD1"; http_cookie; content:"CAQGBgoFD1"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/dbf9d2a7659d09ea7ef2d38f30fa4cfb/analysis/; classtype:trojan-activity; sid:27057; rev:1; service:http; )
# sid 27533 (Kraziomel): raw URI length 8 = exactly "/000.jpg"; after "HTTP/1.0\r\nHost: " no further ": " may
# occur (negated relative content), i.e. Host is the only header. Only a balanced-ips drop is listed, no
# security-ips entry.
03039 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Win.Kraziomel Download - 000.jpg"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/000.jpg"; pkt_data; content:"HTTP/1.0|0D 0A|Host: "; content:!"|3A 20|",distance 0; metadata:impact_flag red,policy balanced-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:1; service:http; )
# sid 23058 (NeoSploit malvertising): raw URI longer than 62 bytes, "GET /?" in the raw payload, and the URI is
# /? + 60-66 hex characters + an optional run of ";" and digits at the end.
03055 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER NeoSploit Malvertising - URI Requested"; flow:to_server,established; http_raw_uri; bufferlen:>62; pkt_data; content:"GET /?"; http_uri; pcre:"/\/\?[0-9a-f]{60,66}[\;\d]*$/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23058; rev:2; service:http; )
# sids 5908 / 5907 (e2give trackware, classtype successful-recon-limited): either an affiliate click URI
# (/fs-bin/click? with id=, offerid=, type=, nocase) plus "Referer: e2give.com", or an update check (/go/check?
# with build=, source=) plus "Host: e2give.com"; the Referer/Host checks are case-sensitive raw-payload matches.
03083 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 1"; flow:to_server,established; http_uri; content:"/fs-bin/click?",nocase; content:"id=",nocase; content:"offerid=",nocase; content:"type=",nocase; pkt_data; content:"Referer|3A| e2give.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5908; rev:8; service:http; )
03084 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Trackware e2give runtime detection - check update"; flow:to_server,established; http_uri; content:"/go/check?",nocase; content:"build=",nocase; content:"source=",nocase; pkt_data; content:"Host|3A| e2give.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5907; rev:8; service:http; )
03354 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SOCIAL XBOX Marketplace http request"; flow:to_server,established; http_uri; content:"/global"; content:"/marketplace"; pkt_data; content:"User-Agent|3A| Xbox Live Client/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:policy-violation; sid:15171; rev:5; service:http; )
03355 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-SOCIAL XBOX Netflix client activity"; flow:to_server,established; content:"User-Agent|3A| NETFLIX360|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:policy-violation; sid:15170; rev:5; service:http; )
03401 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware.MediaGetInstaller outbound connection - source ip infected"; flow:to_server,established; content:"MediagetDownloaderInfo"; http_cookie; content:"MediagetDownloaderInfo"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21645; rev:3; service:http; )
03416 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - target website display"; flow:to_server,established; http_uri; content:"/related_bottom_v2.php",fast_pattern,nocase; content:"key=",nocase; content:"No="; pkt_data; content:"Host|3A|",nocase; content:"related.yok.com",distance 0,nocase; pcre:"/^Host\x3a[^\r\n]*related\x2Eyok\x2Ecom/smi"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8359; rev:12; service:http; )
03417 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - addressbar keyword search hijack"; flow:to_server,established; http_uri; content:"/go3.php",nocase; content:"key=",nocase; content:"NO=",nocase; content:"PID=",nocase; content:"UN=",nocase; pkt_data; content:"Host|3A|",nocase; content:"www.yok.com",distance 0,nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Eyok\x2Ecom/smi"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8358; rev:9; service:http; )
03420 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - side search"; flow:to_server,established; http_uri; content:"/sidesearch.htm",nocase; pkt_data; content:"Host|3A| sidesearch.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5936; rev:8; service:http; )
03421 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 3"; flow:to_server,established; content:"/search.cgi",nocase; content:"source=lifestyle",nocase; content:"query=",distance 0,nocase; content:"select=",distance 0,nocase; content:"Host|3A| desksearch.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5935; rev:7; service:http; )
03422 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 2"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"tbid=",nocase; content:"query=",nocase; pkt_data; content:"Host|3A| search.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5934; rev:8; service:http; )
03423 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 1"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"source=",nocase; content:"query=",nocase; pkt_data; content:"Host|3A| search.dropspam.com"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5933; rev:8; service:http; )
03427 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Hijacker shopathomeselect outbound connection"; flow:to_server,established; content:"SAHSelect=GUID=",nocase; content:"CustomerID=",nocase; content:"stealth=",nocase; content:"InstallerLocation="; content:"LastPrefs=",nocase; content:"AgentVersion=",nocase; content:"CTG=",nocase; content:"WSS_GW=",nocase; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074921; classtype:misc-activity; sid:5807; rev:8; service:http; )
03442 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server serverdown Authentication bypass attempt"; flow:to_server,established; content:"error-serverdown.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Ferror-serverdown\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15156; rev:5; service:http; )
03443 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server png Authentication bypass attempt"; flow:to_server,established; content:"|2F|.png"; pcre:"/^[a-zA-Z]+\s+\x2F\x2Epng.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15155; rev:6; service:http; )
03444 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server gif Authentication bypass attempt"; flow:to_server,established; content:"|2F|.gif"; pcre:"/^[a-zA-Z]+\s+\x2F\x2Egif.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15154; rev:6; service:http; )
03445 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server setup Authentication bypass attempt"; flow:to_server,established; content:"setup/setup-"; pcre:"/^[A-Z]+\s+\x2Fsetup\x2Fsetup-.*?\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6509; classtype:attempted-admin; sid:15153; rev:5; service:http; )
# NOTE(review): the pcre contains a stray backslash in "\x2F\index" — "\i" is not a PCRE escape. The
# preceding "\x2F" already encodes the slash, so the intended literal is "\x2Fsetup\x2Findex\x2Ejsp".
# PCRE builds that tolerate unknown letter escapes read "\i" as a literal "i" and the rule still matches
# "/setup/index.jsp"; stricter builds reject the pattern at load time. Drop the backslash and bump rev.
03446 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt"; flow:to_server,established; content:"setup/index.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Fsetup\x2F\index\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15152; rev:5; service:http; )
03447 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server logout Authentication bypass attempt"; flow:to_server,established; content:"index.jsp?logout=true"; pcre:"/^[a-zA-Z]+\s+\x2Findex\x2Ejsp\x3Flogout\x3Dtrue.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15151; rev:5; service:http; )
03448 alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] ( msg:"PUA-OTHER Jive Software Openfire Jabber Server login Authentication bypass attempt"; flow:to_server,established; content:"login.jsp"; pcre:"/^[a-zA-Z]+\s+\x2Flogin\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15150; rev:5; service:http; )
03456 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 1"; flow:to_server,established; http_uri; content:"/tr.js?",nocase; content:"a=",nocase; content:"r=",nocase; pkt_data; content:"Host|3A| c4.myway.com"; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy security-ips alert,service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5801; rev:11; service:http; )
# NOTE(review): sids 17502, 17501, 17500, 17499, 17498 and 17391 (CVE-2007-0450 Tomcat traversal) are bound
# to destination port 8080 rather than $HTTP_PORTS, so a Tomcat instance served on another port is not
# covered by these rules; widen the port or add a local variant if that applies to your deployment.
03459 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"%2E%2E/"; http_raw_uri; content:"%2E%2E/"; pkt_data; pcre:"/\/(\\|%5C)%2E%2E\//"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17502; rev:6; service:http; )
03460 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/%2E%2E"; http_raw_uri; content:"/%2E%2E"; pkt_data; pcre:"/\/%2E%2E(\\|%5C)\//"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17501; rev:6; service:http; )
03461 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/..%5C/"; http_raw_uri; content:"/..%5C/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17500; rev:5; service:http; )
03462 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/..|5C|/"; http_raw_uri; content:"/..|5C|/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17499; rev:5; service:http; )
03463 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/|5C|../"; http_raw_uri; content:"/|5C|../"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17498; rev:6; service:http; )
03464 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/%5C../"; http_raw_uri; content:"/%5C../"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17391; rev:7; service:http; )
03467 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt - public shell code"; flow:to_server,established; content:"1|C0|1|C9|d|8B|q0|8B|v|0C 8B|v|1C 8B|V|08 8B|~ |8B|6f9O|14|u|F2|f|B9 01|mf|81 E9 94|lf9|0F|f|89 C1|u|E1 89 E5 EB|q`|8B|l|24 24 8B|E<|8B|T|05|x|01 EA 8B|J|18 8B|Z |01 EB E3|4I|8B|4|8B 01 EE|1|FF|1|C0 FC AC 84 C0|t|07 C1 CF 0D 01 C7 EB F4 3B 7C 24 28|u|E1 8B|Z|24 01 EB|f|8B 0C|K|8B|Z|1C 01 EB 8B 04 8B 01 E8 89|D|24 1C|a|C3 AD|PR|E8 AA FF FF FF 89 07|f|81 C4 0C 01|f|81 EC 04 01|f|81 C7 08 01|f|81 EF 04 01|9|CE|u|DE C3 EB 10|^|8D|}|04 89 F1 80 C1 0C E8 CD FF FF FF EB 3B E8 EB FF FF FF|n|7C|.|E1 1E|<?|D7|t|1E|H|CD|1|D2|X|88|P|07 EB|/1|D2|Y|88|Q|01 EB|.QP|FF|U|04 EB|,1|D2|Y|88|Q|09 EB|3QP|89 C6 FF|U|08|S|FF|U|0C E8 D1 FF FF FF|sos.txtN|E8 CC FF FF FF|wN|E8 CD FF FF FF E8 CF FF FF FF|pwn-isapiN|E8 C8 FF FF FF 90 90 90 90|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:16479; rev:3; service:http; )
03468 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache APR apr_fnmatch infinite loop denial of service attempt"; flow:to_server,established; content:"P=*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0419; reference:url,issues.apache.org/bugzilla/show_bug.cgi?id=51219; classtype:attempted-dos; sid:19709; rev:2; service:http; )
03476 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache mod_log_config cookie handling denial of service attempt"; flow:to_server,established; content:"Cookie|3A| =|0D 0A 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,51705; reference:cve,2012-0021; classtype:denial-of-service; sid:24697; rev:2; service:http; )
03483 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS 5.0 WebDav Request Directory Security Bypass"; flow:to_server,established; content:"POST",nocase; content:"|25 32 35 25 33 37 25 33 30 25 32 35 25 33 37 25|",within 16,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35232; reference:cve,2009-1122; classtype:attempted-admin; sid:17525; rev:4; service:http; )
03489 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WebDAV Request Directory Security Bypass attempt"; flow:to_server,established; content:"/%c0%af/"; pcre:"/^(GET|OPTIONS|HEAD|POST|PUT|DELETE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)[^\r\n]*\s+[^\r\n]*\x2f\x25c0\x25af\x2f/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34993; reference:cve,2009-1535; classtype:attempted-admin; sid:17564; rev:2; service:http; )
03491 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|",within 255; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2091; rev:15; service:http; )
03579 alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( msg:"SERVER-ORACLE Oracle Secure Enterprise Search search_p_groups cross-site scripting attempt"; flow:to_server,established; content:"search|2F|query|2F|search",nocase; content:"search_p_groups|3D|",distance 0,nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35681; reference:cve,2009-1968; classtype:attempted-user; sid:16717; rev:2; service:http; )
03598 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-ORACLE Oracle Database Application Express Component APEX password hash disclosure attempt"; flow:to_server,established; content:"select%20user_name,web_password2%20from"; content:"WWV_FLOW_USERS",distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34461; reference:cve,2009-0981; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:misc-attack; sid:15488; rev:3; service:http; )
03612 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER HP OpenView Network Node Manager ovlaunch host field overflow attempt"; flow:to_server,established; http_uri; content:"ovlaunch.exe",nocase; pkt_data; content:"host|3A|",nocase; isdataat:300,relative; pcre:"/^host\x3a\s*[^\r\n]{300}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33668; reference:cve,2008-4562; classtype:attempted-user; sid:16204; rev:3; service:http; )
03638 alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 ( msg:"SERVER-OTHER Oracle BEA Weblogic server console-help.portal cross-site scripting attempt"; flow:to_server,established; content:"|2F|consolehelp|2F|console-help|2E|portal",nocase; content:"searchQuery|3D|",distance 0,nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35673; reference:cve,2009-1975; classtype:attempted-user; sid:16710; rev:2; service:http; )
03699 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Rails JSON to YAML parsing deserialization attempt"; flow:to_server,established; http_header; content:"application/json"; pkt_data; content:"!ruby/hash"; content:"ActionController",within 30; content:"NamedRouteCollection",within 90; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2013-0333; classtype:attempted-user; sid:25552; rev:1; service:http; )
03700 alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 ( msg:"SERVER-OTHER RaySharp CCTV derivative command injection attempt"; flow:to_server,established; content:"REMOTE HI_SRDK_NET_SetPppoeAttr",depth 40,fast_pattern; content:"udhcpc",distance 0; pcre:"/\x3b\s*udhcpc\s*\x3b.*\x26/smi"; metadata:policy balanced-ips drop; reference:url,community.rapid7.com/community/metasploit/blog/2013/01/23/ray-sharp-cctv-dvr-password-retrieval-remote-root; reference:url,console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html; classtype:attempted-admin; sid:25557; rev:1; )
03724 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Trend Micro OfficeScan Server cgiRecvFile overflow attempt"; flow:to_server,established; http_uri; content:"/cgi/cgiRecvFile.exe"; pkt_data; content:"ComputerName"; pcre:"/ComputerName\s*\x3d\s*\x22[^\x22]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31139; reference:cve,2008-2437; classtype:attempted-admin; sid:15510; rev:3; service:http; )
03770 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Microsoft Windows .NET Chart Control directory traversal attempt"; flow:to_server,established; content:"charImg.axd?"; http_uri; content:"i=/",distance 0; http_raw_uri; content:".."; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1977; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-066; classtype:attempted-recon; sid:19694; rev:5; service:http; )
03773 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Adobe ColdFusion locale directory traversal attempt"; flow:to_server,established; http_uri; content:"CFIDE",fast_pattern; pkt_data; content:"locale=",nocase; content:"../../../",distance 0; content:"%00",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42342; reference:cve,2010-2861; classtype:attempted-admin; sid:18464; rev:6; service:http; )
03776 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt"; flow:to_server,established; content:"/cgiChkMasterPwd.exe"; content:"CRYPT",nocase; isdataat:512,relative; pcre:"/TMlogonEncrypted=(\!|\%21)CRYPT(\!|\%21)[A-Z0-9]{512}/i"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,28020; reference:cve,2008-1365; reference:url,secunia.com/advisories/29124; classtype:web-application-attack; sid:13591; rev:6; )
03782 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM nnmRptConfig.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/nnmRptConfig|2E|exe"; http_client_body; content:"Action|3D|Create",nocase; pkt_data; content:"Template|3D|"; isdataat:1000,relative; http_client_body; pcre:"/Template\x3D[^\x0D\x0A]{1000}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3848; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20240; rev:5; service:http; )
03784 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP libtidy null pointer dereference attempt"; flow:to_server,established; content:"<?"; content:"Tidy",distance 0; content:"diagnose"; pcre:"/(?P<var>\x24\w+)\s*=\s*(new Tidy|Tidy->new)\x28\s*[\x22\x27]\x2a[\x22\x27]\s*\x29.{1,256}(?P=var)->diagnose/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-4153; classtype:attempted-dos; sid:23995; rev:3; service:http; )
03785 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP zend_strndup null pointer dereference attempt"; flow:to_server,established; content:"define|28|",nocase; content:"str_repeat|28|"; pcre:"/<\?(php)?.{1,256}define\s*\x28\s*str_repeat\s*\x28\s*[\x22\x27][^\x22\x27]+[\x22\x27]\s*\x2c\s*\x24argv/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-4153; classtype:attempted-dos; sid:23994; rev:4; service:http; )
03797 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP TikiWiki jhot.php script file upload attempt"; flow:to_server,established; http_uri; content:"/jhot.php",nocase; pkt_data; content:"Content-Disposition|3A|",nocase; content:"filename=",nocase; pcre:"/^Content-Disposition\x3A[^\r\n]*filename=(?P<q1>\x22|\x27|)[^\r\n]*?\x2Ephp(?P=q1)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19819; reference:cve,2006-4602; reference:url,tikiwiki.org/tiki-read_article.php?articleid=136; classtype:attempted-user; sid:17597; rev:4; service:http; )
03798 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla invalid token administrative password reset attempt"; flow:to_server,established; http_uri; content:"task=confirmreset",nocase; content:"option=com_user"; pkt_data; content:"token=%27&",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30667; reference:cve,2008-3681; reference:url,developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html; classtype:attempted-admin; sid:14610; rev:5; service:http; )
# NOTE(review): msg and the CVE-2009-4180 reference name ovlogin.exe, but the http_uri content is
# "/OvCgi/snmpviewer|2E|exe" — the same URI sid 19140 uses for the snmpviewer.exe overflow. As written this
# rule does not match a request whose URI is the ovlogin.exe CGI, so the oversized Host header it is meant
# to catch goes unseen. Confirm against the upstream rule; if this is a copy error, point the content at the
# ovlogin.exe path and bump rev.
03811 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/snmpviewer|2E|exe"; pkt_data; content:"Host|3A|",nocase; isdataat:121,relative; http_header; pcre:"/Host\x3A\s*[^\x0D\x0A]{121}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4180; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20177; rev:3; service:http; )
03814 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Virtual Server Agent command injection attempt"; flow:to_server,established; http_uri; content:"/RPC2",fast_pattern,nocase; http_client_body; content:"<?xml"; pkt_data; content:"params",distance 0; pcre:"/\x3C\s*param\s*\x3E\s*\x3C\s*value\s*\x3E\s*\x3C\s*string\s*\x3E[^\x3C]*[\x2C\x3B]/smiR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44031; reference:cve,2010-3582; reference:cve,2010-3585; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html; classtype:attempted-admin; sid:19441; rev:4; service:http; )
03819 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/snmpviewer|2E|exe"; pkt_data; content:"app|3D|",nocase; isdataat:300,relative; content:"act|3D|",nocase; isdataat:300,relative; pcre:"/act\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; pcre:"/app\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1552; classtype:attempted-user; sid:19140; rev:3; service:http; )
03820 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI MaxAge parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"MaxAge|3D|",nocase; isdataat:300,relative; pcre:"/MaxAge\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1553; classtype:attempted-user; sid:19139; rev:3; service:http; )
03821 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"Hostname|3D|",nocase; isdataat:300,relative; pcre:"/Hostname\x3D[^\x26\x3F\x3B\x0D\x0A\s]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1555; classtype:attempted-user; sid:19138; rev:3; service:http; )
03822 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI ICount parameter buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OvCgi/getnnmdata|2E|exe"; pkt_data; content:"ICount|3D|",nocase; isdataat:300,relative; pcre:"/ICount\x3D\x2D[^\x26\x3F\x3B\x0D\x0A\s]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1554; classtype:attempted-user; sid:19137; rev:3; service:http; )
03824 alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Jboss default configuration unauthorized application add attempt"; flow:to_server,established; http_uri; content:"/jmx-console/HtmlAdaptor?",nocase; content:"action=inspectMBean",nocase; content:"name=jboss.deployment|3A|type=DeploymentScanner,flavor=URL",nocase; pkt_data; content:"addURL|28|",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; classtype:web-application-attack; sid:18932; rev:3; service:http; )
# Snort/Talos SERVER-WEBAPP rules (plus one outbound brute-force rule at sid:25907).
# NOTE(review): the five-digit prefix on every line (e.g. "03851") looks like a listing
# line number from the source this was extracted from, not Snort syntax; strip it before
# loading these rules or the parser will reject every line.
# Option order matters in Snort: each content/pcre with distance/within/R is relative to the
# previous match, so do not reorder options when editing a rule.
#
# sid:18793 - ZENworks UploadServlet via /zenworks-fileupload/?: after the URI match, the
# relative pcre (/R) requires a "filename=" or "type=" parameter whose value contains ".."
# (\x2E\x2E) before the next "&", i.e. a traversal sequence in an upload parameter.
03851 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt"; flow:to_server,established; content:"/zenworks-fileupload/?",nocase; pcre:"/(filename|type)=[^\x26]*?\x2E\x2E/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39914; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18793; rev:4; service:http; )
# sid:18792 - same issue via /zenworks/UploadServlet (fast_pattern on the URI). The
# "filename=" match is in the raw packet payload (pkt_data), and the relative pcre requires
# ".." in that parameter value before the next "&".
03852 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt"; flow:to_server,established; http_uri; content:"/zenworks/UploadServlet",fast_pattern,nocase; pkt_data; content:"filename=",nocase; pcre:"/^[^\x26]*?\x2E\x2E/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39914; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18792; rev:3; service:http; )
# sid:18311 - iManager modulemanager upload: a multipart Content-Disposition header whose
# filename (up to the next ";") contains "/.." , "\.." , "../" or "..\" (\x5C = backslash,
# \x2F = slash), matched case-insensitively on the same header line.
03860 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell iManager getMultiPartParameters unauthorized file upload attempt"; flow:to_server,established; http_uri; content:"/nps/servlet/modulemanager",nocase; pkt_data; content:"Content-Disposition",nocase; pcre:"/^[^\n]*filename[^\x3B]*([\x5C\x2F]\x2E\x2E|\x2E\x2E[\x5C\x2F])/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43635; classtype:attempted-admin; sid:18311; rev:3; service:http; )
# sid:16604 - HP OpenView NNM ovalarm.exe: the first pcre is relative to "OVABverbose=" and its
# negative lookahead rejects values beginning with false/off/no/0 (case-insensitive), so the
# rule only proceeds when verbose mode is enabled; the second pcre then requires 69 or more
# non-newline bytes after an "OvAcceptLang" or "Accept-Language" header/parameter separator.
03870 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovalarm.exe Accept-Language buffer overflow attempt"; flow:to_server,established; http_uri; content:"/OVCgi/ovalarm.exe",nocase; pkt_data; content:"OVABverbose=",nocase; pcre:"/^(?!false|off|no|0)/iR"; pcre:"/(OvAcceptLang|Accept-Language)\s*[\x3D\x3A]\s*[^\n]{69}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37261; reference:cve,2009-4179; classtype:attempted-user; sid:16604; rev:4; service:http; )
# sid:16392 - Oracle Java System Web Server: the negated http_method contents restrict this to
# requests whose method is neither GET nor POST; the pcre then requires an
# "Authorization: Digest" header line with at least 15 comma-separated fields.
03873 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Java System Web Server 7.0u7 authorization digest heap overflow"; flow:to_server,established; http_method; content:!"GET",nocase; content:!"POST",nocase; pkt_data; content:"Authorization",nocase; content:"Digest",distance 0,fast_pattern,nocase; pcre:"/^Authorization\s*\x3A\s*Digest\s+([^\n\x2C]*\x2C){15}/im"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37896; reference:cve,2010-0387; classtype:attempted-user; sid:16392; rev:4; service:http; )
# sid:16195 - Novell eDirectory on its HTTP ports (8008/8010/8028/8030): a request beginning
# "POST /SOAP" (depth 10) whose Content-Length value starts with "-" — the "-" content is
# placed within 1 byte of the preceding pcre match, i.e. a negative length.
03874 alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] ( msg:"SERVER-WEBAPP Novell eDirectory HTTP request content-length heap buffer overflow attempt"; flow:to_server,established; content:"POST /SOAP",depth 10,nocase; pcre:"/^Content-Length\s*\x3A\s/mi"; content:"-",within 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4478; classtype:attempted-user; sid:16195; rev:6; service:http; )
# sid:16194 - companion rule for the same CVE: a Content-Length value of at least nine digits
# with a non-zero leading digit (>= 100,000,000).
03875 alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] ( msg:"SERVER-WEBAPP Novell eDirectory HTTP request content-length heap buffer overflow attempt"; flow:to_server,established; content:"POST /SOAP",depth 10,nocase; pcre:"/^Content-Length\s*\x3A\s*[1-9][0-9]{8}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4478; classtype:attempted-user; sid:16194; rev:4; service:http; )
# sid:25907 - OUTBOUND ($HOME_NET -> $EXTERNAL_NET, classtype trojan-activity): flags an
# internal host sending phpMyAdmin root logins. Matches the literal duplicated header
# "User-Agent: User-Agent: Mozilla/" plus the fixed login URI, both as raw payload contents
# (not bound to http buffers, case-sensitive). The detection_filter suppresses the alert
# until 30 matching packets from the same source are seen within 4 seconds. Note that flow
# is to_server only, without established, unlike the other rules here.
03914 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent"; flow:to_server; content:"User-Agent: User-Agent: Mozilla/"; content:"/phpmyadmin/index.php?lang=en&server=1&pma_username=root"; detection_filter:track by_src, count 30, seconds 4; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:25907; rev:1; service:http; )
# sid:17528 - nginx URI parsing (CVE-2009-2629): raw payload content decoding to
# "GET /%23.." (|2F 25| = "/%", then "23", then |2E 2E| = ".."). Not bound to http_uri, so
# it is a byte-exact match on the request line.
03935 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP nginx URI parsing buffer overflow attempt"; flow:to_server,established; content:"GET |2F 25|23|2E 2E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36384; reference:cve,2009-2629; classtype:attempted-admin; sid:17528; rev:5; service:http; )
# sid:19136 - CA XOsoft entry_point.aspx: after "txt_user_name_p=", isdataat:300,relative
# cheaply confirms 300 more bytes exist before the pcre requires 300 consecutive bytes that
# are none of "&", "?" or ";" — an oversized user-name parameter. Direction is
# $HOME_NET -> $EXTERNAL_NET, unlike the other SERVER-WEBAPP rules in this listing.
03938 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP CA XOsoft Multiple Products entry_point.aspx buffer overflow attempt"; flow:to_server,established; http_uri; content:"/entry_point.aspx",nocase; pkt_data; content:"txt_user_name_p|3D|",nocase; isdataat:300,relative; pcre:"/txt_user_name_p\x3D[^\x26\x3F\x3B]{300}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39238; reference:cve,2010-1223; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869; classtype:attempted-user; sid:19136; rev:3; service:http; )