Adding Docker Container

Este commit está contenido en:
jesler
2020-02-24 08:56:30 -05:00
padre 5493fbb16c
commit 36eb702282
Se han modificado 143 ficheros con 53191 adiciones y 0 borrados

55
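--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -0,0 +1,55 @@
+FROM debian:buster-slim
+ENV VERSION 2.9.15.1
+RUN mkdir -p /root/pcaps/
+COPY labs /root/
+COPY tools /root/
+WORKDIR /root/src/
+RUN apt-get update && \
+apt-get -y install \
+build-essential \
+vim \
+curl \
+gcc \
+flex \
+bison \
+pkg-config \
+libpcap0.8 \
+libpcap0.8-dev \
+libpcre3 \
+libpcre3-dev \
+libdumbnet1 \
+libdumbnet-dev \
+libdaq2 \
+libdaq-dev \
+zlib1g \
+zlib1g-dev \
+liblzma5 \
+liblzma-dev \
+luajit \
+libluajit-5.1-dev \
+libssl1.1 \
+libssl-dev \
+tcpreplay && \
+apt-get clean && \
+curl -L -O https://snort.org/downloads/snort/snort-$VERSION.tar.gz && \
+tar xf ./snort-$VERSION.tar.gz && \
+cd ./snort-$VERSION && \
+./configure --enable-sourcefire --enable-open-appid && \
+make -j$(nproc) && \
+make install && \
+ldconfig && \
+cd /root && \
+rm -rf /root/src && \
+touch /root/pcaps/local.rules && \
+echo 'export TERM=xterm-256color' >> ~/.bashrc
+# rule syntax file
+COPY include/hog.vim /root/.vim/syntax/hog.vim
+# colorscheme
+COPY include/ir_black.vim /root/.vim/colors/ir_black.vim
+# vimrc
+COPY include/vimrc /root/.vimrc
+CMD /bin/bash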
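Review bot: The snort tarball fetched on the `curl -L -O https://snort.org/downloads/snort/snort-$VERSION.tar.gz` line is extracted and built without any integrity check, so a tampered or truncated download goes straight into `make install` as root; pin the expected digest and verify it before `tar xf`, e.g. `curl -fsSL -o snort-$VERSION.tar.gz https://snort.org/downloads/snort/snort-$VERSION.tar.gz && echo "<SHA256_OF_TARBALL>  snort-$VERSION.tar.gz" | sha256sum -c -` (`-f` also makes an HTTP error fail the build instead of saving the error page as the archive). The image never switches away from root and carries build tooling (`build-essential`, `gcc`, `vim`, `curl`) into the final layer; for a lab image that may be intended, but a one-line comment saying so would stop the next reader from "fixing" it. `ENV VERSION 2.9.15.1` is the deprecated space-separated form and leaks a build-only value into the runtime environment (`ARG VERSION=2.9.15.1` placed before the `RUN` would do), and `CMD /bin/bash` is shell form, so bash is not PID 1 and does not receive `docker stop`'s signal directly — prefer `CMD ["/bin/bash"]`. Finally, `apt-get clean` leaves `/var/lib/apt/lists/*` in the layer; `--no-install-recommends` plus `rm -rf /var/lib/apt/lists/*` in the same `RUN` keeps the image smaller.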

2
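--- a/docker/build.sh
+++ b/docker/build.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+docker build -t snort2 .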
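Review bot: `docker build -t snort2 .` uses the caller's working directory as the build context, so invoking the script from anywhere other than `docker/` either fails to find the Dockerfile or sends an unintended directory tree to the daemon as context. Resolve the context from the script's own location instead: `docker build -t snort2 "$(dirname "$0")"`. A `.dockerignore` next to the Dockerfile would also keep anything unrelated in that directory out of the `COPY labs` / `COPY tools` layers.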

42
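--- a/docker/connect.sh
+++ b/docker/connect.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -e
+OPTIND=1
+show_help() {
+echo "$0 -c <conf dir>"
+}
+while getopts ":p:c:q" opt; do
+case "$opt" in
+h|/?)
+echo "Unknown argument $OPTARG"
+show_help
+exit 0
+;;
+c)
+conf="$(realpath $OPTARG)"
+;;
+esac
+done
+shift $((OPTIND-1))
+echo "Conf: $conf"
+if [[ -z $conf ]]; then
+echo "snort conf is required"
+show_help
+exit 1
+fi
+if [[ ! -d $conf ]]; then
+echo "snort conf directoy is not accessible: $conf"
+exit 1
+fi
+docker run -it \
+-v $conf:/etc/snort \
+snort2 \
+/bin/bash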
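Review bot: The `h|/?)` pattern in the `case` never matches the `?` that getopts returns for an unknown option or a missing argument (as written it is a literal slash followed by any single character; it should be `h|\?)`), so bad flags fall through silently and only the later `-z $conf` check reports anything; `h` is also absent from the optstring, while `p:` and `q` are declared but never handled. `$OPTARG` and `$conf` are unquoted in `conf="$(realpath $OPTARG)"` and `-v $conf:/etc/snort`, so a directory path containing spaces is word-split before it reaches `docker run`; quote them: `conf="$(realpath "$OPTARG")"` and `-v "$conf:/etc/snort" \`. The error message on the `! -d $conf` branch misspells "directory" as "directoy". If the container only needs to read the configuration, mounting it with `:ro` would prevent anything run inside the container from altering the host's rule files.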

26
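--- a/docker/etc/attribute_table.dtd
+++ b/docker/etc/attribute_table.dtd
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!ELEMENT SNORT_ATTRIBUTES ((ATTRIBUTE_MAP, ATTRIBUTE_TABLE))>
+<!ELEMENT ATTRIBUTE_MAP ((ENTRY*))>
+<!ELEMENT ENTRY ((ID, VALUE))>
+<!ELEMENT ID (#PCDATA)>
+<!ELEMENT VALUE (#PCDATA)>
+<!ELEMENT ATTRIBUTE_TABLE ((HOST*))>
+<!ELEMENT HOST ((IP, OPERATING_SYSTEM, (SERVICES | CLIENTS)*))>
+<!ELEMENT IP (#PCDATA)>
+<!ELEMENT OPERATING_SYSTEM ((NAME, VENDOR, VERSION, FRAG_POLICY, STREAM_POLICY))>
+<!ELEMENT NAME (((ATTRIBUTE_VALUE | ATTRIBUTE_ID), CONFIDENCE?))>
+<!ELEMENT VERSION (((ATTRIBUTE_VALUE | ATTRIBUTE_ID), CONFIDENCE?))>
+<!ELEMENT VENDOR (((ATTRIBUTE_VALUE | ATTRIBUTE_ID), CONFIDENCE?))>
+<!ELEMENT FRAG_POLICY (#PCDATA)>
+<!ELEMENT STREAM_POLICY (#PCDATA)>
+<!ELEMENT CLIENTS ((CLIENT*))>
+<!ELEMENT CLIENT (((PROTOCOL | (IPPROTO, PROTOCOL)), APPLICATION))>
+<!ELEMENT SERVICES ((SERVICE*))>
+<!ELEMENT SERVICE ((PORT, IPPROTO, PROTOCOL, APPLICATION?))>
+<!ELEMENT PORT (((ATTRIBUTE_VALUE | ATTRIBUTE_ID), CONFIDENCE?))>
+<!ELEMENT PROTOCOL (((ATTRIBUTE_VALUE | ATTRIBUTE_ID), CONFIDENCE?))>
+<!ELEMENT IPPROTO (((ATTRIBUTE_VALUE | ATTRIBUTE_ID), CONFIDENCE?))>
+<!ELEMENT APPLICATION (((ATTRIBUTE_VALUE | ATTRIBUTE_ID), CONFIDENCE?),VERSION?)>
+<!ELEMENT ATTRIBUTE_VALUE (#PCDATA)>
+<!ELEMENT ATTRIBUTE_ID (#PCDATA)>
+<!ELEMENT CONFIDENCE (#PCDATA)>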


@@ -0,0 +1,70 @@
# $Id$
# The following includes information for prioritizing rules
#
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized. You can specify
# what priority each classification has. Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
#
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
# dsize: > 128; classtype:attempted-admin; priority:10;
#
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
# content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
#
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable Code was Detected,1
config classification: string-detect,A Suspicious String was Detected,3
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
config classification: system-call-detect,A System Call was Detected,2
config classification: tcp-connection,A TCP Connection was Detected,4
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
config classification: sdf,Sensitive Data was Transmitted Across the Network,2
config classification: file-format,Known malicious file or file based exploit,1
config classification: malware-cnc,Known malware command and control traffic,1
config classification: client-side-exploit,Known client side exploit attempt,1

168
docker/etc/file_magic.conf Archivo normal

@@ -0,0 +1,168 @@
#### file_magic.conf
file type:XLW; id:1; category:Office Documents; msg:"Excel spreadsheet subheader (MS Office)"; rev:1; content:| 09 08 10 00 00 06 05 00 |; offset:512; group:office;
file type:POSIX_TAR; id:2; category:Archive; msg:"POSIX Tape Archive file"; rev:1; content:| 75 73 74 61 72 00 20 20 |; offset:257;
file type:OLD_TAR; id:3; category:Archive; msg:"Pre-POSIX Tape Archive file"; rev:1; content:| 75 73 74 61 72 20 |; offset:257;
file type:MOV; id:4; category:Multimedia; msg:"QuickTime movie file"; rev:1; content:| 66 72 65 65 |; offset:4; group:video;
file type:MOV; id:5; category:Multimedia; msg:"QuickTime movie file"; rev:1; content:| 6D 6F 6F 76 |; offset:4; group:video;
file type:MOV; id:6; category:Multimedia; msg:"QuickTime movie file"; rev:1; content:| 6D 64 61 74 |; offset:4; group:video;
file type:MOV; id:7; category:Multimedia; msg:"QuickTime movie file"; rev:1; content:| 70 6E 6F 74 |; offset:4; group:video;
file type:MOV; id:8; category:Multimedia; msg:"QuickTime movie file"; rev:1; content:| 66 74 79 70 |; offset:4; group:video;
file type:LHA; id:9; category:Archive; msg:"File compressed with lha utility/algorithm (lha, lzh)"; rev:1; content:| 2D 6C 68 |; offset:2;
file type:ISO; id:10; category:System files; msg:"Disc Image file based on ISO-9660 standard (iso)c"; rev:1; content:| 43 44 30 30 31 |; offset:32769;
file type:ISO; id:11; category:System files; msg:"Disc Image file based on ISO-9660 standard (iso)c"; rev:1; content:| 43 44 30 30 31 |; offset:34817;
file type:ISO; id:12; category:System files; msg:"Disc Image file based on ISO-9660 standard (iso)c"; rev:1; content:| 43 44 30 30 31 |; offset:36865;
file type:S3M; id:13; category:Multimedia; msg:"S3M audio module format"; rev:1; content:| 53 43 52 4d |; offset:44; group:audio;
file type:FLIC; id:14; category:Multimedia; msg:"FLIC Animation file"; rev:2; content:|11 AF|; offset:4; content:|40 01|; offset:8; content:|c8 00|; offset:10; content:|00 00|; offset:20; content:|00 00 00 00 00 00 00 00|; offset:42;
file type:FLIC; id:15; category:Multimedia; msg:"FLIC Animation file"; rev:2; content:|12 AF|; offset:4; content:|40 01|; offset:8; content:|c8 00|; offset:10; content:|00 00|; offset:20; content:|00 00 00 00 00 00 00 00|; offset:42;
file type:MSEXE; id:21; category:Executables,Dynamic Analysis Capable; msg:"Windows/DOS executable file "; rev:1; content:| 4D 5A|; offset:0;
file type:PDF; id:22; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46|; offset:0;
file type:RTF; id:23; category:Office Documents; msg:"Rich text format word processing file "; rev:1; content:| 7B 5C 72 74 66 31|; offset:0;
file type:RIFF; id:24; category:Multimedia; msg:"Resource Interchange File Format"; rev:1; content:| 52 49 46 46|; offset:0;
file type:MSCHM; id:25; category:Office Documents; msg:"Microsoft Compiled HTML Help File"; rev:1; content:| 49 54 53 46|; offset:0;
file type:MSCAB; id:26; category:Archive; msg:"Microsoft Windows CAB"; rev:1; content:| 4D 53 43 46|; offset:0;
file type:MSOLE2; id:27; category:Office Documents; msg:"Microsoft Office applications OLE Document "; rev:1; content:| D0 CF 11 E0 A1 B1 1A E1|; offset:0;
file type:MSSZDD; id:28; category:Archive; msg:"SZDD file format"; rev:1; content:| 53 5A 44 44 88 F0 27 33 |; offset:0;
file type:ZIP; id:29; category:Archive; msg:"PKZIP archive file"; rev:1; content:| 50 4B 03 04 |; offset:0;
file type:RAR; id:30; category:Archive; msg:"WinRAR compressed archive file"; rev:1; content:| 52 61 72 21 1A 07 00 |; offset:0;
file type:7Z; id:31; category:Archive; msg:"7-Zip compressed file"; rev:1; content:| 37 7A BC AF 27 1C |; offset:0;
file type:BZ; id:32; category:Archive; msg:"bzip2 compressed archive"; rev:1; content:| 42 5A 68 |; offset:0;
file type:GZ; id:33; category:Archive; msg:"GZ"; rev:1; content:| 1F 8B 08 |; offset:0;
file type:ARJ; id:34; category:Archive; msg:"Compressed archive file"; rev:1; content:| 60 EA 00 00 |; offset:0;
file type:ISHIELD_MSI; id:35; category:Executables; msg:"Install Shield v5.x or 6.x compressed file"; rev:1; content:| 49 53 63 28 |; offset:0;
file type:BINHEX; id:36; category:Executables; msg:"Macintosh BinHex 4 Compressed Archive"; rev:1; content:| 28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20 |; offset:0;
file type:MAIL; id:37; category:Office Documents; msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; rev:1; content:| 46 72 6F 6D 20 20 20 |; offset:0;
file type:MAIL; id:38; category:Office Documents; msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; rev:1; content:| 46 72 6F 6D 20 3F 3F 3F |; offset:0;
file type:MAIL; id:39; category:Office Documents; msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; rev:1; content:| 46 72 6F 6D 3A 20 |; offset:0;
file type:MAIL; id:40; category:Office Documents; msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; rev:1; content:| 52 65 74 75 72 6E 2D 50 61 74 68 3A 20 |; offset:0;
file type:MAIL; id:41; category:Office Documents; msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; rev:1; content:| 58 2D |; offset:0;
file type:TNEF; id:42; category:Office Documents; msg:"Transport Neutral Encapsulation Format, an E-mail attachment format"; rev:1; content:| 78 9F 3E 22 |; offset:0;
file type:BINARY_DATA; id:43; category:Executables; msg:"Universal Binary/Java Bytecode"; rev:1; content:| CA FE BA BE|; offset:0;
file type:UUENCODED; id:44; category:Encoded; msg:"UUencoded file"; rev:1; content:| 62 65 67 69 6E |; offset:0;
file type:SCRENC; id:45; category:Encoded; msg:"Script encoder file"; rev:1; content:| 23 40 7E 5E |; offset:0;
file type:ELF; id:46; category:Executables; msg:"Executable and Linking Format executable file (Linux/Unix)"; rev:1; content:| 7F 45 4C 46|; offset:0;
file type:MACHO; id:47; category:Executables; msg:"Mach object file format "; rev:1; content:| CE FA ED FE |; offset:0;
file type:MACHO; id:48; category:Executables; msg:"Mach object file format "; rev:1; content:| CF FA ED FE |; offset:0;
file type:MACHO; id:49; category:Executables; msg:"Mach object file format "; rev:1; content:| FE ED FA CE |; offset:0;
file type:MACHO; id:50; category:Executables; msg:"Mach object file format "; rev:1; content:| FE ED FA CF |; offset:0;
file type:SIS; id:51; category:Archive; msg:"Software Installation Script, an archive for Symbian OS"; rev:1; content:| 19 04 00 10 |; offset:0;
file type:SWF; id:52; category:Multimedia; msg:"Flash file "; rev:1; content:| 43 57 53 |; offset:0;
file type:SWF; id:53; category:Multimedia; msg:"Flash file "; rev:1; content:| 46 57 53 |; offset:0;
file type:SWF; id:54; category:Multimedia; msg:"Flash file "; rev:1; content:| 58 46 49 52|; offset:0;
file type:CPIO_ODC; id:55; category:Archive; msg:"Archive created with the cpio utility- standard ASCII format"; rev:1; content:| 30 37 30 37 30 37 |; offset:0;
file type:CPIO_NEWC; id:56; category:Archive; msg:"Archive created with the cpio utility- new ASCII (aka SVR4) format"; rev:1; content:| 30 37 30 37 30 31 |; offset:0;
file type:CPIO_CRC; id:57; category:Archive; msg:"Archive created with the cpio utility- CRC format"; rev:1; content:| 30 37 30 37 30 32 |; offset:0;
file type:MPEG; id:58; category:Multimedia; msg:"MPEG video file"; rev:1; content:| 00 00 01 B3|; offset:0; group:video;
file type:MPEG; id:59; category:Multimedia; msg:"MPEG video file"; rev:1; content:| 00 00 01 BA|; offset:0; group:video;
file type:EPS; id:60; category:PDF files; msg:"Adobe encapsulated PostScript file"; rev:1; content:| 25 21 50 53 2D 41 64 6F 62 65 2D |; offset:0;
file type:RMF; id:61; category:Multimedia; msg:"RealNetworks RealMedia streaming media file"; rev:1; content:| 2E 52 4D 46 |; offset:0;
file type:GIF; id:62; category:Graphics; msg:"GIF"; rev:1; content:| 47 49 46 38 37 61 |; offset:0; group:multimedia;
file type:GIF; id:63; category:Graphics; msg:"GIF"; rev:1; content:| 47 49 46 38 39 61 |; offset:0; group:multimedia;
file type:MP3; id:64; category:Multimedia; msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; rev:1; content:| 49 44 33 |; offset:0; group:audio;
file type:MP3; id:65; category:Multimedia; msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; rev:1; content:| FF FB 90 |; offset:0; group:audio;
file type:OGG; id:66; category:Multimedia; msg:"Ogg Vorbis Codec compressed Multimedia file"; rev:1; content:| 4F 67 67 53 |; offset:0; group:audio;
file type:RIFX; id:67; category:Multimedia; msg:"RIFX audio format"; rev:1; content:| 52 49 46 58 |; offset:0; group:audio;
file type:SYMANTEC; id:68; category:System files; msg:"Symantec files"; rev:1; content:| 58 2D 53 79 6D 61 6E 74 65 63 2D |; offset:0;
file type:PNG; id:69; category:Graphics; msg:"Portable Network Graphics file"; rev:1; content:| 89 50 4E 47 0D 0A 1A 0A |; offset:0; group:multimedia;
file type:JPEG; id:70; category:Graphics; msg:"JPEG/JFIF graphics file"; rev:1; content:| FF D8 FF E0 |; offset:0; group:multimedia;
file type:JARPACK; id:72; category:Executables; msg:"Jar pack file"; rev:1; content:| CA FE D0 0D |; offset:0;
file type:JAR; id:73; category:Archive; msg:"Java archive file"; rev:3; content:| 50 4B 03 04 |; offset:0; content:| 4D 45 54 41 2D 49 4E 46 2F |; offset:30;
file type:FLV; id:74; category:Multimedia; msg:"Flash video file"; rev:1; content:| 46 4C 56 01 |; offset:0; group:video;
file type:WAV; id:76; category:Multimedia; msg:"Waveform Audio File Format"; rev:1; content:| 62 65 61 74 |; offset:0; group:audio;
file type:WAV; id:77; category:Multimedia; msg:"Waveform Audio File Format"; rev:1; content:| 4D 58 43 33 |; offset:0; group:audio;
file type:FFMPEG; id:78; category:Multimedia; msg:"ffmpeg Multimedia framework"; rev:1; content:| 34 58 4D 56 |; offset:0;
file type:DMG; id:79; category:System files; msg:"Apple Disk Image"; rev:1; content:| 45 52 02 00 |; offset:0;
file type:DMG; id:80; category:System files; msg:"Apple Disk Image"; rev:1; content:| 32 49 4D 47 |; offset:0;
file type:IVR; id:81; category:Multimedia; msg:"RealPlayer video file"; rev:1; content:| 2E 52 45 43 |; offset:0; group:video;
file type:IVR; id:82; category:Multimedia; msg:"RealPlayer video file"; rev:1; content:| 2E 52 31 4D |; offset:0; group:video;
file type:RA; id:83; category:Multimedia; msg:"RealAudio file"; rev:1; content:| 2E 52 4D 46 00 00 00 12 00 |; offset:0; group:audio;
file type:RA; id:84; category:Multimedia; msg:"RealAudio file"; rev:1; content:| 2E 72 61 FD 00 |; offset:0; group:audio;
file type:VMDK; id:85; category:System files; msg:"Virtual Machine Disk"; rev:1; content:| 43 4F 57 44 |; offset:0;
file type:VMDK; id:86; category:System files; msg:"Virtual Machine Disk"; rev:1; content:|4B 44 4D |; offset:0;
file type:VMDK; id:87; category:System files; msg:"Virtual Machine Disk"; rev:1; content:| 23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F |; offset:0;
file type:VMDK; id:88; category:System files; msg:"Virtual Machine Disk"; rev:1; content:| 2E 03 00 00 01 |; offset:0;
file type:FLAC; id:89; category:Multimedia; msg:"Free Lossless Audio Codec file"; rev:1; content:| 66 4C 61 43 00 00 00 22 |; offset:0; group:audio;
file type:S3M; id:90; category:Multimedia; msg:"S3M audio module format"; rev:1; content:| 53 43 52 4d |; offset:0; group:audio;
file type:ASF; id:91; category:Multimedia; msg:"Microsoft Windows Media Audio/Video File "; rev:1; content:| 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C |; offset:0; group:audio;
file type:MSWORD_MAC5; id:93; category:Office Documents; msg:"Microsoft Word for Mac 5"; rev:1; content:| FE 37 00 23|; offset:0; group:office;
file type:SYLKc; id:94; category:System files; msg:"Microsoft symbolic Link"; rev:1; content:| 49 44 3B 50 |; offset:0;
file type:WP; id:95; category:Office Documents; msg:"WordPerfect text and graphics file"; rev:1; content:| FF 57 50 43|; offset:0;
file type:WP; id:96; category:Office Documents; msg:"WordPerfect text and graphics file"; rev:1; content:| 81 CD AB|; offset:0;
file type:TIFF; id:97; category:Graphics; msg:"Tagged Image File Format file"; rev:1; content:| 49 49 2A 00|; offset:0; group:multimedia;
file type:TIFF; id:98; category:Graphics; msg:"Tagged Image File Format file"; rev:1; content:| 49 20 49|; offset:0; group:multimedia;
file type:TIFF; id:99; category:Graphics; msg:"Tagged Image File Format file"; rev:1; content:| 4D 4D 00 2A|; offset:0; group:multimedia;
file type:TIFF; id:100; category:Graphics; msg:"Tagged Image File Format file"; rev:1; content:| 4D 4D 00 2B|; offset:0; group:multimedia;
file type:MWL; id:101; category:Office Documents; msg:"Metastock technical analysis program for traders"; rev:1; content:| 5b 4d 65 74 61 53 74 6f 63 6b |; offset:0;
file type:MDB; id:102; category:Office Documents; msg:"Microsoft Access file"; rev:1; content:| 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 |; offset:0;
file type:ACCDB; id:103; category:Office Documents; msg:"Microsoft Access 2007 file"; rev:1; content:| 00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42|; offset:0;
file type:MNY; id:104; category:Office Documents; msg:"Microsoft Money file"; rev:1; content:| 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65|; offset:0;
file type:REC; id:105; category:Multimedia; msg:"RealNetworks Realplayer REC"; rev:1; content:| 2e 72 65 63 00 |; offset:0;
file type:R1M; id:106; category:Multimedia; msg:"RealNetworks Realplayer R1M"; rev:1; content:| 2e 72 31 6d |; offset:0;
file type:WAB; id:107; category:Office Documents; msg:"Outlook address file"; rev:1; content:| 9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 |; offset:0; group:office;
file type:WAB; id:108; category:Office Documents; msg:"Outlook address file"; rev:1; content:| 81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76 |; offset:0; group:office;
file type:M3U; id:109; category:Multimedia; msg:"Multimedia playlists"; rev:1; content:| 23 45 58 54 4d 33 55 |; offset:0;
file type:MKV; id:110; category:Multimedia; msg:"Matroska stream file"; rev:1; content:| 1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61|; offset:0;
file type:IMG_PICT; id:111; category:Graphics; msg:"ChromaGraph Graphics Card Bitmap Graphic file"; rev:1; content:| 50 49 43 54 00 08 |; offset:0; group:multimedia;
file type:AMF; id:112; category:Multimedia; msg:"Advanced Module Format for digital music"; rev:1; content:| 41 4d 46 |; offset:0; group:audio;
file type:WEBM; id:113; category:Multimedia; msg:"WebM audio-video format"; rev:1; content:| 1A 45 DF A3|; offset:0; group:audio,video;
file type:MAYA; id:114; category:Graphics; msg:"Autodesk Maya"; rev:1; content:| 2f 2f 4d 61 79 61 |; offset:0;
file type:MIDI; id:115; category:Multimedia; msg:"Musical Instrument Digital Interface (MIDI) sound file"; rev:1; content:| 4D 54 68 64 |; offset:0; group:audio;
file type:PLS; id:116; category:Multimedia; msg:"multimedia playlists"; rev:1; content:| 5b 70 6c 61 79 6c 69 73 74 5d |; offset:0;
file type:SMIL; id:117; category:Multimedia; msg:"Synchronized Multimedia Integration Language"; rev:1; content:| 3c 73 6d 69 6c 3e |; offset:0;
file type:SAMI; id:119; category:Multimedia; msg:"Synchronized Accessible Media Interchange"; rev:1; content:| 3c 53 41 4d 49 |; offset:0;
file type:NEW_OFFICE; id:120; category:Office Documents; msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; rev:1; content:|50 4B 03 04 14 00 06 00|; offset:0; group:office;
file type:DWG; id:130; category:Graphics; msg:"Autodesk AutoCAD file (dwg) "; rev:1; content:| 41 43 31 30 |; offset:0;
file type:MDI; id:132; category:Office Documents; msg:"Microsoft Document Imaging file (mdi)"; rev:1; content:| 45 50 |; offset:0;
file type:PGD; id:133; category:System files; msg:"PGP disk image(PGD)"; rev:1; content:| 50 47 50 64 4D 41 49 4E |; offset:0;
file type:PSD; id:134; category:Graphics; msg:"Photoshop image file (PSD)"; rev:1; content:|38 42 50 53 |; offset:0;
file type:9XHIVE; id:135; category:System files; msg:"Windows 9x registry hive (REG)"; rev:1; content:| 43 52 45 47 |; offset:0;
file type:REG; id:136; category:System files; msg:"Windows Registry and Registry Undo files (REG)"; rev:1; content:| 52 45 47 45 44 49 54 |; offset:0;
file type:WMF; id:137; category:Graphics; msg:"Windows graphics metafile "; rev:1; content:| 01 00 09 00 00 03 |; offset:0;
file type:WRI; id:138; category:Office Documents; msg:"Windows Write document file (wri) "; rev:1; content:| BE 00 00 00 AB 00 00 00 00 00 00 00 00|; offset:0;
file type:RPM; id:139; category:Executables; msg:"RedHat Package Manager file"; rev:1; content:| ED AB EE DB |; offset:0;
file type:ONE; id:140; category:Office Documents; msg:"Microsoft OneNote note"; rev:1; content:| E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 |; offset:0; group:office;
file type:MP4; id:141; category:Multimedia; msg:"MPEG-4 video files"; rev:1; content:| 00 00 00 18 66 74 79 70 33 67 70 35 |; offset:0; group:video;
file type:MP4; id:142; category:Multimedia; msg:"MPEG-4 video files"; rev:1; content:| 00 00 00 14 66 74 79 70 69 73 6F 6D |; offset:0; group:video;
file type:PCAP; id:143; category:System files; msg:"Packet capture file"; rev:1; content:| D4 C3 B2 A1 |; offset:0;
file type:PCAP; id:144; category:System files; msg:"Packet capture file"; rev:1; content:|34 CD B2 A1 |; offset:0;
file type:PCAP; id:145; category:System files; msg:"Packet capture file"; rev:1; content:|A1 B2 C3 D4 |; offset:0;
file type:PCAP; id:146; category:System files; msg:"Packet capture file"; rev:1; content:|A1 B2 CD 34 |; offset:0;
file type:PCAP; id:147; category:System files; msg:"Packet capture file"; rev:1; content:|52 54 53 53 |; offset:0;
file type:BMP; id:148; category:Graphics; msg:"Bitmap image file"; rev:1; content:|42 4D |; offset:0; group:multimedia;
file type:ICO; id:149; category:Graphics; msg:"Windows icon file"; rev:1; content:| 00 00 01 00 |; offset:0;
file type:TORRENT; id:150; category:Executables; msg:"BitTorrent File"; rev:1; content:| 64 38 3A 61 6E 6E 6F 75 6E 63 65 |; offset:0;
file type:AMR; id:151; category:Multimedia; msg:"Adaptive Multi-Rate Codec File"; rev:1; content:| 23 21 41 4D 52|; offset:0;
file type:SIT; id:152; category:Archive; msg:"StuffIt compressed archive"; rev:1; content:| 53 49 54 21 00|; offset:0;
file type:PST; id:153; category:Office Documents; msg:"Microsoft Outlook Personal Folder File"; rev:1; content:| 21 42 44 4E |; offset:0; group:office;
file type:HLP; id:154; category:Office Documents; msg:"Windows Help file"; rev:1; content:| 4C 4E 02 00 |; offset:0;
file type:HLP; id:155; category:Office Documents; msg:"Windows Help file"; rev:1; content:| 3F 5F 03 00 |; offset:0;
file type:AUTORUN; id:156; category:Executables; msg:"Windows Autorun setup file"; rev:1; content:| 5B 61 75 74 6F 72 75 6E 5D 0D 0A |; offset:0;
file type:JPEG; id:157; category:Graphics; msg:"JPEG/JFIF graphics file"; rev:1; content:| FF D8 FF E1 |; offset:0; group:multimedia;
file type:ARJ; id:158; category:Archive; msg:"Compressed archive file"; rev:1; content:| 60 EA |; offset:0;
file type:MP3; id:159; category:Multimedia; msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; rev:1; content:| FF FA |; offset:0; group:audio;
file type:SIT; id:160; category:Archive; msg:"StuffIt compressed archive"; rev:1; content:| 53 74 75 66 66 49 74 20 |; offset:0;
file type:NTHIVE; id:161; category:System files; msg:"Windows NT registry hive (REG)"; rev:1; content:| 72 65 67 66 |; offset:0;
file type:WMF; id:162; category:Graphics; msg:"Windows graphics metafile "; rev:1; content:| D7 CD C6 9A |; offset:0;
file type:SIS; id:163; category:Archive; msg:"Software Installation Script, an archive for Symbian OS"; rev:1; content:| 7A 1A 20 10 |; offset:0;
file type:WRI; id:164; category:Office Documents; msg:"Windows Write document file (wri) "; rev:1; content:| 31 BE|; offset:0;
file type:WRI; id:165; category:Office Documents; msg:"Windows Write document file (wri) "; rev:1; content:| 32 BE|; offset:0;
file type:WAV; id:166; category:Multimedia; msg:"Waveform Audio File Format"; rev:1; content:| 52 49 46 46 |; offset:0; content:| 57 41 56 45 66 6D 74 20 |; offset:8; group:audio;
file type:MP4; id:167; category:Multimedia; msg:"MPEG-4 video files"; rev:1; content:| 66 74 79 70 6D 70 34 32 |; offset:4; group:video;
file type:MP4; id:168; category:Multimedia; msg:"MPEG-4 video files"; rev:1; content:| 66 74 79 70 33 67 70 35 |; offset:4; group:video;
file type:MP4; id:169; category:Multimedia; msg:"MPEG-4 video files"; rev:1; content:| 66 74 79 70 4D 53 4E 56 |; offset:4; group:video;
file type:DICM; id:170; category:Multimedia; msg:"Digital Imaging and Communications in Medicine"; rev:1; content:| 44 49 43 4D |; offset:128;
file type:ZIP_ENC; id:171; category:Archive; msg:"PKZIP encrypted archive file"; rev:1; content:| 50 4B 03 04 |; offset:0; content:| 01 |; offset:6;
file type:EICAR; id:273; category:Executables; msg:"Standard Anti-Virus Test File"; rev:1; content:| 58 35 4F 21 50 25 |; offset:0;
file type:XPS; id:275; category:Office Documents; msg:"Microsoft XML Paper Specification Document"; rev:1; content:| 50 4B 03 04 |; offset:0; content:| 46 69 78 65 64 44 6F 63 75 6D |; offset:30;
file type:XPS; id:277; category:Office Documents; msg:"Microsoft XML Paper Specification Document"; rev:1; content:| 50 4B 03 04 |; offset:0; content:| 44 6F 63 75 6D 65 6E 74 73 2F |; offset:30;
file type:XPS; id:278; category:Office Documents; msg:"Microsoft XML Paper Specification Document"; rev:1; content:| 50 4B 03 04 |; offset:0; content:| 4D 65 74 61 64 61 74 61 2F |; offset:30;
file type:DMP; id:279; category:System files; msg:"Windows crash dump file"; rev:1; content:|4D 44 4D 50 93 A7|; offset:0;
file type:DMP; id:280; category:System files; msg:"Windows crash dump file"; rev:1; content:|50 41 47 45 44 55 36 34|; offset:0;
file type:DMP; id:281; category:System files; msg:"Windows crash dump file"; rev:1; content:|50 41 47 45 44 55 4D 50|; offset:0;
file type:PDF; id:282; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 30|; offset:0; ver:1.0;
file type:PDF; id:283; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 31|; offset:0; ver:1.1;
file type:PDF; id:284; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 32|; offset:0; ver:1.2;
file type:PDF; id:285; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 33|; offset:0; ver:1.3;
file type:PDF; id:286; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 34|; offset:0; ver:1.4;
file type:PDF; id:287; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 35|; offset:0; ver:1.5;
file type:PDF; id:288; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 36|; offset:0; ver:1.6;
file type:PDF; id:289; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 37|; offset:0; ver:1.7;

530
docker/etc/gen-msg.map Archivo normal

@@ -0,0 +1,530 @@
# $Id$
# GENERATORS -> msg map
# Format: generatorid || alertid || MSG
1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
3 || 1 || snort dynamic alert
100 || 1 || spp_portscan: Portscan Detected
100 || 2 || spp_portscan: Portscan Status
100 || 3 || spp_portscan: Portscan Ended
101 || 1 || spp_minfrag: minfrag alert
102 || 1 || http_decode: Unicode Attack
102 || 2 || http_decode: CGI NULL Byte Attack
102 || 3 || http_decode: large method attempted
102 || 4 || http_decode: missing uri
102 || 5 || http_decode: double encoding detected
102 || 6 || http_decode: illegal hex values detected
102 || 7 || http_decode: overlong character detected
103 || 1 || spp_defrag: Fragmentation Overflow Detected
103 || 2 || spp_defrag: Stale Fragments Discarded
104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
105 || 1 || spp_bo: Back Orifice Traffic Detected
105 || 2 || spp_bo: Back Orifice Client Traffic Detected
105 || 3 || spp_bo: Back Orifice Server Traffic Detected
105 || 4 || spp_bo: Back Orifice Snort Buffer Attack
106 || 1 || spp_rpc_decode: Fragmented RPC Records
106 || 2 || spp_rpc_decode: Multiple Records in one packet
106 || 3 || spp_rpc_decode: Large RPC Record Fragment
106 || 4 || spp_rpc_decode: Incomplete RPC segment
106 || 5 || spp_rpc_decode: Zero-length RPC Fragment
110 || 1 || spp_unidecode: CGI NULL Attack
110 || 2 || spp_unidecode: Directory Traversal
110 || 3 || spp_unidecode: Unknown Mapping
110 || 4 || spp_unidecode: Invalid Mapping
111 || 1 || spp_stream4: Stealth Activity Detected
111 || 2 || spp_stream4: Evasive Reset Packet
111 || 3 || spp_stream4: Retransmission
111 || 4 || spp_stream4: Window Violation
111 || 5 || spp_stream4: Data on SYN Packet
111 || 6 || spp_stream4: Full XMAS Stealth Scan
111 || 7 || spp_stream4: SAPU Stealth Scan
111 || 8 || spp_stream4: FIN Stealth Scan
111 || 9 || spp_stream4: NULL Stealth Scan
111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
111 || 11 || spp_stream4: VECNA Stealth Scan
111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
111 || 13 || spp_stream4: SYN FIN Stealth Scan
111 || 14 || spp_stream4: TCP forward overlap detected
111 || 15 || spp_stream4: TTL Evasion attempt
111 || 16 || spp_stream4: Evasive retransmitted data attempt
111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt
111 || 18 || spp_stream4: Multiple acked
111 || 19 || spp_stream4: Shifting to Emergency Session Mode
111 || 20 || spp_stream4: Shifting to Suspend Mode
111 || 21 || spp_stream4: TCP Timestamp option has value of zero
111 || 22 || spp_stream4: Too many overlapping TCP packets
111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
111 || 24 || spp_stream4: Evasive FIN Packet
111 || 25 || spp_stream4: SYN on established
112 || 1 || spp_arpspoof: Directed ARP Request
112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
113 || 1 || spp_frag2: Oversized Frag
113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
113 || 3 || spp_frag2: TTL evasion detected
113 || 4 || spp_frag2: overlap detected
113 || 5 || spp_frag2: Duplicate first fragments
113 || 6 || spp_frag2: memcap exceeded
113 || 7 || spp_frag2: Out of order fragments
113 || 8 || spp_frag2: IP Options on Fragmented Packet
113 || 9 || spp_frag2: Shifting to Emegency Session Mode
113 || 10 || spp_frag2: Shifting to Suspend Mode
114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
115 || 2 || spp_asn1: Invalid ASN.1 length encoding
115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
116 || 1 || snort_decoder: WARNING: Not IPv4 datagram
116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN
116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len
116 || 4 || snort_decoder: WARNING: Bad IPv4 Options
116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options
116 || 6 || snort_decoder: WARNING: IP dgm len > captured len
116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes
116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5
116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload
116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths
116 || 55 || snort_decoder: WARNING: Truncated Tcp Options
116 || 56 || snort_decoder: WARNING: T/TCP Detected
116 || 57 || snort_decoder: WARNING: Obsolete TCP options
116 || 58 || snort_decoder: WARNING: Experimental TCP options
116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14)
116 || 95 || snort_decoder: WARNING: Truncated UDP Header
116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8
116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length
116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length
116 || 105 || snort_decoder: WARNING: ICMP Header Truncated
116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated
116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated
116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem
116 || 109 || snort_decoder: WARNING: Truncated ARP Packet
116 || 110 || snort_decoder: WARNING: Truncated EAP Header
116 || 111 || snort_decoder: WARNING: EAP Key Truncated
116 || 112 || snort_decoder: WARNING: EAP Header Truncated
116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected
116 || 130 || snort_decoder: WARNING: Bad VLAN Frame
116 || 131 || snort_decoder: WARNING: Bad LLC header
116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info
116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header
116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info
116 || 140 || snort_decoder: WARNING: Bad Token Ring Header
116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header
116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header
116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header
116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP
116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP
116 || 160 || snort_decoder: WARNING: GRE header length > payload length
116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
116 || 162 || snort_decoder: WARNING: Invalid GRE version
116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header
116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header
116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length
116 || 170 || snort_decoder: WARNING: Bad MPLS Frame
116 || 171 || snort_decoder: WARNING: MPLS Label 0 Appears in Nonbottom Header
116 || 172 || snort_decoder: WARNING: MPLS Label 1 Appears in Bottom Header
116 || 173 || snort_decoder: WARNING: MPLS Label 2 Appears in Nonbottom Header
116 || 174 || snort_decoder: WARNING: Bad use of label 3
116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. or 15 Appears in Header
116 || 176 || snort_decoder: WARNING: Too Many MPLS headers
116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated
116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4
116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length
116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits
116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes
116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0
116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
116 || 273 || snort_decoder: WARNING: IPV6 truncated header
116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len
116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len
116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0
116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address
116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address
116 || 279 || snort_decoder: WARNING: IPv6 header includes an undefined option type
116 || 280 || snort_decoder: WARNING: IPv6 address includes an unassigned multicast scope value
116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field
116 || 282 || snort_decoder: WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header
116 || 283 || snort_decoder: WARNING: IPv6 header includes two routing extension headers
116 || 285 || snort_decoder: WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280
116 || 286 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code
116 || 287 || snort_decoder: WARNING: ICMPv6 router solicitation packet with a code not equal to 0
116 || 288 || snort_decoder: WARNING: ICMPv6 router advertisement packet with a code not equal to 0
116 || 289 || snort_decoder: WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0
116 || 290 || snort_decoder: WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour
116 || 291 || snort_decoder: WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header
116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present
116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header
116 || 295 || snort_decoder: WARNING: IPv6 header includes an option which is too big for the containing header.
116 || 296 || snort_decoder: WARNING: IPv6 packet includes out-of-order extension headers
116 || 297 || snort_decoder: WARNING: Two or more GTP encapsulation layers are present
116 || 298 || snort_decoder: WARNING: GTP header length is invalid
116 || 400 || snort_decoder: WARNING: XMAS Attack Detected
116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected
116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected
116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address
116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
116 || 406 || snort_decoder: WARNING: Invalid IPv6 UDP packet, checksum zero
116 || 407 || snort_decoder: WARNING: IPV4 packet frag offset + length exceed maximum
116 || 408 || snort_decoder: WARNING: IPV4 packet from 'current net' source address
116 || 409 || snort_decoder: WARNING: IPV4 packet to 'current net' dest address
116 || 410 || snort_decoder: WARNING: IPV4 packet from multicast source address
116 || 411 || snort_decoder: WARNING: IPV4 packet from reserved source address
116 || 412 || snort_decoder: WARNING: IPV4 packet to reserved dest address
116 || 413 || snort_decoder: WARNING: IPV4 packet from broadcast source address
116 || 414 || snort_decoder: WARNING: IPV4 packet to broadcast dest address
116 || 415 || snort_decoder: WARNING: ICMP4 packet to multicast dest address
116 || 416 || snort_decoder: WARNING: ICMP4 packet to broadcast dest address
116 || 417 || snort_decoder: WARNING: ICMP4 source quence
116 || 418 || snort_decoder: WARNING: ICMP4 type other
116 || 419 || snort_decoder: WARNING: TCP urgent pointer exceeds payload length or no payload
116 || 420 || snort_decoder: WARNING: TCP SYN with FIN
116 || 421 || snort_decoder: WARNING: TCP SYN with RST
116 || 422 || snort_decoder: WARNING: TCP PDU missing ack for established session
116 || 423 || snort_decoder: WARNING: TCP has no SYN, ACK, or RST
116 || 424 || snort_decoder: WARNING: truncated eth header
116 || 425 || snort_decoder: WARNING: truncated IP4 header
116 || 426 || snort_decoder: WARNING: truncated ICMP4 header
116 || 427 || snort_decoder: WARNING: truncated ICMP6 header
116 || 428 || snort_decoder: WARNING: IPV4 packet below TTL limit
116 || 429 || snort_decoder: WARNING: IPV6 packet has zero hop limit
116 || 430 || snort_decoder: WARNING: IPV4 packet both DF and offset set
116 || 431 || snort_decoder: WARNING: ICMP6 type not decoded
116 || 432 || snort_decoder: WARNING: ICMP6 packet to multicast address
116 || 433 || snort_decoder: WARNING: DDOS shaft synflood
116 || 434 || snort_decoder: WARNING: ICMP PING NMAP
116 || 435 || snort_decoder: WARNING: ICMP icmpenum v1.1.1
116 || 436 || snort_decoder: WARNING: ICMP redirect host
116 || 437 || snort_decoder: WARNING: ICMP redirect net
116 || 438 || snort_decoder: WARNING: ICMP traceroute ipopts
116 || 439 || snort_decoder: WARNING: ICMP Source Quench
116 || 440 || snort_decoder: WARNING: Broadscan Smurf Scanner
116 || 441 || snort_decoder: WARNING: ICMP Destination Unreachable Communication Administratively Prohibited
116 || 442 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
116 || 443 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
116 || 444 || snort_decoder: WARNING: MISC IP option set
116 || 445 || snort_decoder: WARNING: MISC Large UDP Packet
116 || 446 || snort_decoder: WARNING: BAD-TRAFFIC TCP port 0 traffic
116 || 447 || snort_decoder: WARNING: BAD-TRAFFIC UDP port 0 traffic
116 || 448 || snort_decoder: WARNING: BAD-TRAFFIC IP reserved bit set
116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol
116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol
116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt
116 || 452 || snort_decoder: WARNING: BAD-TRAFFIC linux ICMP header dos attempt
116 || 453 || snort_decoder: WARNING: IPV6 ISATAP spoof
116 || 454 || snort_decoder: WARNING: PGM NAK overflow
116 || 455 || snort_decoder: WARNING: IGMP options dos
116 || 456 || snort_decoder: WARNING: too many IPV6 extension headers
116 || 457 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code
116 || 458 || snort_decoder: WARNING: bogus fragmentation packet. Possible BSD attack
116 || 459 || snort_decoder: WARNING: zero length fragment
116 || 460 || snort_decoder: WARNING: ICMPv6 node info query/response packet with a code greater than 2
116 || 461 || snort_decoder: WARNING: Deprecated IPv6 Type 0 Routing Header
116 || 462 || snort_decoder: WARNING: ERSpan Header version mismatch
116 || 463 || snort_decoder: WARNING: captured < ERSpan Type2 Header Length
116 || 464 || snort_decoder: WARNING: captured < ERSpan Type3 Header Length
116 || 467 || snort_decoder: WARNING: truncated FabricPath header
117 || 1 || spp_portscan2: Portscan detected
118 || 1 || spp_conversation: Bad IP protocol
119 || 1 || http_inspect: ASCII ENCODING
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
119 || 3 || http_inspect: U ENCODING
119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
119 || 5 || http_inspect: BASE36 ENCODING
119 || 6 || http_inspect: UTF-8 ENCODING
119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
119 || 8 || http_inspect: MULTI_SLASH ENCODING
119 || 9 || http_inspect: IIS BACKSLASH EVASION
119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
119 || 11 || http_inspect: DIRECTORY TRAVERSAL
119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
119 || 14 || http_inspect: NON-RFC DEFINED CHAR
119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
119 || 19 || http_inspect: LONG HEADER
119 || 20 || http_inspect: MAX HEADERS
119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER
119 || 24 || http_inspect: MULTIPLE HOST HEADERS DETECTED
119 || 25 || http_inspect: HOSTNAME EXCEEDS 255 CHARACTERS
119 || 26 || http_inspect: HEADER PARSING SPACE SATURATION
119 || 27 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
119 || 28 || http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS
119 || 29 || http_inspect: MULTIPLE TRUE IPS IN A SESSION
119 || 30 || http_inspect: BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT
119 || 31 || http_inspect: UNKNOWN METHOD
119 || 32 || http_inspect: SIMPLE REQUEST
119 || 33 || http_inspect: UNESCAPED SPACE IN HTTP URI
119 || 34 || http_inspect: TOO MANY PIPELINED REQUESTS
120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET
120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE
120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE
120 || 14 || http_inspect: PDF FILE DEFLATE DECOMPRESSION FAILURE
120 || 15 || http_inspect: PDF FILE UNSUPPORTED COMPRESSION TYPES
120 || 16 || http_inspect: PDF FILE CASCADED COMPRESSION
120 || 17 || http_inspect: PDF FILE PARSE FAILURE
120 || 18 || http_inspect: PROTOCOL-OTHER HTTP server response before client request
120 || 19 || http_inspect: MULTIPLE CONTENT LENGTH IN HTTP RESPONSE
120 || 20 || http_inspect: MULTIPLE CONTENT ENCODING IN HTTP RESPONSE
120 || 21 || http_inspect: MULTIPLE COLON BETWEEN KEY AND VALUE IN HTTP RESPONSE HEADER
120 || 22 || http_inspect: INVALID CHARACTER BETWEEN KEY AND VALUE IN HTTP RESPONSE HEADER
120 || 23 || http_inspect: TRANSFER ENCODING:CHUNKED IN HTTP 1.0 REQUEST/RESPONSE HEADER
120 || 24 || http_inspect: PARTIAL DECOMPRESSION FAILURE IN HTTP RESPONSE BODY
120 || 25 || http_inspect: INVALID HEADER FOLDING
120 || 26 || http_inspect: JUNK LINE BEFORE HTTP RESPONSE HEADER
120 || 27 || http_inspect: NO END OF HEADER IN HTTP RESPONSE
120 || 28 || http_inspect: INVALID CHUNK SIZE OR CHUNK SIZE FOLLOWED BY JUNK CHARACTERS
121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
122 || 1 || portscan: TCP Portscan
122 || 2 || portscan: TCP Decoy Portscan
122 || 3 || portscan: TCP Portsweep
122 || 4 || portscan: TCP Distributed Portscan
122 || 5 || portscan: TCP Filtered Portscan
122 || 6 || portscan: TCP Filtered Decoy Portscan
122 || 7 || portscan: TCP Filtered Portsweep
122 || 8 || portscan: TCP Filtered Distributed Portscan
122 || 9 || portscan: IP Protocol Scan
122 || 10 || portscan: IP Decoy Protocol Scan
122 || 11 || portscan: IP Protocol Sweep
122 || 12 || portscan: IP Distributed Protocol Scan
122 || 13 || portscan: IP Filtered Protocol Scan
122 || 14 || portscan: IP Filtered Decoy Protocol Scan
122 || 15 || portscan: IP Filtered Protocol Sweep
122 || 16 || portscan: IP Filtered Distributed Protocol Scan
122 || 17 || portscan: UDP Portscan
122 || 18 || portscan: UDP Decoy Portscan
122 || 19 || portscan: UDP Portsweep
122 || 20 || portscan: UDP Distributed Portscan
122 || 21 || portscan: UDP Filtered Portscan
122 || 22 || portscan: UDP Filtered Decoy Portscan
122 || 23 || portscan: UDP Filtered Portsweep
122 || 24 || portscan: UDP Filtered Distributed Portscan
122 || 25 || portscan: ICMP Sweep
122 || 26 || portscan: ICMP Filtered Sweep
122 || 27 || portscan: Open Port
123 || 1 || frag3: IP Options on fragmented packet
123 || 2 || frag3: Teardrop attack
123 || 3 || frag3: Short fragment, possible DoS attempt
123 || 4 || frag3: Fragment packet ends after defragmented packet
123 || 5 || frag3: Zero-byte fragment
123 || 6 || frag3: Bad fragment size, packet size is negative
123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
123 || 8 || frag3: Fragmentation overlap
123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow
123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack
123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly
123 || 12 || frag3: Number of overlapping fragments exceed configured limit
123 || 13 || frag3: Fragments smaller than configured min_fragment_length
124 || 1 || smtp: Attempted command buffer overflow
124 || 2 || smtp: Attempted data header buffer overflow
124 || 3 || smtp: Attempted response buffer overflow
124 || 4 || smtp: Attempted specific command buffer overflow
124 || 5 || smtp: Unknown command
124 || 6 || smtp: Illegal command
124 || 7 || smtp: Attempted header name buffer overflow
124 || 8 || smtp: Attempted X-Link2State command buffer overflow
124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded.
124 || 10 || smtp: Base64 Decoding failed
124 || 11 || smtp: Quoted-Printable Decoding failed
124 || 12 || smtp: Non-Encoded MIME attachment Extraction failed
124 || 13 || smtp: Unix-to-Unix Decoding failed
124 || 14 || smtp: Cyrus SASL authentication attack
125 || 1 || ftp_pp: Telnet command on FTP command channel
125 || 2 || ftp_pp: Invalid FTP command
125 || 3 || ftp_pp: FTP parameter length overflow
125 || 4 || ftp_pp: FTP malformed parameter
125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter
125 || 6 || ftp_pp: FTP response length overflow
125 || 7 || ftp_pp: FTP command channel encrypted
125 || 8 || ftp_pp: FTP bounce attack
125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel
126 || 1 || telnet_pp: Telnet consecutive AYT overflow
126 || 2 || telnet_pp: Telnet data encrypted
126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
128 || 1 || ssh: Gobbles exploit
128 || 2 || ssh: SSH1 CRC32 exploit
128 || 3 || ssh: Server version string overflow
128 || 4 || ssh: Protocol mismatch
128 || 5 || ssh: Bad message direction
128 || 6 || ssh: Payload size incorrect for the given payload
128 || 7 || ssh: Failed to detect SSH version string
129 || 1 || stream5: SYN on established session
129 || 2 || stream5: Data on SYN packet
129 || 3 || stream5: Data sent on stream not accepting data
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
129 || 6 || stream5: Window size (after scaling) larger than policy allows
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
129 || 8 || stream5: Data sent on stream after TCP Reset
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
129 || 11 || stream5: TCP Data with no TCP Flags set
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
129 || 15 || stream5: Reset outside window
129 || 16 || stream5: FIN number is greater than prior FIN
129 || 17 || stream5: ACK number is greater than prior FIN
129 || 18 || stream5: Data sent on stream after TCP Reset received
129 || 19 || stream5: TCP window closed before receiving data
129 || 20 || stream5: TCP session without 3-way handshake
130 || 1 || dcerpc: Maximum memory usage reached
131 || 1 || dns: Obsolete DNS RData Type
131 || 2 || dns: Experimental DNS RData Type
131 || 3 || dns: Client RData TXT Overflow
133 || 1 || dcerpc2: Memory cap exceeded
133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type
133 || 3 || dcerpc2: SMB - Bad SMB message type
133 || 4 || dcerpc2: SMB - Bad SMB Id (not "\xffSMB" for SMB1 or not "\xfeSMB" for SMB2)
133 || 5 || dcerpc2: SMB - Bad word count or structure size for command
133 || 6 || dcerpc2: SMB - Bad byte count for command
133 || 7 || dcerpc2: SMB - Bad format type for command
133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command
133 || 9 || dcerpc2: SMB - Zero total data count in command
133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length
133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length
133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count
133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size
133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size
133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected
133 || 16 || dcerpc2: SMB - Byte count less than command data size
133 || 17 || dcerpc2: SMB - Invalid command data size for byte count
133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses
133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses
133 || 20 || dcerpc2: SMB - Excessive command chaining
133 || 21 || dcerpc2: SMB - Multiple chained login requests
133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests
133 || 23 || dcerpc2: SMB - Chained/Compounded login followed by logoff
133 || 24 || dcerpc2: SMB - Chained/Compounded tree connect followed by tree disconnect
133 || 25 || dcerpc2: SMB - Chained/Compounded open pipe followed by close pipe
133 || 26 || dcerpc2: SMB - Invalid share access
133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version
133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version
133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type
133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size
133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified
133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size
133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind
133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request
133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request
133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request
133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
#133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
#133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
#133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
#133 || 47 || dcerpc2: SMB - Excessive command compounding
133 || 48 || dcerpc2: SMB - Zero data count
133 || 49 || dcerpc2: SMB - Data count mismatch
133 || 50 || dcerpc2: SMB - Maximum number of outstanding requests exceeded
133 || 51 || dcerpc2: SMB - Outstanding requests with the same MID
133 || 52 || dcerpc2: SMB - Deprecated dialect negotiated
133 || 53 || dcerpc2: SMB - Deprecated command used
133 || 54 || dcerpc2: SMB - Unusual command used
133 || 55 || dcerpc2: SMB - Invalid setup count
133 || 56 || dcerpc2: SMB - Client attempted multiple dialect negotiations on session
133 || 57 || dcerpc2: SMB - Client attempted to create or set a file's attributes to readonly/hidden/system
133 || 58 || dcerpc2: SMB - File offset provided is greater than file size specified
133 || 59 || dcerpc2: SMB - Nextcommand specified in SMB2 header is beyond payload boundary
134 || 1 || ppm: rule tree disabled
134 || 2 || ppm: rule tree enabled
134 || 3 || ppm: packet aborted
135 || 1 || internal: syn received
135 || 2 || internal: session established
135 || 3 || internal: session cleared
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted
137 || 1 || spp_ssl: Invalid Client HELLO after Server HELLO Detected
137 || 2 || spp_ssl: Invalid Server HELLO without Client HELLO Detected
137 || 3 || spp_ssl: Heartbeat Read Overrun Attempt Detected
137 || 4 || spp_ssl: Large Heartbeat Response Detected
138 || 2 || sensitive_data: sensitive data - Credit card numbers
138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes
138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes
138 || 5 || sensitive_data: sensitive data - eMail addresses
138 || 6 || sensitive_data: sensitive data - U.S. phone numbers
139 || 1 || sensitive_data: sensitive data global threshold exceeded
140 || 1 || sip: Maximum sessions reached
140 || 2 || sip: Empty request URI
140 || 3 || sip: URI is too long
140 || 4 || sip: Empty call-Id
140 || 5 || sip: Call-Id is too long
140 || 6 || sip: CSeq number is too large or negative
140 || 7 || sip: Request name in CSeq is too long
140 || 8 || sip: Empty From header
140 || 9 || sip: From header is too long
140 || 10 || sip: Empty To header
140 || 11 || sip: To header is too long
140 || 12 || sip: Empty Via header
140 || 13 || sip: Via header is too long
140 || 14 || sip: Empty Contact
140 || 15 || sip: Contact is too long
140 || 16 || sip: Content length is too large or negative
140 || 17 || sip: Multiple SIP messages in a packet
140 || 18 || sip: Content length mismatch
140 || 19 || sip: Request name is invalid
140 || 20 || sip: Invite replay attack
140 || 21 || sip: Illegal session information modification
140 || 22 || sip: Response status code is not a 3 digit number
140 || 23 || sip: Empty Content type
140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 are invalid
140 || 25 || sip: Mismatch in Method of request and the CSEQ header
140 || 26 || sip: The method is unknown
140 || 27 || sip: Maximum dialogs in a session reached
141 || 1 || imap: Unknown IMAP4 command
141 || 2 || imap: Unknown IMAP4 response
141 || 3 || imap: No memory available for decoding. Memcap exceeded.
141 || 4 || imap: Base64 Decoding failed
141 || 5 || imap: Quoted-Printable Decoding failed
141 || 6 || imap: Non-Encoded MIME attachment Extraction failed
141 || 7 || imap: Unix-to-Unix Decoding failed
142 || 1 || pop: Unknown POP3 command
142 || 2 || pop: Unknown POP3 response
142 || 3 || pop: No memory available for decoding. Memcap exceeded.
142 || 4 || pop: Base64 Decoding failed
142 || 5 || pop: Quoted-Printable Decoding failed
142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
142 || 7 || pop: Unix-to-Unix Decoding failed
143 || 1 || gtp: Message length is invalid
143 || 2 || gtp: Information element length is invalid
143 || 3 || gtp: Information elements are out of order
144 || 1 || modbus: Length in Modbus MBAP header does not match the length needed for the given Modbus function.
144 || 2 || modbus: Modbus protocol ID is non-zero.
144 || 3 || modbus: Reserved Modbus function code in use.
145 || 1 || dnp3: DNP3 Link-Layer Frame contains bad CRC.
145 || 2 || dnp3: DNP3 Link-Layer Frame was dropped.
145 || 3 || dnp3: DNP3 Transport-Layer Segment was dropped during reassembly.
145 || 4 || dnp3: DNP3 Reassembly Buffer was cleared without reassembling a complete message.
145 || 5 || dnp3: DNP3 Link-Layer Frame uses a reserved address.
145 || 6 || dnp3: DNP3 Application-Layer Fragment uses a reserved function code.


@@ -0,0 +1,150 @@
alert ( msg:"DECODE_NOT_IPV4_DGRAM"; sid:1; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode;)
alert ( msg:"DECODE_IPV4_INVALID_HEADER_LEN"; sid:2; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV4_DGRAM_LT_IPHDR"; sid:3; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV4OPT_BADLEN"; sid:4; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV4OPT_TRUNCATED"; sid:5; gid:116; rev:1; metadata:rule-type decode; reference:cve,2005-0048; reference:url,www.microsoft.com/technet/security/bulletin/ms05-019.mspx; classtype:protocol-command-decode;)
alert ( msg:"DECODE_IPV4_DGRAM_GT_IPHDR"; sid:6; gid:116; rev:1; metadata:rule-type decode;classtype:protocol-command-decode; )
alert ( msg:"DECODE_TCP_DGRAM_LT_TCPHDR"; sid:45; gid:116; rev:1; metadata:rule-type decode;classtype:protocol-command-decode; )
alert ( msg:"DECODE_TCP_INVALID_OFFSET"; sid:46; gid:116; rev:1; metadata:rule-type decode; reference:cve,2004-0816; classtype:bad-unknown; )
alert ( msg:"DECODE_TCP_LARGE_OFFSET"; sid:47; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_TCPOPT_BADLEN"; sid:54; gid:116; rev:1; metadata:rule-type decode; reference:bugtraq,14811; classtype:protocol-command-decode; )
alert ( msg:"DECODE_TCPOPT_TRUNCATED"; sid:55; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_TCPOPT_TTCP"; sid:56; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_TCPOPT_OBSOLETE"; sid:57; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_TCPOPT_EXPERIMENT"; sid:58; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_TCPOPT_WSCALE_INVALID"; sid:59; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_UDP_DGRAM_LT_UDPHDR"; sid:95; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_UDP_DGRAM_INVALID_LENGTH"; sid:96; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_UDP_DGRAM_SHORT_PACKET"; sid:97; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_UDP_DGRAM_LONG_PACKET"; sid:98; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMP_DGRAM_LT_ICMPHDR"; sid:105; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR"; sid:106; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMP_DGRAM_LT_ADDRHDR"; sid:107; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV4_DGRAM_UNKNOWN"; sid:108; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ARP_TRUNCATED"; sid:109; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_EAPOL_TRUNCATED"; sid:110; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_EAPKEY_TRUNCATED"; sid:111; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_EAP_TRUNCATED"; sid:112; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_PPPOE"; sid:120; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_VLAN"; sid:130; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_VLAN_ETHLLC"; sid:131; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_VLAN_OTHER"; sid:132; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_80211_ETHLLC"; sid:133; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_80211_OTHER"; sid:134; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_TRH"; sid:140; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_TR_ETHLLC"; sid:141; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_TR_MR_LEN"; sid:142; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_TRHMR"; sid:143; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_TRAFFIC_LOOPBACK"; sid:150; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )
alert ( msg:"DECODE_BAD_TRAFFIC_SAME_SRCDST"; sid:151; gid:116; rev:1; metadata:rule-type decode; reference:cve,1999-0016; reference:cve,2005-0688; reference:bugtraq,2666; reference:url,www.microsoft.com/technet/security/bulletin/ms05-019.mspx; classtype:bad-unknown; )
alert ( msg:"DECODE_GRE_DGRAM_LT_GREHDR"; sid:160; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_GRE_MULTIPLE_ENCAPSULATION"; sid:161; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_GRE_INVALID_VERSION"; sid:162; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_GRE_INVALID_HEADER"; sid:163; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_GRE_V1_INVALID_HEADER"; sid:164; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR"; sid:165; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMP_ORIG_IP_TRUNCATED"; sid:250; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_ICMP_ORIG_IP_VER_MISMATCH"; sid:251; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP"; sid:252; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMP_ORIG_PAYLOAD_LT_64"; sid:253; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMP_ORIG_PAYLOAD_GT_576"; sid:254; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET"; sid:255; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_MIN_TTL"; sid:270; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_IS_NOT"; sid:271; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_TRUNCATED_EXT"; sid:272; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_IPV6_TRUNCATED"; sid:273; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )
alert ( msg:"DECODE_IPV6_DGRAM_LT_IPHDR"; sid:274; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_DGRAM_GT_IPHDR"; sid:275; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_DST_ZERO"; sid:276; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_SRC_MULTICAST"; sid:277; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_DST_RESERVED_MULTICAST"; sid:278; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_BAD_OPT_TYPE"; sid:279; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_BAD_MULTICAST_SCOPE"; sid:280; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_BAD_NEXT_HEADER"; sid:281; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_ROUTE_AND_HOPBYHOP"; sid:282; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_TWO_ROUTE_HEADERS"; sid:283; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMPV6_TOO_BIG_BAD_MTU"; sid:285; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMPV6_UNREACHABLE_BAD_CODE"; sid:286; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMPV6_SOLICITATION_BAD_CODE"; sid:287; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMPV6_ADVERT_BAD_CODE"; sid:288; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMPV6_SOLICITATION_BAD_RESERVED"; sid:289; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMPV6_ADVERT_BAD_REACHABLE"; sid:290; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_TUNNELED_IPV4_TRUNCATED"; sid:291; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-dos; reference:cve,2008-2136; reference:bugtraq,29235; )
alert ( msg:"DECODE_IPV6_DSTOPTS_WITH_ROUTING"; sid:292; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IP_MULTIPLE_ENCAPSULATION"; sid:293; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ESP_HEADER_TRUNC"; sid:294; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_BAD_OPT_LEN"; sid:295; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_UNORDERED_EXTENSIONS"; sid:296; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_GTP_MULTIPLE_ENCAPSULATION"; sid:297; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_GTP_BAD_LEN_STR"; sid:298; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_BAD_MPLS"; sid:170; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_BAD_MPLS_LABEL0"; sid:171; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_BAD_MPLS_LABEL1"; sid:172; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_BAD_MPLS_LABEL2"; sid:173; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_BAD_MPLS_LABEL3"; sid:174; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_MPLS_RESERVEDLABEL"; sid:175; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_MPLS_LABEL_STACK"; sid:176; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_TCP_XMAS"; sid: 400; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-recon; reference:bugtraq,7700; reference:cve,2003-0393; )
alert ( msg:"DECODE_TCP_NMAP_XMAS"; sid: 401; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-recon; reference:bugtraq,7700; reference:cve,2003-0393; )
alert ( msg:"DECODE_DOS_NAPTHA"; sid: 402; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-dos; reference:bugtraq,2022; reference:cve,2000-1039; reference:nessus,275; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; )
alert ( msg:"DECODE_SYN_TO_MULTICAST"; sid: 403; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; )
alert ( msg:"DECODE_ZERO_TTL"; sid: 404; gid: 116; rev: 1; metadata: rule-type decode ; classtype:misc-activity; reference:url,support.microsoft.com/kb/q138268; reference:url,tools.ietf.org/html/rfc1122; )
alert ( msg:"DECODE_BAD_FRAGBITS"; sid: 405; gid: 116; rev: 1; metadata: rule-type decode ; classtype:misc-activity; )
alert ( msg:"DECODE_UDP_IPV6_ZERO_CHECKSUM"; sid:406; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IP4_LEN_OFFSET"; sid:407; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP4_SRC_THIS_NET"; sid:408; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP4_DST_THIS_NET"; sid:409; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP4_SRC_MULTICAST"; sid:410; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP4_SRC_RESERVED"; sid:411; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP4_DST_RESERVED"; sid:412; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP4_SRC_BROADCAST"; sid:413; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP4_DST_BROADCAST"; sid:414; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_ICMP4_DST_MULTICAST"; sid:415; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_ICMP4_DST_BROADCAST"; sid:416; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_ICMP4_TYPE_OTHER"; sid:418; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_TCP_BAD_URP"; sid:419; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_TCP_SYN_FIN"; sid:420; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_TCP_SYN_RST"; sid:421; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_TCP_MUST_ACK"; sid:422; gid:116; rev:2; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_TCP_NO_SYN_ACK_RST"; sid:423; gid:116; rev:2; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_ETH_HDR_TRUNC"; sid:424; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP4_HDR_TRUNC"; sid:425; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_ICMP4_HDR_TRUNC"; sid:426; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_ICMP6_HDR_TRUNC"; sid:427; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP4_MIN_TTL"; sid:428; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP6_ZERO_HOP_LIMIT"; sid:429; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_IP4_DF_OFFSET"; sid:430; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_ICMP6_TYPE_OTHER"; sid:431; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_ICMP6_DST_MULTICAST"; sid:432; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_TCP_SHAFT_SYNFLOOD"; sid:433; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-dos; reference:cve,2000-0138; )
alert ( msg:"DECODE_ICMP_PING_NMAP"; sid:434; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
alert ( msg:"DECODE_ICMP_ICMPENUM"; sid:435; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
alert ( msg:"DECODE_ICMP_REDIRECT_HOST"; sid:436; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
alert ( msg:"DECODE_ICMP_REDIRECT_NET"; sid:437; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
alert ( msg:"DECODE_ICMP_TRACEROUTE_IPOPTS"; sid:438; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
alert ( msg:"DECODE_ICMP_SOURCE_QUENCH"; sid:439; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
alert ( msg:"DECODE_ICMP_BROADSCAN_SMURF_SCANNER"; sid:440; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
alert ( msg:"DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED"; sid:441; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
alert ( msg:"DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED"; sid:442; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
alert ( msg:"DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED"; sid:443; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )
alert ( msg:"DECODE_IP_OPTION_SET"; sid:444; gid:116; rev:1; metadata:rule-type decode; classtype: bad-unknown; )
alert ( msg:"DECODE_UDP_LARGE_PACKET"; sid:445; gid:116; rev:1; metadata:rule-type decode; classtype: bad-unknown; )
alert ( msg:"DECODE_TCP_PORT_ZERO"; sid:446; gid:116; rev:1; metadata:rule-type decode; classtype: misc-activity; )
alert ( msg:"DECODE_UDP_PORT_ZERO"; sid:447; gid:116; rev:1; metadata:rule-type decode; classtype: misc-activity; )
alert ( msg:"DECODE_IP_RESERVED_FRAG_BIT"; sid:448; gid:116; rev:1; metadata:rule-type decode; classtype: misc-activity; )
alert ( msg:"DECODE_IP_UNASSIGNED_PROTO"; sid:449; gid:116; rev:1; metadata:rule-type decode; classtype: non-standard-protocol; )
alert ( msg:"DECODE_IP_BAD_PROTO"; sid:450; gid:116; rev:1; metadata:rule-type decode; classtype: non-standard-protocol; )
alert ( msg:"DECODE_ICMP_PATH_MTU_DOS"; sid:451; gid:116; rev:1; metadata:rule-type decode; reference:bugtraq,13124; reference:cve,2004-1060; classtype:attempted-dos;)
alert ( msg:"DECODE_ICMP_DOS_ATTEMPT"; sid:452; gid:116; rev:1; metadata:rule-type decode; reference:url,www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.3; reference:cve,2006-0454; reference:bugtraq,16532; classtype:denial-of-service;)
alert ( msg:"DECODE_IPV6_ISATAP_SPOOF"; sid:453; gid:116; rev:1; metadata:rule-type decode; reference:cve,2010-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS10-029.mspx; classtype:misc-attack; )
alert ( msg:"DECODE_PGM_NAK_OVERFLOW"; sid:454; gid:116; rev:1; metadata:rule-type decode; reference:url,www.microsoft.com/technet/security/bulletin/ms06-052.mspx; reference:cve,2006-3442; reference:bugtraq,19922; classtype:attempted-admin; )
alert ( msg:"DECODE_IGMP_OPTIONS_DOS"; sid:455; gid:116; rev:1; metadata:rule-type decode; reference:url,www.microsoft.com/technet/security/bulletin/ms06-007.mspx; reference:cve,2006-0021; reference:bugtraq,16645; classtype:attempted-dos; )
alert ( msg:"DECODE_IP6_EXCESS_EXT_HDR"; sid:456; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )
alert ( msg:"DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE"; sid:457; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_BAD_FRAG_PKT"; sid:458; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ZERO_LENGTH_FRAG"; sid:459; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ICMPV6_SOLICITATION_BAD_CODE"; sid:460; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_IPV6_ROUTE_ZERO"; sid:461; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ERSPAN_HDR_VERSION_MISMATCH_STR"; sid:462; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ERSPAN2_DGRAM_LT_HDR_STR"; sid:463; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
alert ( msg:"DECODE_ERSPAN3_DGRAM_LT_HDR_STR"; sid:464; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )
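Review bot: Nothing in this 150-rule file records where the rules came from or which Snort release they match, even though the content reads as a verbatim copy of the gid 116 decoder rules Snort ships as preproc_rules/decoder.rules; without that marker a later Snort version bump leaves the container's decoder alerts silently out of step with the engine that loads them. A one-line header such as `# Copied unmodified from the snort-<VERSION> tarball (preproc_rules/decoder.rules); re-sync whenever the pinned Snort version changes.` at the top of the file would make the provenance auditable. Separately, the six rules for sids 400 through 405 use a different option style (`sid: 400; gid: 116; rev: 1; metadata: rule-type decode ;`) from the `sid:400; gid:116; rev:1;` form used everywhere else in the file; both parse, but normalising them keeps future diffs against upstream readable. The upstream origin is inferred from the content, not from anything on this page, so confirm it before adding the comment.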


@@ -0,0 +1,9 @@
#alert ( msg: "DELETED HI_CLIENT_BASE36"; sid: 5; gid: 119; rev: 2; metadata: rule-type preproc, service http ; classtype:bad-unknown; )
#alert ( msg: "DELETED DCERPC_MEMORY_OVERFLOW"; sid: 1; gid: 130; rev: 2; metadata: rule-type preproc ; classtype:attempted-dos; )
#alert ( msg: "DELETED SMTP_DECODE_MEMCAP_EXCEEDED"; sid: 9; gid: 124; rev: 2; metadata: rule-type preproc, service smtp ; classtype:unknown; )
#alert ( msg: "DELETED ARPSPOOF_UNICAST_ARP_REQUEST"; sid: 1; gid: 112; rev: 2; metadata: rule-type preproc ; classtype:protocol-command-decode; )
#alert ( msg: "DELETED ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC"; sid: 2; gid: 112; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; )
#alert ( msg: "DELETED ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST"; sid: 3; gid: 112; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; )
#alert ( msg: "DELETED ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; )
#alert ( msg: "DELETED FRAG3_IPV6_BAD_FRAG_PKT"; sid: 10; gid: 123; rev: 2; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2007-1365; )
#alert ( msg: "DELETED FRAG3_IPV6_BSD_ICMP_FRAG"; sid: 9; gid: 123; rev: 2; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2007-1365; )


@@ -0,0 +1,268 @@
alert ( msg: "TAG_LOG_PKT"; sid: 1; gid: 2; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )
alert ( msg: "BO_TRAFFIC_DETECT"; sid: 1; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
alert ( msg: "BO_CLIENT_TRAFFIC_DETECT"; sid: 2; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; )
alert ( msg: "BO_SERVER_TRAFFIC_DETECT"; sid: 3; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660;)
alert ( msg: "BO_SNORT_BUFFER_ATTACK"; sid: 4; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,2005-3252; )
alert ( msg: "RPC_FRAG_TRAFFIC"; sid: 1; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc ; classtype:protocol-command-decode; )
alert ( msg: "RPC_MULTIPLE_RECORD"; sid: 2; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc ; classtype:protocol-command-decode; )
alert ( msg: "RPC_LARGE_FRAGSIZE"; sid: 3; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
alert ( msg: "RPC_INCOMPLETE_SEGMENT"; sid: 4; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
alert ( msg: "RPC_ZERO_LENGTH_FRAGMENT"; sid: 5; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )
alert ( msg: "ARPSPOOF_UNICAST_ARP_REQUEST"; sid: 1; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC"; sid: 2; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST"; sid: 3; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "HI_CLIENT_ASCII"; sid: 1; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2009-1535; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; reference:url,docs.idsresearch.org/http_ids_evasions.pdf; )
alert ( msg: "HI_CLIENT_DOUBLE_DECODE"; sid: 2; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2009-1122; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; )
alert ( msg: "HI_CLIENT_U_ENCODE"; sid: 3; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
alert ( msg: "HI_CLIENT_BARE_BYTE"; sid: 4; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
alert ( msg: "HI_CLIENT_UTF_8"; sid: 6; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2008-2938; reference:cve,2009-1535; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; )
alert ( msg: "HI_CLIENT_IIS_UNICODE"; sid: 7; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2009-1535; )
alert ( msg: "HI_CLIENT_MULTI_SLASH"; sid: 8; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
alert ( msg: "HI_CLIENT_IIS_BACKSLASH"; sid: 9; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )
alert ( msg: "HI_CLIENT_SELF_DIR_TRAV"; sid: 10; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
alert ( msg: "HI_CLIENT_DIR_TRAV"; sid: 11; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2001-0333; reference:cve,2002-1744; reference:cve,2008-5515; )
alert ( msg: "HI_CLIENT_APACHE_WS"; sid: 12; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
alert ( msg: "HI_CLIENT_IIS_DELIMITER"; sid: 13; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
alert ( msg: "HI_CLIENT_NON_RFC_CHAR"; sid: 14; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; )
alert ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2007-0774; reference:bugtraq,22791; reference:cve,2010-3281; reference:bugtraq,43338; reference:cve,2011-5007; )
alert ( msg: "HI_CLIENT_LARGE_CHUNK"; sid: 16; gid: 119; rev: 2; metadata: rule-type preproc, service http ; classtype:attempted-admin; reference:cve,2013-2028; )
alert ( msg: "HI_CLIENT_PROXY_USE"; sid: 17; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:protocol-command-decode; )
alert ( msg: "HI_CLIENT_WEBROOT_DIR"; sid: 18; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2001-0333; reference:cve,2002-1744; reference:cve,2008-5515; reference:cve,2015-0666; )
alert ( msg: "HI_CLIENT_LONG_HEADER"; sid: 19; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2009-4873; )
alert ( msg: "HI_CLIENT_MAX_HEADERS"; sid: 20; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_MULTIPLE_CONTLEN"; sid: 21; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CHUNK_SIZE_MISMATCH"; sid: 22; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_INVALID_TRUEIP"; sid:23; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_MULTIPLE_HOST_HDRS"; sid:24; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_LONG_HOSTNAME"; sid:25; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_EXCEEDS_SPACES"; sid:26; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos;reference:cve,2004-0942; )
alert ( msg: "HI_CLIENT_CONSECUTIVE_SMALL_CHUNK_SIZES"; sid: 27; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_UNBOUNDED POST"; sid: 28; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_MULTIPLE_TRUEIP_IN_SESSION"; sid: 29; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_BOTH_TRUEIP_XFF_HDRS"; sid: 30; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_SIMPLE_REQUEST"; sid: 32; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_UNESCAPED_SPACE_IN_URI"; sid:33; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_PIPELINE_MAX "; sid: 34; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_ANOM_SERVER_ALERT"; sid: 1; gid: 120; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )
alert ( msg: "HI_SERVER_INVALID_STATCODE"; sid: 2; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_SERVER_UTF_NORM_FAIL"; sid: 4; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_SERVER_UTF7"; sid: 5; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_SERVER_DECOMPR_FAILED"; sid: 6; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_SERVER_CONSECUTIVE_SMALL_CHUNK_SIZES"; sid: 7; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120; rev: 2; metadata: rule-type preproc ; classtype:unknown; reference:cve,2013-2028; )
alert ( msg: "HI_SERVER_JS_OBFUSCATION_EXCD"; sid: 9; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_SERVER_JS_EXCESS_WS"; sid: 10; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_SERVER_MIXED_ENCODINGS "; sid: 11; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_TCP_DECOY_PORTSCAN"; sid: 2; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_TCP_PORTSWEEP"; sid: 3; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_TCP_DISTRIBUTED_PORTSCAN"; sid: 4; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_TCP_FILTERED_PORTSCAN"; sid: 5; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_TCP_FILTERED_DECOY_PORTSCAN"; sid: 6; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_TCP_PORTSWEEP_FILTERED"; sid: 7; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN"; sid: 8; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_IP_PORTSCAN"; sid: 9; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_IP_DECOY_PORTSCAN"; sid: 10; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_IP_PORTSWEEP"; sid: 11; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_IP_DISTRIBUTED_PORTSCAN"; sid: 12; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_IP_FILTERED_PORTSCAN"; sid: 13; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_IP_FILTERED_DECOY_PORTSCAN"; sid: 14; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon;)
alert ( msg: "PSNG_IP_PORTSWEEP_FILTERED"; sid: 15; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN"; sid: 16; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_UDP_PORTSCAN"; sid: 17; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_UDP_DECOY_PORTSCAN"; sid: 18; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_UDP_PORTSWEEP"; sid: 19; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_UDP_DISTRIBUTED_PORTSCAN"; sid: 20; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_UDP_FILTERED_PORTSCAN"; sid: 21; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_UDP_FILTERED_DECOY_PORTSCAN"; sid: 22; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_UDP_PORTSWEEP_FILTERED"; sid: 23; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN"; sid: 24; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_ICMP_PORTSWEEP"; sid: 25; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_ICMP_PORTSWEEP_FILTERED"; sid: 26; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_OPEN_PORT"; sid: 27; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "FRAG3_IPOPTIONS"; sid: 1; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "FRAG3_TEARDROP"; sid: 2; gid: 123; rev: 1; metadata: rule-type preproc ; reference:cve,1999-0015; reference:bugtraq,124; classtype:attempted-dos; )
alert ( msg: "FRAG3_SHORT_FRAG"; sid: 3; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "FRAG3_ANOMALY_OVERSIZE"; sid: 4; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
alert ( msg: "FRAG3_ANOMALY_ZERO"; sid: 5; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
alert ( msg: "FRAG3_ANOMALY_BADSIZE_SM"; sid: 6; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "FRAG3_ANOMALY_BADSIZE_LG"; sid: 7; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "FRAG3_ANOMALY_OVLP"; sid: 8; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "FRAG3_IPV6_BSD_ICMP_FRAG"; sid: 9; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2007-1365; )
alert ( msg: "FRAG3_IPV6_BAD_FRAG_PKT"; sid: 10; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2007-1365; )
alert ( msg: "FRAG3_MIN_TTL"; sid: 11; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "FRAG3_EXCESSIVE_OVERLAP"; sid: 12; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; )
alert ( msg: "FRAG3_TINY_FRAGMENT"; sid: 13; gid: 123; rev: 2; metadata: rule-type preproc ; reference:cve,2005-0209; classtype:attempted-dos; )
alert ( msg: "SMTP_COMMAND_OVERFLOW"; sid: 1; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0260; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
alert ( msg: "SMTP_DATA_HDR_OVERFLOW"; sid: 2; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2002-1337; reference:cve,2010-4344; )
alert ( msg: "SMTP_RESPONSE_OVERFLOW"; sid: 3; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-user; reference:cve,2002-1090; )
alert ( msg: "SMTP_SPECIFIC_CMD_OVERFLOW"; sid: 4; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
alert ( msg: "SMTP_UNKNOWN_CMD"; sid: 5; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; )
alert ( msg: "SMTP_ILLEGAL_CMD"; sid: 6; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; )
alert ( msg: "SMTP_HEADER_NAME_OVERFLOW"; sid: 7; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0105; )
alert ( msg: "SMTP_XLINK2STATE_OVERFLOW"; sid: 8; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )
alert ( msg: "SMTP_B64_DECODING_FAILED"; sid: 10; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
alert ( msg: "SMTP_QP_DECODING_FAILED"; sid: 11; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
alert ( msg: "SMTP_BITENC_DECODING_FAILED"; sid: 12; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
alert ( msg: "SMTP_UU_DECODING_FAILED"; sid: 13; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
alert ( msg: "SMTP_AUTH_ATTACK"; sid: 14; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )
alert ( msg: "FTPP_FTP_TELNET_CMD"; sid: 1; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; reference:cve,2010-3867; reference:cve,2010-3972; reference:cve,2010-4221; reference:url,www.microsoft.com/technet/security/bulletin/MS11-004.mspx; )
alert ( msg: "FTPP_FTP_INVALID_CMD"; sid: 2; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; reference:cve,2010-4221; )
alert ( msg: "FTPP_FTP_PARAMETER_LENGTH_OVERFLOW"; sid: 3; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0286; reference:url,www.kb.cert.org/vuls/id/276653; reference:cve,1999-0368; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,2006-5815; reference:bugtraq,20992; )
alert ( msg: "FTPP_FTP_MALFORMED_PARAMETER"; sid: 4; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; )
alert ( msg: "FTPP_FTP_PARAMETER_STR_FORMAT"; sid: 5; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2000-0573; )
alert ( msg: "FTPP_FTP_RESPONSE_LENGTH_OVERFLOW"; sid: 6; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-user; reference:cve,2007-3161; reference:cve,2010-1465; reference:url,www.kb.cert.org/vuls/id/276653; )
alert ( msg: "FTPP_FTP_ENCRYPTED"; sid: 7; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; )
alert ( msg: "FTPP_FTP_BOUNCE"; sid: 8; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; reference:cve,1999-0017; reference:url,www.kb.cert.org/vuls/id/276653; )
alert ( msg: "FTPP_FTP_EVASIVE_TELNET_CMD"; sid: 9; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; )
alert ( msg: "FTPP_TELNET_AYT_OVERFLOW"; sid: 1; gid: 126; rev: 1; metadata: rule-type preproc, service telnet, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0554; )
alert ( msg: "FTPP_TELNET_ENCRYPTED"; sid: 2; gid: 126; rev: 1; metadata: rule-type preproc, service telnet ; classtype:protocol-command-decode;)
alert ( msg: "FTPP_TELNET_SUBNEG_BEGIN_NO_END"; sid: 3; gid: 126; rev: 1; metadata: rule-type preproc, service telnet ; classtype:protocol-command-decode; )
alert ( msg: "SSH_EVENT_RESPOVERFLOW"; sid: 1; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-0639; reference:cve,2002-0640; classtype:attempted-admin;)
alert ( msg: "SSH_EVENT_CRC32"; sid: 2; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-1024; reference:cve,2002-1547; reference:cve,2006-2971; reference:cve,2007-1051; reference:cve,2007-4654; classtype:attempted-admin;)
alert ( msg: "SSH_EVENT_SECURECRT"; sid: 3; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2001-1466; reference:cve,2002-1059; classtype:attempted-admin;)
alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)
alert ( msg: "SSH_EVENT_WRONGDIR"; sid: 5; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)
alert ( msg: "SSH_EVENT_PAYLOAD_SIZE"; sid: 6; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:bad-unknown;)
alert ( msg: "SSH_EVENT_VERSION"; sid: 7; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)
alert ( msg: "STREAM5_SYN_ON_EST"; sid: 1; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_DATA_ON_SYN"; sid: 2; gid: 129; rev: 1; metadata: rule-type preproc ; reference: cve,2009-1157; reference: bugtraq, 34429; classtype:protocol-command-decode; )
alert ( msg: "STREAM5_DATA_ON_CLOSED"; sid: 3; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "STREAM5_BAD_TIMESTAMP"; sid: 4; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; reference:cve,2009-1925; )
alert ( msg: "STREAM5_BAD_SEGMENT"; sid: 5; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_WINDOW_TOO_LARGE"; sid: 6; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_EXCESSIVE_TCP_OVERLAPS"; sid: 7; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_DATA_AFTER_RESET"; sid: 8; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "STREAM5_SESSION_HIJACKED_CLIENT"; sid: 9; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:attempted-user; )
alert ( msg: "STREAM5_SESSION_HIJACKED_SERVER"; sid: 10; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:attempted-user; )
alert ( msg: "STREAM5_DATA_WITHOUT_FLAGS"; sid: 11; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "STREAM5_SMALL_SEGMENT"; sid: 12; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_4WAY_HANDSHAKE"; sid: 13; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_NO_TIMESTAMP"; sid: 14; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_BAD_RST"; sid: 15; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_BAD_FIN"; sid: 16; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_BAD_ACK"; sid: 17; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_DATA_AFTER_RST_RCVD"; sid: 18; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_WINDOW_SLAM"; sid: 19; gid: 129; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2013-0075; )
alert ( msg: "DNS_EVENT_OBSOLETE_TYPES"; sid: 1; gid: 131; rev: 1; metadata: rule-type preproc, service dns ; classtype:protocol-command-decode; )
alert ( msg: "DNS_EVENT_EXPERIMENTAL_TYPES"; sid: 2; gid: 131; rev: 1; metadata: rule-type preproc, service dns ; classtype:protocol-command-decode; )
alert ( msg: "DNS_EVENT_RDATA_OVERFLOW"; sid: 3; gid: 131; rev: 1; metadata: rule-type preproc, service dns, policy security-ips drop ; classtype:attempted-admin; reference:cve,2006-3441; reference:url,www.microsoft.com/technet/security/bulletin/ms06-041.mspx; )
alert ( msg: "DCE2_EVENT__MEMCAP"; sid: 1; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: attempted-dos; )
alert ( msg: "DCE2_EVENT__SMB_BAD_NBSS_TYPE"; sid: 2; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_BAD_TYPE"; sid: 3; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_BAD_ID"; sid: 4; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_BAD_WCT"; sid: 5; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_BAD_BCC"; sid: 6; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_BAD_FORMAT"; sid: 7; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_BAD_OFF"; sid: 8; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_TDCNT_ZERO"; sid: 9; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_NB_LT_SMBHDR"; sid: 10; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_NB_LT_COM"; sid: 11; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_NB_LT_BCC"; sid: 12; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_NB_LT_DSIZE"; sid: 13; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_TDCNT_LT_DSIZE"; sid: 14; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_DSENT_GT_TDCNT"; sid: 15; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_BCC_LT_DSIZE"; sid: 16; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_INVALID_DSIZE"; sid: 17; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS"; sid: 18; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_READS"; sid: 19; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_CHAINING"; sid: 20; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_MULT_CHAIN_SS"; sid: 21; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_MULT_CHAIN_TC"; sid: 22; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_CHAIN_SS_LOGOFF"; sid: 23; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_CHAIN_TC_TDIS"; sid: 24; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE"; sid: 25; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_INVALID_SHARE"; sid: 26; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_BAD_MAJ_VERSION"; sid: 27; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_BAD_MIN_VERSION"; sid: 28; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_BAD_PDU_TYPE"; sid: 29; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_FLEN_LT_HDR"; sid: 30; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_FLEN_LT_SIZE"; sid: 31; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_ZERO_CTX_ITEMS"; sid: 32; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_ZERO_TSYNS"; sid: 33; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG"; sid: 34; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_FRAG_GT_MAX_XMIT_FRAG"; sid: 35; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_ALTER_CHANGE_BYTE_ORDER"; sid: 36; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_CALL_ID"; sid: 37; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_OPNUM"; sid: 38; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_CTX_ID"; sid: 39; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CL_BAD_MAJ_VERSION"; sid: 40; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CL_BAD_PDU_TYPE"; sid: 41; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CL_DATA_LT_HDR"; sid: 42; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__CL_BAD_SEQ_NUM"; sid: 43; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_DCNT_ZERO"; sid: 48; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_DCNT_MISMATCH"; sid: 49; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_MAX_REQS_EXCEEDED"; sid: 50; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_REQS_SAME_MID"; sid: 51; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_DEPR_DIALECT_NEGOTIATED"; sid: 52; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_DEPR_COMMAND_USED"; sid: 53; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_UNUSUAL_COMMAND_USED"; sid: 54; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_INVALID_SETUP_COUNT"; sid: 55; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_MULTIPLE_NEGOTIATIONS"; sid: 56; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "DCE2_EVENT__SMB_EVASIVE_FILE_ATTRS"; sid: 57; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )
alert ( msg: "PPM_EVENT_RULE_TREE_DISABLED"; sid: 1; gid: 134; rev: 1; metadata: rule-type preproc ; classtype: not-suspicious; )
alert ( msg: "PPM_EVENT_RULE_TREE_ENABLED"; sid: 2; gid: 134; rev: 1; metadata: rule-type preproc ; classtype: not-suspicious; )
alert ( msg: "INTERNAL_EVENT_SYN_RECEIVED"; sid: 1; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; )
alert ( msg: "INTERNAL_EVENT_SESSION_ADD"; sid: 2; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; )
alert ( msg: "INTERNAL_EVENT_SESSION_DEL"; sid: 3; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; )
alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SSL_INVALID_CLIENT_HELLO"; sid: 1; gid: 137; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-011; reference:cve,2004-0120; reference:bugtraq,10115; )
alert ( msg: "SSL_INVALID_SERVER_HELLO"; sid: 2; gid: 137; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; )
alert ( msg: "SIP_EVENT_MAX_SESSIONS"; sid: 1; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_EMPTY_REQUEST_URI"; sid: 2; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2007-1306; )
alert ( msg: "SIP_EVENT_BAD_URI"; sid: 3; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_EMPTY_CALL_ID"; sid: 4; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_BAD_CALL_ID"; sid: 5; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_BAD_CSEQ_NUM"; sid: 6; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_BAD_CSEQ_NAME"; sid: 7; gid: 140; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2006-3524; )
alert ( msg: "SIP_EVENT_EMPTY_FROM"; sid: 8; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_BAD_FROM"; sid: 9; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_EMPTY_TO"; sid: 10; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_BAD_TO"; sid: 11; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_EMPTY_VIA"; sid: 12; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:bugtraq,25446; )
alert ( msg: "SIP_EVENT_BAD_VIA"; sid: 13; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_EMPTY_CONTACT"; sid: 14; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_BAD_CONTACT"; sid: 15; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_BAD_CONTENT_LEN"; sid: 16; gid: 140; rev: 2; metadata: rule-type preproc ; reference:cve,2014-3360; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-sip; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_MULTI_MSGS"; sid: 17; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_MISMATCH_CONTENT_LEN"; sid: 18; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_INVALID_CSEQ_NAME"; sid: 19; gid: 140; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2006-3524; )
alert ( msg: "SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK"; sid: 20; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_AUTH_INVITE_DIFF_SESSION"; sid: 21; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_BAD_STATUS_CODE"; sid: 22; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_EMPTY_CONTENT_TYPE"; sid: 23; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:bugtraq,25300; )
alert ( msg: "SIP_EVENT_INVALID_VERSION"; sid: 24; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_MISMATCH_METHOD"; sid: 25; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_UNKOWN_METHOD"; sid: 26; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "SIP_EVENT_MAX_DIALOGS_IN_A_SESSION"; sid: 27; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; )
alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; )
alert ( msg: "IMAP_MEMCAP_EXCEEDED"; sid: 3; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
alert ( msg: "IMAP_B64_DECODING_FAILED"; sid: 4; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
alert ( msg: "IMAP_QP_DECODING_FAILED"; sid: 5; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
alert ( msg: "IMAP_BITENC_DECODING_FAILED"; sid: 6; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
alert ( msg: "IMAP_UU_DECODING_FAILED"; sid: 7; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
alert ( msg: "POP_UNKNOWN_CMD"; sid: 1; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; )
alert ( msg: "POP_UNKNOWN_RESP"; sid: 2; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; )
alert ( msg: "POP_MEMCAP_EXCEEDED"; sid: 3; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
alert ( msg: "POP_B64_DECODING_FAILED"; sid: 4; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
alert ( msg: "POP_QP_DECODING_FAILED"; sid: 5; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
alert ( msg: "POP_BITENC_DECODING_FAILED"; sid: 6; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
alert ( msg: "POP_UU_DECODING_FAILED"; sid: 7; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
alert ( msg: "GTP_EVENT_BAD_MSG_LEN"; sid: 1; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )
alert ( msg: "GTP_EVENT_BAD_IE_LEN"; sid: 2; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )
alert ( msg: "GTP_EVENT_OUT_OF_ORDER_IE"; sid: 3; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )
alert ( msg: "MODBUS_BAD_LENGTH"; sid:1; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "MODBUS_BAD_PROTO_ID"; sid:2; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "MODBUS_RESERVED_FUNCTION"; sid:3; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "DNP3_BAD_CRC"; sid:1; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "DNP3_DROPPED_FRAME"; sid:2; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "DNP3_DROPPED_SEGMENT"; sid:3; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "DNP3_REASSEMBLY_BUFFER_CLEARED"; sid:4; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "DNP3_RESERVED_ADDRESS"; sid:5; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "DNP3_RESERVED_FUNCTION"; sid:6; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )


@@ -0,0 +1,5 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;)

16
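--- a/docker/etc/reference.config
+++ b/docker/etc/reference.config
@@ -0,0 +1,16 @@
+# $Id$
+# The following defines URLs for the references found in the rules
+#
+# config reference: system URL
+config reference: bugtraq http://www.securityfocus.com/bid/
+config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
+config reference: arachNIDS http://www.whitehats.com/info/IDS
+config reference: osvdb http://osvdb.org/show/osvdb/
+# Note, this one needs a suffix as well.... lets add that in a bit.
+config reference: McAfee http://vil.nai.com/vil/content/v_
+config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
+config reference: url http://
+config reference: msb http://technet.microsoft.com/en-us/security/bulletin/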
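Review bot: Every reference system in this file is defined with a plain `http://` base, including the catch-all `config reference: url http://`, so each `reference:url,...` and `reference:cve,...` in the rule files becomes an unencrypted link when an analyst clicks through from an alert; where the target supports it the base should be `https://`, e.g. `config reference: cve https://cve.mitre.org/cgi-bin/cvename.cgi?name=` and `config reference: msb https://technet.microsoft.com/en-us/security/bulletin/`. As far as I know several of the listed hosts (osvdb.org, whitehats.com, the securityfocus BID path) no longer serve these pages, so a one-line comment such as `# osvdb/arachNIDS/bugtraq mappings are retained only so legacy rules parse; the sites are defunct` would spare the next reader a dead-link hunt. The `# $Id$` keyword suggests this is the stock Snort file copied unchanged, which is fine for a lab, but the "needs a suffix" note on the McAfee line is an inherited upstream TODO that should either be resolved or marked as such.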


@@ -0,0 +1,185 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# APP-DETECT RULES
#------------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26287; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org"; flow:to_server,established; content:"Host|3A| search.dnssearch.org|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26286; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Chocoplayer successful installation"; flow:to_server,established; content:"/post/player.php"; http_uri; content:"type="; http_client_body; content:"mac="; distance:0; http_client_body; content:"os="; distance:0; http_client_body; metadata:policy security-ips drop, service http; reference:url,www.chocoplayer.com; classtype:misc-activity; sid:25981; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"APP-DETECT Ammyy remote access tool"; flow:to_server,established; content:"POST"; http_method; content:"|0A|Host|3A 20|rl.ammyy.com|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.ammyy.com; classtype:policy-violation; sid:25947; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner XSS attempt"; flow:to_server,established; content:">=|5C|xa2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25365; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt"; flow:to_server,established; content:"<ScRiPt>prompt("; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25364; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner URI injection attempt"; flow:to_server,established; content:"http:/www.acunetix.com"; fast_pattern:only; http_uri; content:"Acunetix-"; nocase; http_header; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25363; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt"; flow:to_server,established; content:"PHNjcmlwdD"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25362; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner RFI attempt"; flow:to_server,established; content:"src=/testasp.vulnweb.com/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25361; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner authentication attempt"; flow:to_server,established; content:"password=g00dPa$$w0rD"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25360; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner probe attempt"; flow:to_server,established; content:"/acunetix-wvs-test-for-some-inexistent-file"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25359; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scan attempt"; flow:to_server,established; flowbits:set,acunetix-scan; content:"Acunetix-"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25358; rev:4;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"APP-DETECT Apple Messages service server request attempt"; flow:to_client,established; ssl_state:server_hello; content:"|2A|.ess.apple.com"; fast_pattern:only; metadata:service http; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:25083; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"APP-DETECT Apple Messages client side certificate request attempt"; flow:to_client,established; ssl_state:server_hello; content:"albert.apple.com"; fast_pattern:only; metadata:service http; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:25082; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|courier|04|push|05|apple|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:25081; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT Apple Messages push.apple.com DNS TXT request attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|push|05|apple|03|com|00 00 10 00 01|"; fast_pattern:only; metadata:service dns; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:25080; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Steam game URI handler"; flow:to_client,established; file_data; content:"steam|3A 2F 2F|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf; reference:url,steamcommunity.com; classtype:policy-violation; sid:24397; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_client; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 17 24 47 50 00|"; within:6; distance:2; replace:"|00 00 00 00 00 00|"; metadata:service teamview; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24098; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_server,established; content:"|11 30 39|"; depth:3; replace:"|00 00 00|"; metadata:service teamview; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24097; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_client,established; content:"|11 30 39|"; depth:3; replace:"|00 00 00|"; metadata:service teamview; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24096; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Teamviewer installer download attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"T|00|e|00|a|00|m|00|V|00|i|00|e|00|w|00|e|00|r"; content:"www.teamviewer.com"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24095; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"APP-DETECT Teamviewer control server ping"; flow:to_server; content:"teamviewer"; fast_pattern:only; metadata:service dns; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24094; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt"; flow:to_client,established; flowbits:isset,kindle.request; content:"application/kindle-chrome-scriptable-plugin"; fast_pattern:only; metadata:service http; reference:url,www.mobileread.com/forums/showthread.php?t=175368; classtype:policy-violation; sid:23617; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Amazon Kindle 3.0 User-Agent string requested"; flow:to_server,established; content:"Kindle/3.0+"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3A[^\r\n]+Kindle\x2F3\x2E0\x2B/Hsmi"; flowbits:set,kindle.request; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23616; rev:4;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT ptunnel icmp proxy"; itype:8; content:"|D5 20 08 80|"; depth:4; reference:url,www.cs.uit.no/~daniels/PingTunnel/; classtype:policy-violation; sid:21853; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT User-Agent known user agent - GetRight"; flow:to_server,established; content:"User-Agent|3A| GetRight"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/file/D96B3F575AEFE5E1560BC6B89069C9DE04784DAD449CC7B2F2CE3786CAB99861/analysis/; classtype:trojan-activity; sid:21488; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 24800 (msg:"APP-DETECT Synergy network kvm usage detected"; flow:established; content:"Synergy"; depth:7; offset:4; nocase; flowbits:set,synergy; reference:url,synergy-foss.org; classtype:attempted-admin; sid:21332; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Thunder p2p application activity detection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"thunder"; nocase; http_uri; content:"sandai"; nocase; http_header; metadata:service http; reference:url,en.wikipedia.org/wiki/Xunlei; classtype:policy-violation; sid:21172; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Thunder p2p application activity detection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"thunder"; nocase; http_uri; content:"xunlei"; nocase; http_header; metadata:service http; reference:url,en.wikipedia.org/wiki/Xunlei; classtype:policy-violation; sid:21171; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1978 (msg:"APP-DETECT Apple OSX Remote Mouse usage"; flow:to_server,established; content:"mos "; fast_pattern:only; pcre:"/mos\s{2}\dm\s\d/"; reference:url,pastebin.com/F81NCiYE; classtype:policy-violation; sid:20443; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"APP-DETECT Dropbox desktop software in use"; flow:to_client,established; content:"|30 14 06 03 55 04 03 14 0D 2A|.dropbox.com"; nocase; classtype:policy-violation; sid:18609; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Dropbox desktop software in use"; flow:to_server,established; content:"/subscribe?host_int="; nocase; http_uri; content:"dropbox.com"; nocase; http_header; metadata:service http; classtype:policy-violation; sid:18608; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 17185 (msg:"APP-DETECT VxWorks remote debugging agent login attempt"; content:"|00 00 00 00 00 00 00 02 55 55 55 55 00 00 00 01 00 00 00 01|"; depth:20; offset:4; reference:cve,2010-2965; reference:url,blog.metasploit.com/2010/08/vxworks-vulnerabilities.html; reference:url,www.kb.cert.org/vuls/id/362332; classtype:protocol-command-decode; sid:17110; rev:4;)
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"APP-DETECT Tandberg VCS SSH default key"; flow:to_client,established; content:"|BF E2 52 B5 9A 23 8F E9 FE 10 49 C4 36 BD 31 85 D6 7E 41 C9 15 42 F1 01|"; fast_pattern:only; reference:cve,2009-4510; reference:url,www.tandberg.com/video-conferencing-network-infrastructure/video-communication-server.jsp; reference:url,www.vsecurity.com/resources/advisory/20100409-1/; classtype:misc-activity; sid:16680; rev:8;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"APP-DETECT Nintendo Wii SSL Server Hello"; flow:to_client,established; ssl_state:server_hello; content:"Nintendo of America Inc"; fast_pattern:only; content:"noa.nintendo.com"; classtype:policy-violation; sid:15185; rev:4;)
# alert udp $HOME_NET 5353 -> 224.0.0.251 5353 (msg:"APP-DETECT Apple iTunes server multicast DNS response"; content:"Library|05|_daap|04|_tcp|05|local"; fast_pattern:only; content:"|00|!"; depth:2; offset:51; content:"|0E|i"; depth:2; offset:65; metadata:service dns; reference:url,www.apple.com/itunes/; reference:url,www.multicastdns.org; classtype:misc-activity; sid:13900; rev:7;)
# alert tcp $HOME_NET any -> any 3689 (msg:"APP-DETECT Apple iTunes client login attempt"; flow:to_server,established; flowbits:isset,itunes.serverinfo.request; content:"/login"; depth:6; offset:4; nocase; metadata:service http; reference:url,www.apple.com/itunes/; classtype:misc-activity; sid:13899; rev:8;)
alert tcp $HOME_NET any -> any 3689 (msg:"APP-DETECT Apple iTunes client request for server info"; flow:to_server,established; content:"/server-info"; flowbits:set,itunes.serverinfo.request; flowbits:noalert; metadata:service http; reference:url,www.apple.com/itunes/; classtype:misc-activity; sid:13898; rev:8;)
# alert tcp $EXTERNAL_NET !22 -> $HOME_NET any (msg:"APP-DETECT SSH server detected on non-standard port"; flow:to_client,established; content:"SSH-"; depth:4; nocase; pcre:"/^SSH-[12]\.\d+/smi"; reference:url,www.ietf.org/rfc/rfc4251.txt; classtype:protocol-command-decode; sid:13586; rev:4;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"APP-DETECT failed FTP login attempt"; flow:to_client,established; content:"530 "; depth:4; metadata:policy security-ips alert, service ftp; reference:url,www.ietf.org/rfc/rfc0959.txt; classtype:misc-activity; sid:13360; rev:6;)
# alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"APP-DETECT failed IMAP login attempt - invalid username/password"; flow:to_client,established; content:"NO LOGIN"; fast_pattern:only; pcre:"/^\s*\w+\s+NO LOGIN/smi"; metadata:policy security-ips alert, service imap; reference:url,www.ietf.org/rfc/rfc3501.txt; classtype:misc-activity; sid:13359; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Google Desktop activity"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; pcre:"/User-Agent\x3A[^\n\r]+Google[^\n\r]+Desktop/smiH"; metadata:service http; classtype:policy-violation; sid:7861; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443,8200] (msg:"APP-DETECT GoToMyPC remote control attempt"; flow:to_server,established; content:"jedi"; nocase; content:"request="; distance:0; nocase; content:"jedi="; distance:0; nocase; metadata:service http; reference:url,www.gotomypc.com/remote_access/pc_remote_access; classtype:policy-violation; sid:7034; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443,8200] (msg:"APP-DETECT GoToMyPC local service running"; flow:to_server,established; content:"jedi request"; fast_pattern:only; metadata:service http; reference:url,www.gotomypc.com/remote_access/pc_remote_access; classtype:policy-violation; sid:7033; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT GoToMyPC startup"; flow:to_server,established; content:"Jedi?request=ping&jedi=100"; fast_pattern:only; nocase; http_uri; metadata:service http; reference:url,www.gotomypc.com/howItWorks.tmpl; classtype:policy-violation; sid:7032; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 5060 (msg:"APP-DETECT Gizmo register VOIP state"; content:"INVITE sip|3A|"; nocase; content:"User-Agent|3A|"; nocase; content:"Gizmo"; fast_pattern:only; pcre:"/^User-Agent\x3A[^\n\r]+Gizmo/smi"; metadata:service sip; reference:url,www.gizmoproject.com; classtype:policy-violation; sid:6407; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Kontiki runtime detection"; flow:to_server,established; content:"User-Agent|3A| Kontiki Client"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,www.extremetech.com/article2/0,3973,365073,00.asp; classtype:policy-violation; sid:5797; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"APP-DETECT remote desktop protocol attempted administrator connection request"; flow:to_server,established; content:"|E0|"; depth:1; offset:5; content:"mstshash=Administr"; distance:0; nocase; reference:bugtraq,14259; reference:cve,2005-1218; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-041; classtype:misc-activity; sid:4060; rev:9;)
# alert udp any any -> 255.255.255.255 23945 (msg:"APP-DETECT Data Rescue IDA Pro startup license check attempt"; flow:to_server; dsize:40; content:"IDA|00 01 00 00 00|"; depth:8; classtype:policy-violation; sid:3628; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"APP-DETECT distccd remote command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; metadata:ruleset community; reference:url,distcc.samba.org/security.html; classtype:policy-violation; sid:3061; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"APP-DETECT PCAnywhere server response"; content:"ST"; depth:2; metadata:ruleset community; classtype:misc-activity; sid:566; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"APP-DETECT VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; metadata:ruleset community; classtype:misc-activity; sid:560; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT psyBNC access"; flow:to_client,established; content:"Welcome!psyBNC@lam3rz.de"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:493; rev:11;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"APP-DETECT iodine dns tunneling handshake server ACK"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00|"; depth:5; offset:4; content:"v"; within:1; distance:4; content:"VACK"; within:200; fast_pattern; metadata:service dns; reference:url,code.kryo.se/iodine/README.html; classtype:policy-violation; sid:27046; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT OzymanDNS dns tunneling down attempt"; flow:to_server,no_stream; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"id-"; distance:6; fast_pattern; content:"down"; within:10; distance:2; detection_filter:track by_dst, count 8, seconds 1; metadata:impact_flag red, service dns; reference:url,dankaminsky.com/2004/07/29/51/; classtype:policy-violation; sid:27541; rev:4;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT OzymanDNS dns tunneling up attempt"; flow:to_server,no_stream; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"-0"; distance:6; content:"id-"; within:3; distance:1; fast_pattern; content:"up"; within:8; detection_filter:track by_src, count 18, seconds 1; metadata:impact_flag red, service dns; reference:url,dankaminsky.com/2004/07/29/51/; classtype:policy-violation; sid:27540; rev:4;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"APP-DETECT TCP over DNS response attempt"; flow:to_client,no_stream; content:"|C0 0C 00 10 00 01 00 00 00 1E|"; content:!"|00 00 02 00 01|"; distance:0; detection_filter:track by_dst, count 8, seconds 1; pcre:"/[\x5e\x7d\x7b\x21\x5b\x5d\x5f\x60\x24\x25\x2a\x3c\x3e\x23\x3a\x3f\x2b\x7c]{2,50}?/smiR"; metadata:service dns; reference:url,analogbit.com/tcp-over-dns_howto; classtype:policy-violation; sid:27536; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"APP-DETECT Heyoka outbound communication attempt"; flow:to_server,no_stream; content:"|01 00 00 00 00 00 00|"; depth:7; offset:5; content:"|FF FF|"; within:2; distance:5; content:"|00 10 00 01|"; within:70; distance:10; detection_filter:track by_src, count 8, seconds 1; metadata:service dns; classtype:policy-violation; sid:27669; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"APP-DETECT Heyoka initial outbound connection attempt"; flow:to_server; content:"PQRSTUVWXYZ|5B 5C 5D 5E 5F A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:27668; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"APP-DETECT NSTX DNS tunnel outbound connection attempt"; flow:to_server,no_stream; content:"|01 00 00 00 00 00 00|"; depth:7; offset:5; content:"cT"; within:2; distance:1; fast_pattern; content:"|00 10 00 01|"; within:80; distance:10; detection_filter:track by_src, count 9, seconds 1; metadata:service dns; classtype:policy-violation; sid:27700; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"APP-DETECT Splashtop personal download attempt"; flow:to_server,established; content:"GET"; http_method; content:"/Splashtop_Personal_"; nocase; http_uri; content:".exe"; within:20; distance:3; nocase; http_uri; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27934; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"APP-DETECT Splashtop streamer download attempt"; flow:to_server,established; content:"GET"; http_method; content:"/Splashtop_Streamer_"; nocase; http_uri; content:".exe"; within:20; distance:3; nocase; http_uri; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27933; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Splashtop domain devicevm.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|devicevm|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:misc-activity; sid:27932; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Splashtop domain splashtop.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|splashtop|03|net|00|"; fast_pattern:only; metadata:service dns; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:misc-activity; sid:27931; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Splashtop domain splashtop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|splashtop|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:misc-activity; sid:27930; rev:1;)
# alert tcp $HOME_NET [1024:] -> $EXTERNAL_NET [6783,6784,6785] (msg:"APP-DETECT Splashtop communication attempt"; flow:stateless,no_stream; content:"|17 03 00 00 20|"; depth:5; detection_filter:track by_dst, count 75, seconds 1; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27929; rev:3;)
# alert tcp $EXTERNAL_NET [6783,6784,6785] -> $HOME_NET [1024:65535] (msg:"APP-DETECT Splashtop connection attempt"; flow:to_client,established; content:"Splashtop Inc. Self CA"; fast_pattern:only; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27928; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"APP-DETECT Splashtop inbound connection negotiation attempt"; flow:to_client,established; dsize:140; content:"|20 00 88 00 00 0C 00 84 00 00 00 00 00 05 01|"; depth:15; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27927; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Splashtop Streamer certificate server connect attempt"; flow:to_server,established; content:"api.splashtop.com"; fast_pattern:only; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27926; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Splashtop Personal download attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"S|00|p|00|l|00|a|00|s|00|h|00|t|00|o|00|p|00 20 00|P|00|e|00|r|00|s|00|o|00|n|00|a|00|l|00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27925; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Splashtop Streamer download attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"CreateVRootshttp://www.splashtop.com/remotecaRemoveVRootsISCHECKFORPRODUCTUPDATES"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27924; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Splashtop connection negotiation attempt"; flow:to_server,established; dsize:4; content:"|20 00 C8 00|"; depth:4; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27923; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Splashtop outbound connection attempt"; flow:to_server,established; content:"/api/fulong"; fast_pattern:only; http_uri; content:"Referer: ver="; nocase; content:"Host:"; distance:0; nocase; http_header; content:"splashtop.com"; within:20; distance:2; nocase; http_header; metadata:service http; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27922; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"APP-DETECT Dynamic Internet Technology Freegate application zip download attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/loc/software/fg/740/fg740p.zip"; nocase; http_uri; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:28001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"APP-DETECT Dynamic Internet Technology Freegate application executable download attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/loc/software/fg/740/fg740p.exe"; nocase; http_uri; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:28000; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Possible Dynamic Internet Technology Frontgate application PING"; icode:0; itype:8; ttl:1; content:"89|3A 3B|<=>?"; depth:8; offset:24; metadata:policy security-ips alert; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27999; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|15|washingtonchinareview|03|org|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27998; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dongtaiwang|03|net|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27997; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|nbgtr|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27996; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ewsxz|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27995; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dit-inc|02|us|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27994; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xcder|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27993; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com"; flow:to_client; content:"|81 80|"; depth:2; offset:2; content:"|00 01 00 01 00 02 00 02|"; within:8; content:"|0C|ziyouforever"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27992; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|ziyouforever|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27991; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|umikl|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27990; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|mjuyh|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27989; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dongtaiwang|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27988; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|vfrtg|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27987; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|rfvcd|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27986; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|hjuyv|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27985; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|dfgvx|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27984; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Dynamic Internet Technology Freegate application zip download attempt"; flow:to_client,established; file_data; flowbits:isset,file.zip; content:"|00 15 00|fg740p.exe"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27983; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Dynamic Internet Technology Freegate application executable download attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"D|00|y|00|n|00|a|00|m|00|i|00|c|00 20 00|I|00|n|00|t|00|e|00|r|00|n|00|e|00|t|00 20 00|T|00|e|00|c|00|h|00|n|00|o|00|l|00|o|00|g|00|y|00 2C 00 20 00|I|00|n|00|c"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27982; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT 360.cn SafeGuard local HTTP management console access attempt"; flow:to_server,established; content:"/login.php?refer=%2F"; fast_pattern:only; http_uri; metadata:service http; reference:url,en.wikipedia.org/wiki/360_Safeguard; reference:url,research.zscaler.com/2011/05/is-360cn-evil.html; reference:url,www.alexa.com/siteinfo/360safe.com; reference:url,www.virustotal.com/en/domain/360safe.com/information/; classtype:trojan-activity; sid:28071; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|360safe|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,en.wikipedia.org/wiki/360_Safeguard; reference:url,research.zscaler.com/2011/05/is-360cn-evil.html; reference:url,www.alexa.com/siteinfo/360safe.com; reference:url,www.virustotal.com/en/domain/360safe.com/information/; classtype:trojan-activity; sid:28070; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|360|02|cn|00|"; fast_pattern:only; metadata:service dns; reference:url,en.wikipedia.org/wiki/360_Safeguard; reference:url,research.zscaler.com/2011/05/is-360cn-evil.html; reference:url,www.alexa.com/siteinfo/360.cn; reference:url,www.virustotal.com/en/domain/360.cn/information/; classtype:trojan-activity; sid:28069; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT 360.cn Safeguard runtime outbound communication"; flow:to_server,established; content:"/instcomp.htm?soft="; nocase; http_uri; content:"&status="; within:11; nocase; http_uri; content:"&mid="; within:9; nocase; http_uri; pcre:"/\&status=\d{4}\&mid=\w{32}/Ui"; metadata:service http; reference:url,en.wikipedia.org/wiki/360_Safeguard; reference:url,research.zscaler.com/2011/05/is-360cn-evil.html; reference:url,www.alexa.com/siteinfo/360.cn; reference:url,www.virustotal.com/en/domain/360.cn/information/; classtype:misc-activity; sid:28068; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"APP-DETECT Bizhi Sogou Wallpaper application download schema response"; flow:to_client,established; content:"200"; http_stat_code; content:"[sogoubizhi]"; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/en/domain/bizhi.sogou.com/information/; classtype:misc-activity; sid:28246; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt"; flow:to_server,established; content:"User-Agent: BIZHI_"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/domain/bizhi.sogou.com/information/; classtype:misc-activity; sid:28245; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Foca file scanning attempt"; flow:to_server,established; content:"User-Agent|3A 20|FOCA|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1083; reference:url,www.softwarecrew.com/2011/10/foca-free-3-0-scans-your-website-for-document-based-security-leaks/; classtype:attempted-recon; sid:29354; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Baidu IME runtime detection - remote sync"; flow:to_server,established; content:"/cgi-bin/getmsg.cgi"; fast_pattern:only; http_uri; content:"Referrer|3A| http|3A 2F 2F|sync|2E|ime|2E|baidu|2E|jp"; nocase; http_header; metadata:service http; reference:url,ajw.asahi.com/article/behind_news/social_affairs/AJ201312260081; classtype:attempted-recon; sid:29322; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"APP-DETECT Baidu IME download attempt"; flow:established,to_server; flowbits:isset,file.exe; file_data; content:"|64 3A 5C 63 79 67 77 69 6E 5C 68 6F 6D 65 5C 73 63 6D 70 66 5C 63 6F 6D 70 69 6C 65 72 5F 73 72 63 5C 68 75 61 6E 67 64 69 5F|"; fast_pattern:only; content:"|5F 77 69 6E 33 32 5C 30 5C 61 70 70 5C 67 65 6E 73 6F 66 74 5C 69 6D 65 2D 6A 70 5C 62 61 69 64 75 69 6D 65 5C 6F 75 74 5C 42 61 69 64 75 4A 50 5F 53 65 74 75 70 5F 4D 49 4E 49 2E 70 64 62|"; metadata:service smtp; reference:url,ajw.asahi.com/article/behind_news/social_affairs/AJ201312260081; classtype:policy-violation; sid:29321; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Baidu IME download attempt"; flow:established,to_client; flowbits:isset,file.exe; file_data; content:"|64 3A 5C 63 79 67 77 69 6E 5C 68 6F 6D 65 5C 73 63 6D 70 66 5C 63 6F 6D 70 69 6C 65 72 5F 73 72 63 5C 68 75 61 6E 67 64 69 5F|"; fast_pattern:only; content:"|5F 77 69 6E 33 32 5C 30 5C 61 70 70 5C 67 65 6E 73 6F 66 74 5C 69 6D 65 2D 6A 70 5C 62 61 69 64 75 69 6D 65 5C 6F 75 74 5C 42 61 69 64 75 4A 50 5F 53 65 74 75 70 5F 4D 49 4E 49 2E 70 64 62|"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,ajw.asahi.com/article/behind_news/social_affairs/AJ201312260081; classtype:policy-violation; sid:29320; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"APP-DETECT VPN Over DNS application download attempt"; flow:to_server,established; flowbits:isset,file.zip|file.apk; file_data; content:"assets/dns160.png"; fast_pattern:only; content:"assets/dns240.png"; nocase; content:"assets/dns320.png"; within:150; nocase; content:"assets/fond-Snow-UI-Kit-2.png"; within:150; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,vpnoverdns.com; classtype:policy-violation; sid:29383; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT VPN Over DNS application download attempt"; flow:to_client,established; flowbits:isset,file.zip|file.apk; file_data; content:"assets/dns160.png"; fast_pattern:only; content:"assets/dns240.png"; nocase; content:"assets/dns320.png"; within:150; nocase; content:"assets/fond-Snow-UI-Kit-2.png"; within:150; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,vpnoverdns.com; classtype:policy-violation; sid:29382; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT VPN Over DNS outbound traffic attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vpnoverdns|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,vpnoverdns.com; classtype:policy-violation; sid:29381; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Paros proxy outbound connection attempt"; flow:to_server, established; content:"User-Agent|3A 20|"; http_header; content:"Paros"; distance:0; fast_pattern; http_header; pcre:"/User-Agent\x3a\s[^\x0d\x0a]*Paros/H"; metadata:service http; reference:url,sourceforge.net/projects/paros; classtype:policy-violation; sid:30195; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5279 (msg:"APP-DETECT Anyplace usage attempt"; flow:to_server,established; content:"|AA 25 00 BF A3 5C 37 A4 09 1F C4 04 3F B6 34 E9 EA 45 0B 01 6E B0 9E 53 FF 15 A1 7C A0 4E 17 62|"; fast_pattern:only; reference:url,www.anyplace-control.com; classtype:web-application-activity; sid:30254; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"APP-DETECT Anyplace proxy header detected"; flow:to_server,established; content:"HTTP/1.1 005|0D 0A|VE"; depth:16; metadata:service http; reference:url,www.anyplace-control.com; classtype:web-application-activity; sid:30253; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Ufasoft bitcoin miner possible data upload"; flow:to_server,established; content:"User-Agent|3A| Ufasoft"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,ufasoft.com/open/bitcoin/; classtype:policy-violation; sid:26395; rev:4;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|tnseed|06|ppcoin|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30875; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|seed2|03|net|09|terracoin|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30874; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|seed1|07|qrkcoin|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30873; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|seed1|03|net|09|terracoin|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30872; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|seed1|0F|metiscoininvest|04|info|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30871; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|06|ppcoin|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30870; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.mophides.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|08|mophides|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30869; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|08|dogecoin|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30868; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.dogechain.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|09|dogechain|04|info|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30867; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|09|dglibrary|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30866; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|0C|bitcoinstats|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30865; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dvcstable02|07|dvcnode|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30864; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dvcstable01|07|dvcnode|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30863; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|03|xpm|0B|altcointech|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30862; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|03|ppc|0B|altcointech|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30861; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|03|ltc|07|xurious|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30860; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0D|litecointools|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30859; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0C|litecoinpool|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30858; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0C|koin-project|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30857; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0B|feathercoin|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30856; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|02|fc|0B|altcointech|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30855; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|09|btcltcftc|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30854; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bitseed|03|xf2|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30853; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000,8080,8787,5005] (msg:"APP-DETECT Oracle Java debug wire protocol remote debugging attempt"; flow:to_server,established; dsize:14; content:"JDWP-Handshake"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-6639; reference:url,blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html; reference:url,docs.oracle.com/javase/7/docs/technotes/guides/jpda/jdwp-spec.html; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm1; classtype:protocol-command-decode; sid:31302; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"APP-DETECT Xolominer outbound connection attempt"; flow:to_server,established; content:"|22|"; depth:1; content:"|00|"; within:1; distance:34; reference:url,www.virustotal.com/en/file/41cff4db42730a6d9b2a8c69ebc94df571c35b5983824747512f23352c9d0aae/analysis/; classtype:policy-violation; sid:31532; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET any (msg:"APP-DETECT I2P UPNP query attempt"; flow:to_server, established; content:"/upnphost/udhisapi.dll?content"; fast_pattern:only; content:"User-Agent: I2P Java"; content:"Connection: close"; metadata:service http; reference:url,geti2p.net; classtype:misc-activity; sid:32866; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT I2P DNS request attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|PC|07|malware|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,geti2p.net; classtype:trojan-activity; sid:32865; rev:1;)
# alert udp $HOME_NET 137 -> $HOME_NET 137 (msg:"APP-DETECT I2P NetBIOS name resolution request attempt"; content:"FAEDCOENEBEMFHEBFCEFCOEDEPENCAAA|00|"; fast_pattern:only; metadata:service netbios-ns; reference:url,geti2p.net; classtype:misc-activity; sid:32864; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com"; flow:to_server,established; content:"Host|3A| search64.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32851; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com"; flow:to_server,established; content:"Host|3A| search2.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32850; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com"; flow:to_server,established; content:"Host|3A| search.us.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32849; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za"; flow:to_server,established; content:"Host|3A| namequery.nettrace.co.za|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32848; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com"; flow:to_server,established; content:"Host|3A| bh.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32847; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - absolute.com"; flow:to_server,established; content:".absolute.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; pcre:"/^m\d+\.absolute\.com$/Hi"; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32846; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223"; flow:to_server,established; content:"Host|3A| 209.53.113.223|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32845; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT I2P traffic transmission attempt"; flow:to_server,established; content:"Host:"; content:".i2p|0D 0A|"; within:100; nocase; metadata:service http; reference:url,geti2p.net; classtype:policy-violation; sid:33430; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT TeamViewer remote administration tool outbound connection attempt"; flow:to_server,established; content:"client=DynGate"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:34463; rev:4;)
# alert udp $EXTERNAL_NET 53 -> any any (msg:"APP-DETECT Your-Freedom DNS tunneling query response attempt"; flow:to_client; byte_test:1,!&,0x01,2; content:"|03|s"; nocase; content:"|03|1yf|02|de|00|"; distance:2; nocase; metadata:service dns; reference:url,your-freedom.net; classtype:misc-activity; sid:34497; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT Your-Freedom DNS tunneling query attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|s"; nocase; content:"|03|1yf|02|de|00|"; distance:2; nocase; metadata:service dns; reference:url,your-freedom.net; classtype:misc-activity; sid:34496; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT 12P DNS request attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|b32|03|i2p|00|"; fast_pattern:only; metadata:service dns; reference:url,geti2p.net; classtype:misc-activity; sid:37062; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Jenkins Groovy script access through script console attempt"; flow:to_server,established; content:"POST /jenkins/script"; fast_pattern:only; metadata:service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jenkins_script_console.rb; reference:url,wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console; classtype:policy-violation; sid:37354; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN startup attempt"; flow:to_server,established; content:"/be_client_cgi/perr?browser="; fast_pattern:only; http_uri; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37306; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,22222,22223] (msg:"APP-DETECT Hola VPN tunnel keep alive"; flow:to_server,established; content:"/hola_trigger?ping=tunnel"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37305; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,22222,22223] (msg:"APP-DETECT Hola VPN non-http port ping"; flow:to_server,established; content:"/ping?rmt_ver"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37304; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN X-Hola-Version header attempt"; flow:to_server,established; content:"X-Hola-Version:"; fast_pattern:only; http_header; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37303; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt"; flow:to_server,established; content:"X-Hola-Version:"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37302; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN startup attempt"; flow:to_server,established; content:"/www/hola/pub/"; fast_pattern:only; http_uri; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37301; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN startup attempt"; flow:to_server,established; content:"/access/popular"; fast_pattern:only; http_uri; content:"Host"; http_header; content:"hola.org"; within:50; http_header; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37300; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN installation attempt"; flow:to_server,established; content:"User-Agent: hola_get"; fast_pattern:only; http_header; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37299; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN installation attempt"; flow:to_server,established; content:"User-Agent: wget|0D 0A|Host: perr.hola.org"; fast_pattern:only; http_header; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37298; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Bloomberg web crawler outbound connection"; flow:to_server,established; content:"User-Agent: BLP_bbot"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,irwebreport.com/20110223/bloomberg-bot-strikes-again-transocean-earnings-leaked; classtype:misc-activity; sid:38594; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"APP-DETECT OpenVAS Scanner User-Agent attempt"; flow:to_server,established; content:"User-Agent:"; http_header; content:"OpenVAS"; within:50; fast_pattern; http_header; metadata:service http; classtype:web-application-activity; sid:40335; rev:2;)
# alert udp any 68 -> any 67 (msg:"APP-DETECT Intel AMT DHCP boot request detected"; flow:to_server; content:"|01 01 06|"; depth:3; content:"|37 09 06 03 01 0F 42 43 0D 2C 0C FF 00 00 00|"; isdataat:!1,relative; metadata:policy max-detect-ips drop, service dhcp; reference:url,www-ssl.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html; classtype:policy-violation; sid:42492; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT HTTPTunnel proxy outbound connection detected"; flow:to_server,established; content:"/index.html?crap="; fast_pattern:only; http_uri; metadata:service http; reference:url,http-tunnel.sourceforge.net/; classtype:policy-violation; sid:43565; rev:1;)


@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------------
# ATTACK-RESPONSES RULES
#------------------------


@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------
# BACKDOOR RULES
#----------------


@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------
# BAD-TRAFFIC RULES
#-------------------


@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# BLACKLIST RULES
#-----------------


@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# BOTNET-CNC RULES
#------------------


@@ -0,0 +1,74 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------------
# BROWSER-CHROME RULES
#----------------------
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome net-internals uri fragment identifier XSS attempt"; flow:established,to_client; file_data; content:"chrome://net-internals/view-cache/"; nocase; pcre:"/^\x23([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/iR"; metadata:service http; reference:bugtraq,39667; reference:cve,2010-1503; reference:url,code.google.com/p/chromium/issues/detail?id=40137; classtype:attempted-user; sid:23471; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome https spoofing attempt"; flow:to_client,established; file_data; content:"view|2D|source"; nocase; content:"http|3A 2F 2F|"; distance:1; content:"url|3D|https"; distance:0; pcre:"/view\x2Dsource\x3Ahttp\x3A\x2F\x2F[^\x3B]*?url\x3Dhttps/smi"; metadata:service http; reference:url,blog.acrossecurity.com/2012/01/google-chrome-https-address-bar.html; classtype:attempted-recon; sid:21166; rev:3;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome FTP handling out-of-bounds array index denial of service attempt"; flow:to_client,established; content:"|22 22|"; pcre:"/^2\d{2}[^\n]*?\x22{2}/"; metadata:service ftp; reference:bugtraq,39183; classtype:attempted-dos; sid:16795; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome and Apple Safari Ruby before and after memory corruption"; flow:to_client,established; file_data; content:"<ruby>"; fast_pattern:only; content:"ruby|3A|"; pcre:"/ruby\s*{\s*float\x3a.*?ruby\x3a(before|after).*?(display\x3atable|counter-reset\x3a)/si"; metadata:service http; reference:cve,2011-1440; classtype:attempted-user; sid:29755; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome FileSystemObject clsid access"; flow:to_client,established; file_data; content:"clsid:0D43FE01-F093-11CF-8940-00A0C9054228"; fast_pattern:only; metadata:service http; reference:bugtraq,36947; reference:cve,2009-3934; classtype:attempted-user; sid:21446; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome XSSAuditor filter security policy bypass attempt"; flow:to_client,established; file_data; content:"<iframe"; nocase; content:"srcdoc"; within:20; nocase; content:"<script>"; within:10; nocase; pcre:"/<iframe[^>]*?srcdoc\s?=\s?[\x22\x27]<script>/smi"; metadata:service http; reference:bugtraq,65066; reference:url,blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html; reference:url,googlechromereleases.blogspot.ca/2014/01/stable-channel-update.html; reference:url,trac.webkit.org/changeset/158676; classtype:attempted-user; sid:30252; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt"; flow:to_server,established; file_data; content:"<embed "; nocase; content:"application/pdf"; within:125; nocase; content:".addEventListener"; nocase; content:".innerHTML"; nocase; content:".reload("; nocase; content:"fromCharCode"; fast_pattern:only; pcre:"/\.innerHTML\s*?\x3d\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:service smtp; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31599; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt"; flow:to_server,established; file_data; content:"<object "; nocase; content:"application/pdf"; within:125; nocase; content:".addEventListener"; nocase; content:".innerHTML"; nocase; content:".reload("; nocase; content:"fromCharCode"; fast_pattern:only; pcre:"/\.innerHTML\s*?\x3d\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:service smtp; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31598; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt"; flow:to_server,established; file_data; content:"<embed|20|"; content:"application/pdf"; within:100; content:".addEventListener|28|"; distance:0; content:"DOMContentLoaded"; within:20; fast_pattern; content:".reload|28|"; within:200; metadata:service smtp; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31597; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt"; flow:to_client,established; file_data; content:"<embed|20|"; content:"application/pdf"; within:100; content:".addEventListener|28|"; distance:0; content:"DOMContentLoaded"; within:20; fast_pattern; content:".reload|28|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31596; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt"; flow:to_server,established; file_data; content:"<object|20|"; content:"application/pdf"; within:100; content:".addEventListener|28|"; distance:0; content:"DOMContentLoaded"; within:20; fast_pattern; content:".reload|28|"; within:200; metadata:service smtp; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31595; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt"; flow:to_client,established; file_data; content:"<object|20|"; content:"application/pdf"; within:100; content:".addEventListener|28|"; distance:0; content:"DOMContentLoaded"; within:20; fast_pattern; content:".reload|28|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:31594; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt"; flow:to_server,established; file_data; content:"if (i<50) document.getElementById(|22|iframeSpecial|22|).contentDocument.location = o"; fast_pattern:only; metadata:service smtp; reference:bugtraq,66243; reference:cve,2014-1713; reference:url,code.google.com/p/chromium/issues/detail?id=352374; classtype:attempted-user; sid:32320; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink locationAttributeSetter use after free attempt"; flow:to_client,established; file_data; content:"if (i<50) document.getElementById(|22|iframeSpecial|22|).contentDocument.location = o"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,66243; reference:cve,2014-1713; reference:url,code.google.com/p/chromium/issues/detail?id=352374; classtype:attempted-user; sid:32319; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt"; flow:to_client,established; file_data; content:"<object "; nocase; content:"application/pdf"; within:125; nocase; content:".addEventListener"; nocase; content:".innerHTML"; nocase; content:".reload("; nocase; content:"fromCharCode"; fast_pattern:only; pcre:"/\.innerHTML\s*?\x3d\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:33662; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt"; flow:to_client,established; file_data; content:"<embed "; nocase; content:"application/pdf"; within:125; nocase; content:".addEventListener"; nocase; content:".innerHTML"; nocase; content:".reload("; nocase; content:"fromCharCode"; fast_pattern:only; pcre:"/\.innerHTML\s*?\x3d\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,62752; reference:cve,2013-2912; classtype:attempted-user; sid:33661; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-CHROME Google Chrome Pepper Flash same-origin-policy bypass attempt"; flow:to_server,established; content:"X-Requested-With: ShockwaveFlash/"; fast_pattern:only; http_header; content:"Referer: "; http_header; content:"Content-Type: multipart/form-data"; http_header; content:"User-Agent: "; http_header; content:"Chrome/"; distance:0; http_header; metadata:service http; reference:cve,2015-0337; classtype:misc-attack; sid:33962; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome and Apple Safari runin handling use after free attempt"; flow:to_client,established; file_data; content:"display: run-in|3B|"; content:"display: inline-table|3B|"; distance:0; content:"document.execCommand('removeFormat')|3B|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3068; classtype:attempted-user; sid:23015; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome FileSystemObject function call"; flow:to_client,established; file_data; content:"Scripting.FileSystemObject"; fast_pattern:only; content:"<script"; nocase; content:"Scripting.FileSystemObject"; distance:0; nocase; content:"</script>"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36947; reference:cve,2009-3931; classtype:attempted-user; sid:21447; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome and Apple Safari Ruby before and after memory corruption"; flow:to_client,established; file_data; content:"<ruby>"; fast_pattern:only; content:"ruby|3A|"; pcre:"/(before|after).*?((display\x3atable|counter-reset\x3a)|(counter-reset\x3a|display\x3atable)).*?ruby\s*{\s*float\x3a/siR"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1440; classtype:attempted-user; sid:20579; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome float rendering corruption attempt"; flow:to_client,established; file_data; content:"display: list-item"; content:"display: -webkit-inline-box"; fast_pattern:only; content:"removeChild|28|"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1804; classtype:attempted-user; sid:19710; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Uninitialized bug_report Pointer Code Execution"; flow:to_client,established; flowbits:isset,file.crx; file_data; content:"|43 72 32 34|"; content:"|95 78 B9 6A 79 B9 00 50 4B 01 02 00 00 14 00 00|"; distance:664; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45788; reference:cve,2011-0470; reference:cve,2011-0471; reference:cve,2011-0472; reference:cve,2011-0473; reference:cve,2011-0474; reference:cve,2011-0475; reference:cve,2011-0476; reference:cve,2011-0477; reference:cve,2011-0478; reference:cve,2011-0479; reference:cve,2011-0480; reference:cve,2011-0481; reference:cve,2011-0482; reference:cve,2011-0483; reference:cve,2011-0484; reference:cve,2011-0485; classtype:attempted-user; sid:19217; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Uninitialized bug_report Pointer Code Execution"; flow:to_client,established; flowbits:isset,file.crx; file_data; content:"|43 72 32 34|"; content:"|07 2A 6F D1 6B B6 E8 CB A4 A9 C4 9C 67 42 1C FE|"; within:16; distance:537; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45788; reference:cve,2011-0470; reference:cve,2011-0471; reference:cve,2011-0472; reference:cve,2011-0473; reference:cve,2011-0474; reference:cve,2011-0475; reference:cve,2011-0476; reference:cve,2011-0477; reference:cve,2011-0478; reference:cve,2011-0479; reference:cve,2011-0480; reference:cve,2011-0481; reference:cve,2011-0482; reference:cve,2011-0483; reference:cve,2011-0484; reference:cve,2011-0485; classtype:attempted-user; sid:19216; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Apple Safari/Google Chrome Webkit memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|dialog|20|style|3D 27|position|3A|relative|27 3E|"; fast_pattern:only; content:"|3C|h|20|style|3D 27|outline|2D|style|3A|auto|27 3E|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43078; reference:cve,2010-1813; classtype:attempted-user; sid:19005; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt"; flow:to_client,established; file_data; content:"|3C|iframe"; nocase; content:"src=|22|http|3A 2F 2F|www.google.ca|2F|language_tools?hl=en|22|"; within:100; nocase; content:"window.open|28 27|"; within:500; content:"alert|28|document.cookie|29 27|"; within:75; pcre:"/window\.open\x28\x27[\w\W]{0,35}\x3aalert\x28document\.cookie\x29\x27/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16668; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt"; flow:to_client,established; file_data; content:"|3C|iframe"; nocase; content:"src=|22|https|3A 2F 2F|www.google.com|2F|accounts|2F|ManageAccount?hl=fr|22|"; within:100; nocase; content:"window.open|28 27|"; within:500; content:"alert|28|document.cookie|29 27|"; within:75; pcre:"/window\.open\x28\x27[\w\W]{0,35}\x3aalert\x28document\.cookie\x29\x27/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16667; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BROWSER-CHROME Google Chrome xssauditor policy bypass command injection attempt"; flow:to_server,established; content:"<svg>"; fast_pattern:only; http_uri; content:"<script>"; http_uri; content:"/<"; distance:0; http_uri; metadata:service http, service ssl; reference:url,codereview.chromium.org/1187843005/; reference:url,vulnerable.info/browsers/bypassing-chromes-anti-xss-filter/; classtype:attempted-user; sid:35412; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BROWSER-CHROME Google Chrome XSSAuditor Policy ByPass command injection attempt"; flow:to_server,established; content:"%3Csvg%3E%"; fast_pattern:only; http_client_body; content:"%3Cscript%3E"; http_client_body; pcre:"/(%2F|\/|\x2f)(%3c|\x3c|\<)/i"; metadata:service http, service ssl; reference:url,codereview.chromium.org/1187843005/; reference:url,vulnerable.info/browsers/bypassing-chromes-anti-xss-filter/; classtype:attempted-user; sid:35411; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt"; flow:to_server,established; file_data; content:"document.createElement"; nocase; content:"embed"; within:50; nocase; content:".type"; within:50; nocase; content:"application/x-google-chrome-pdf"; within:60; nocase; content:"addEventListener"; within:200; nocase; content:".postMessage"; within:200; nocase; content:"event.data.selectedText"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-1302; reference:url,code.google.com/p/chromium/issues/detail?id=520422; classtype:misc-attack; sid:37327; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt"; flow:to_client,established; file_data; content:"document.createElement"; nocase; content:"embed"; within:50; nocase; content:".type"; within:50; nocase; content:"application/x-google-chrome-pdf"; within:60; nocase; content:"addEventListener"; within:200; nocase; content:".postMessage"; within:200; nocase; content:"event.data.selectedText"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1302; reference:url,code.google.com/p/chromium/issues/detail?id=520422; classtype:misc-attack; sid:37326; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome same origin policy bypass attempt"; flow:to_client,established; file_data; content:"contentWindow.onunload"; nocase; content:".src"; within:75; nocase; content:"javascript|3A|"; within:50; nocase; content:"<script>"; within:75; nocase; content:"XMLHttpRequest"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6768; classtype:policy-violation; sid:37325; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt"; flow:to_server,established; file_data; content:"<!--"; content:"saved from url=("; within:50; nocase; content:"--"; within:50; content:"--"; within:50; pcre:"/<!--[^>]+saved from url=\x28[^>\x20]+--[^>]+--/i"; metadata:service smtp; reference:cve,2015-6784; classtype:attempted-dos; sid:37311; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt"; flow:to_client,established; file_data; content:"<!--"; content:"saved from url=("; within:50; nocase; content:"--"; within:50; content:"--"; within:50; pcre:"/<!--[^>]+saved from url=\x28[^>\x20]+--[^>]+--/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6784; classtype:attempted-dos; sid:37310; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_server,established; file_data; content:"createImageData"; content:"createImageBitmap"; fast_pattern:only; pcre:"/createImageBitmap\x28[^\x29]*?(\d{5}|0x\d{4})/s"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5182; classtype:attempted-admin; sid:43118; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_client,established; file_data; content:"createImageData"; content:"createImageBitmap"; fast_pattern:only; pcre:"/createImageBitmap\x28[^\x29]*?(\d{5}|0x\d{4})/s"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5182; classtype:attempted-admin; sid:43117; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome V8 engine integer overflow attempt"; flow:to_server,established; file_data; content:".getImageData"; fast_pattern:only; content:".__proto__"; content:".length"; content:"Array"; content:".concat("; isdataat:1000,relative; content:!")"; within:1000; metadata:service smtp; reference:url,securityfocus.com/bid/36149/info; classtype:attempted-admin; sid:43956; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome V8 engine integer overflow attempt"; flow:to_client,established; file_data; content:".getImageData"; fast_pattern:only; content:".__proto__"; content:".length"; content:"Array"; content:".concat("; isdataat:1000,relative; content:!")"; within:1000; metadata:service ftp-data, service http, service imap, service pop3; reference:url,securityfocus.com/bid/36149/info; classtype:attempted-admin; sid:43955; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_client,established; file_data; content:"imageData.data[i] = 0xFF|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5182; classtype:attempted-admin; sid:45767; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_server,established; file_data; content:"imageData.data[i] = 0xFF|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-5182; classtype:attempted-admin; sid:45766; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_server,established; file_data; content:"imageData.data[i] = 0x41|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-5182; classtype:attempted-admin; sid:45765; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_server,established; file_data; content:"imgData.data[i] = 0x41|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-5182; classtype:attempted-admin; sid:45764; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_client,established; file_data; content:"imgData.data[i] = 0xFF|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5182; classtype:attempted-admin; sid:45763; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_client,established; file_data; content:"imgData.data[i] = 0x41|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5182; classtype:attempted-admin; sid:45762; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_client,established; file_data; content:"imageData.data[i] = 0x41|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5182; classtype:attempted-admin; sid:45761; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt"; flow:to_server,established; file_data; content:"imgData.data[i] = 0xFF|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-5182; classtype:attempted-admin; sid:45760; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Crankshaft type confusion attempt"; flow:to_server,established; file_data; content:"() {eval(|27|var"; content:"[i][0] ="; distance:0; content:"e-311|3B|"; within:75; metadata:service smtp; reference:cve,2017-5070; classtype:attempted-user; sid:46978; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Crankshaft type confusion attempt"; flow:to_client,established; file_data; content:"() {eval(|27|var"; content:"[i][0] ="; distance:0; content:"e-311|3B|"; within:75; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-5070; classtype:attempted-user; sid:46977; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome Crankshaft type confusion attempt"; flow:to_client,established; file_data; content:"function carry_me_plz(arr,obj)"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-5070; classtype:attempted-user; sid:46976; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome Crankshaft type confusion attempt"; flow:to_server,established; file_data; content:"function carry_me_plz(arr,obj)"; fast_pattern:only; metadata:service smtp; reference:cve,2017-5070; classtype:attempted-user; sid:46975; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt"; flow:to_server,established; file_data; content:"new ArrayBuffer("; content:"__defineGetter__("; within:40; content:"return 0xffff"; distance:0; fast_pattern; nocase; metadata:service smtp; reference:cve,2014-1705; classtype:attempted-user; sid:47019; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt"; flow:to_client,established; file_data; content:"new ArrayBuffer("; content:"__defineGetter__("; within:40; content:"return 0xffff"; distance:0; fast_pattern; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1705; classtype:attempted-user; sid:47018; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME Google Chrome FileReader use after free attempt"; flow:to_client,established; file_data; content:"FileReader|28|"; nocase; content:"Blob|28|"; within:200; fast_pattern; nocase; content:".result"; within:200; nocase; content:"readAsArrayBuffer|28|"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,107213; reference:cve,2019-5786; reference:url,chromium-review.googlesource.com/c/chromium/src/+/1495209; classtype:attempted-user; sid:49361; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME Google Chrome FileReader use after free attempt"; flow:to_server,established; file_data; content:"FileReader|28|"; nocase; content:"Blob|28|"; within:200; fast_pattern; nocase; content:".result"; within:300; nocase; content:"readAsArrayBuffer|28|"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,107213; reference:cve,2019-5786; reference:url,chromium-review.googlesource.com/c/chromium/src/+/1495209; classtype:attempted-user; sid:49360; rev:1;)
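Review bot: This file is a verbatim snapshot of a licensed third-party ruleset rather than content written for this repository: its header states the rules are Copyright 2001-2019 Sourcefire and distributed under the VRT Certified Rules License Agreement, so the right to redistribute them from here should be confirmed before the repository is published, and the header must stay intact. Because it is a snapshot, detection content is frozen at the newest sid visible here (49361, CVE-2019-5786) and will silently age inside the lab image unless the files are refreshed from upstream. Every rule except the last two (sids 49361 and 49360) is commented out, so as shipped only the Chrome FileReader rules can fire; the rest need uncommenting or rule-state tooling before they contribute to a lab. A provenance line at the top, e.g. `# Vendored Talos/VRT ruleset snapshot (2019); refresh from upstream rather than editing in place`, would record this for the next maintainer.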


@@ -0,0 +1,304 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# BROWSER-FIREFOX RULES
#-----------------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-FIREFOX Possible Mozilla Firefox Plugin install from non-Mozilla source"; flow:to_server,established; content:!"mozilla"; http_header; content:".xpi"; nocase; http_uri; pcre:"/\.xpi$/Ui"; metadata:ruleset community, service http; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:26659; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_server,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; fast_pattern:only; content:"return res.slice(0, str.length * num)"; metadata:service smtp; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:26188; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt"; flow:to_server,established; file_data; content:"new RegExp|28|"; content:"RegExp.input"; content:"document.write|28|regexp."; fast_pattern:only; pcre:"/for\s*?\x28.*?\x7b(?P<match>\w*).*?\x7d.*?for\s*?\x28.*?\x7b(?P<string>\w*).*?\x7d.*?new\s*?RegExp\x28\s*?(?P=match).*?\x2eexec\x28\s*?(?P=string)/smi"; metadata:service smtp; reference:cve,2011-2983; classtype:attempted-recon; sid:25292; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt"; flow:to_server,established; file_data; content:"new RegExp|28|"; content:"RegExp.input"; content:"document.write|28|regexp."; fast_pattern:only; pcre:"/for\s*?\x28.*?\x7b(?P<string>\w*).*?\x7d.*?for\s*?\x28.*?\x7b(?P<match>\w*).*?\x7d.*?new\s*?RegExp\x28\s*?(?P=match).*?\x2eexec\x28\s*?(?P=string)/smi"; metadata:service smtp; reference:cve,2011-2983; classtype:attempted-recon; sid:25291; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt"; flow:to_client,established; file_data; content:"new RegExp|28|"; content:"RegExp.input"; content:"document.write|28|regexp."; fast_pattern:only; pcre:"/for\s*?\x28.*?\x7b(?P<match>\w*).*?\x7d.*?for\s*?\x28.*?\x7b(?P<string>\w*).*?\x7d.*?new\s*?RegExp\x28\s*?(?P=match).*?\x2eexec\x28\s*?(?P=string)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2983; classtype:attempted-recon; sid:25290; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt"; flow:to_client,established; file_data; content:"new RegExp|28|"; content:"RegExp.input"; content:"document.write|28|regexp."; fast_pattern:only; pcre:"/for\s*?\x28.*?\x7b(?P<string>\w*).*?\x7d.*?for\s*?\x28.*?\x7b(?P<match>\w*).*?\x7d.*?new\s*?RegExp\x28\s*?(?P=match).*?\x2eexec\x28\s*?(?P=string)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2983; classtype:attempted-recon; sid:25289; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt"; flow:to_server,established; file_data; content:"appendChild"; content:"setUserData"; fast_pattern:only; pcre:"/\x2esetUserData\x28.{0,50}?\x7b[^\x7d]*?\x2eappendChild\x28/"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2378; classtype:attempted-user; sid:25233; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt"; flow:to_client,established; file_data; content:"appendChild"; content:"setUserData"; fast_pattern:only; pcre:"/\x2esetUserData\x28.{0,50}?\x7b[^\x7d]*?\x2eappendChild\x28/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2378; classtype:attempted-user; sid:25232; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt"; flow:to_server,established; file_data; content:"document.createElement|28 27|iframe|27 29|"; fast_pattern:only; content:"<FRAME"; content:".xul"; content:".contentDocument.location.reload|28 29|"; metadata:service smtp; reference:cve,2011-2982; classtype:attempted-user; sid:25228; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt"; flow:to_client,established; file_data; content:"document.createElement|28 27|iframe|27 29|"; fast_pattern:only; content:"<FRAME"; content:".xul"; content:".contentDocument.location.reload|28 29|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2982; classtype:attempted-user; sid:25227; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Multiple Products xdomain object information disclosure attempt"; flow:to_server,established; file_data; content:"window.open("; fast_pattern:only; content:"<script>"; nocase; pcre:"/(?P<var>[a-z0-9_\-]+?)\s*?=\s*?window\.open\(\s*?\'https?\:\/\/[^\']+?\'\,\s*?\'newWin\'[^\)]*?\)\;.*?(?P=var)\.location/smiR"; metadata:service smtp; reference:cve,2012-4192; reference:url,www.mozilla.org/security/announce/2012/mfsa2012-89.html; classtype:attempted-recon; sid:24387; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products xdomain object information disclosure attempt"; flow:to_client,established; file_data; content:"window.open("; fast_pattern:only; content:"<script>"; nocase; pcre:"/(?P<var>[a-z0-9_\-]+?)\s*?=\s*?window\.open\(\s*?\'https?\:\/\/[^\']+?\'\,\s*?\'newWin\'[^\)]*?\)\;.*?(?P=var)\.location/smiR"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-4192; reference:url,www.mozilla.org/security/announce/2012/mfsa2012-89.html; classtype:attempted-recon; sid:24386; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:".length = 2197815302"; fast_pattern:only; content:".reduceRight"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24188; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"len = 0xffffffff"; fast_pattern:only; content:".reduceRight"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24187; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products table frames memory corruption attempt"; flow:to_client,established; file_data; content:"<style>"; nocase; content:"table:after"; fast_pattern:only; pcre:"/table\x3aafter\s*\x7b.*?display\s*\x3a\s*table-(footer|header|row)-group\x3b/smi"; content:"document.body.offset"; distance:0; nocase; content:"<tbody>"; nocase; content:"<colgroup>"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1952; classtype:attempted-user; sid:23790; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox resource URL handling directory traversal attempt"; flow:to_client,established; file_data; content:"resource://"; fast_pattern:only; pcre:"/resource\x3A[^>]*?(\x2E\x2E(%5C|\x5C|%2F|\x2F)){4}/mi"; metadata:service http; reference:cve,2007-3072; reference:cve,2007-3073; classtype:attempted-recon; sid:23625; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox use-after free remote code execution attempt"; flow:established,to_client; file_data; content:"{acceptNode: function(node) { return NodeFilter.FILTER_ACCEPT|3B| }}"; content:".nextNode()|3B|"; distance:0; content:".nextNode()|3B|"; distance:0; content:".previousNode()|3B|"; distance:0; metadata:service http; reference:cve,2011-3659; classtype:attempted-user; sid:23445; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nSSVGValue memory corruption attempt"; flow:established,to_client; file_data; content:".removeEventListener(|22|DOMAttrModified|22|,"; content:".addEventListener(|22|DOMAttrModified|22|,"; distance:0; content:"<svg id=|22|"; distance:0; nocase; content:"</svg>"; distance:0; nocase; metadata:service http; reference:bugtraq,51138; reference:cve,2011-3658; classtype:attempted-user; sid:23054; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products HTML href shell attempt"; flow:to_client,established; file_data; content:"shell:"; fast_pattern:only; pcre:"/<a\s+?href\s*?=\s*?[\x22\x27]*?\s*?shell\x3a/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0648; classtype:policy-violation; sid:21953; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox null byte file remote code execution attempt"; flow:to_client,established; file_data; content:"<form"; nocase; content:"action"; distance:0; nocase; pcre:"/<form[^>]+action\s*=\s*[\x22\x27]?[^>\x22\x27]*?\.[\.a-z]{2,6}(\x2500|\x00)\.[\.a-z]{2,6}/ims"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,24447; reference:cve,2007-3285; classtype:attempted-user; sid:21394; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:" = new Array|28 22|audio|22 2C 20 22|a|22 2C 20 22|base|22 29 3B|"; fast_pattern:only; content:"|22|string|22 29|"; content:".push|28|"; within:30; content:"document.body.removeChild|28|"; within:50; content:" < 0x8964"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3765; classtype:attempted-user; sid:21363; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt"; flow:to_client,established; content:"script"; nocase; content:"var"; content:"str|5F|repeat"; nocase; pcre:"/var\s*?\w+?\x3D\s*?\d+?\x2E.*?str\x5Frepeat\x28[\x22\x27]\d[\x22\x27]\x2C\d{2,}\x29/smi"; metadata:service http; reference:bugtraq,37078; reference:cve,2009-0689; classtype:attempted-user; sid:21155; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt"; flow:to_client,established; content:"|3C|script|3E|"; nocase; content:"var"; nocase; pcre:"/var\s*?\w+?\s*?\x3D\s*?\d+?\x2E\d{20}/smi"; metadata:service http; reference:bugtraq,37078; reference:cve,2009-0689; classtype:attempted-user; sid:21154; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla favicon href javascript execution attempt"; flow:to_client,established; file_data; content:"javascript:delayedOpenWindow"; fast_pattern:only; content:"<link"; nocase; pcre:"/<link\s[^>]*?href=[^>]*?(jar\:|view-source\:)?\s*?javascript\:delayedOpenWindow/smi"; metadata:service http; reference:cve,2005-1155; reference:cve,2005-1531; classtype:attempted-user; sid:20814; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt"; flow:to_client,established; file_data; content:"<EMBED"; nocase; content:"PLUGINSPAGE"; distance:0; nocase; pcre:"/<EMBED[^\x3E]*?PLUGINSPAGE\s*=[\x22\x27][^\x3E]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,13228; reference:cve,2005-0752; classtype:attempted-user; sid:20742; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Object.watch parent access attempt"; flow:to_client,established; file_data; content:"|2E|watch"; nocase; content:"arguments|2E|callee|2E|caller"; within:100; nocase; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1734; classtype:attempted-admin; sid:20739; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla XBL.method memory corruption attempt"; flow:to_client,established; file_data; content:"moz|2D|binding"; fast_pattern:only; content:"xbl"; nocase; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1735; classtype:attempted-admin; sid:20730; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla XBL object init code execution attempt"; flow:to_client,established; file_data; content:".init."; fast_pattern:only; content:"document.getElementById"; pcre:"/\x3C[^\x3E]*id\s*\x3D\s*[\x22\x27]\s*(\w*)\s*[\x22\x27].*?var\s*(\w*)\s*\x3D\s*document\.getElementbyId\s*\x28\s*[\x22\x27]\1[\x22\x27]\s*\x29.*?\2\.init\.(valueof\.)?(call|apply)/smi"; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1733; classtype:attempted-user; sid:20729; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox user interface event dispatcher dos attempt"; flow:to_client,established; file_data; content:"document.createEvent("; content:"UIEvents"; within:20; fast_pattern; content:"initUIEvent"; distance:0; pcre:"/var\s+(\w+)\s*=\s*document\.createEvent\(\s*[\x22\x27]UIEvents(.+\1\.initUIEvent\(\s*[\x22\x27](keypress|click|onkeydown|onkeyup|onmousedown|onmouseup)[\x22\x27]){5}/Os"; metadata:service http; reference:bugtraq,31476; reference:cve,2008-4324; classtype:attempted-dos; sid:20727; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Thunderbird / SeaMonkey Content-Type header buffer overflow attempt"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3a\s*(?![^\r\n]{0,50}boundary=\x22Apple-Mail=)[^\x0d\x0a\x3b]{77}/smi"; metadata:service smtp; reference:cve,2006-6505; classtype:attempted-user; sid:20667; rev:8;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Thunderbird / SeaMonkey Content-Type header buffer overflow attempt"; flow:to_client,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3a\s*(?![^\r\n]{0,50}boundary=\x22Apple-Mail=)[^\x0d\x0a\x3b]{77}/smi"; reference:cve,2006-6505; classtype:attempted-user; sid:20666; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple content-disposition headers malicious redirect attempt"; flow:to_client,established; content:"|0A|Content|2D|Disposition|3A|"; nocase; http_header; content:"|0A|Content|2D|Disposition|3A|"; distance:0; nocase; http_header; pcre:"/(300|301|302|303|307)/S"; metadata:service http; reference:cve,2011-3000; classtype:web-application-attack; sid:20586; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple content-length headers malicious redirect attempt"; flow:to_client,established; content:"|0A|Content|2D|Length|3A|"; nocase; http_header; content:"|0A|Content|2D|Length|3A|"; distance:0; nocase; http_header; pcre:"/(300|301|302|303|307)/S"; metadata:service http; reference:cve,2011-3000; classtype:web-application-attack; sid:20585; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple content-type headers malicious redirect attempt"; flow:to_client,established; content:"|0A|Content|2D|Type|3A|"; nocase; http_header; content:"|0A|Content|2D|Type|3A|"; distance:0; nocase; http_header; pcre:"/(300|301|302|303|307)/S"; metadata:service http; reference:cve,2011-3000; classtype:web-application-attack; sid:20584; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt"; flow:to_client,established; content:"|0A|Location|3A|"; nocase; http_header; content:"|0A|Location|3A|"; distance:0; nocase; http_header; pcre:"/(300|301|302|303|307)/S"; metadata:service http; reference:cve,2011-3000; classtype:web-application-attack; sid:20583; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0x81000002"; nocase; content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19714; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"cobj|2E|id=|22|testcase|22|"; fast_pattern; nocase; content:"document|2E|body|2E|appendChild|28|cobj|29|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:19292; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"var cobj=document.createElement(str)"; content:"<script>crashme()|3B|</script>"; distance:0; fast_pattern; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:19077; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"var cobj=document.createElement(str)|3B 0A 20 20 20|cobj.id=|22|testcase|22 3B 0A 20 20 20|document.body.appendChild(cobj)|3B|"; content:"for(p in obj){|0A 20 20 20 20 20 20|if(typeof(obj[p])==|22|string|22|){"; distance:0; content:"document.body.removeChild(cobj)|3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:19076; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E|"; depth:70; metadata:service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18486; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1|"; fast_pattern:only; metadata:service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18485; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JS Web Worker arbitrary code execution attempt"; flow:to_client,established; file_data; content:"postMessage"; fast_pattern; content:"data.concat"; within:50; content:"Worker"; pcre:"/\x2epostMessage\s*\x28\s*([^\s]+)\x2edata\x2econcat\s*\x28\1\x2edata\s*\x29/"; metadata:service http; reference:cve,2009-3371; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=514554; classtype:attempted-user; sid:18332; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox new function garbage collection remote code execution attempt"; flow:to_client,established; file_data; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|29 27 29 3B 20 7D|"; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|2C|buf|29 27 29 3B 20 7D|"; within:200; metadata:service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18302; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox GeckoActiveXObject memory corruption attempt"; flow:to_client,established; file_data; content:"str|2B 3D|str|3B|"; content:"window.GeckoActiveXObject|28|str|29 3B|"; within:200; metadata:service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18301; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript large regex memory corruption attempt"; flow:to_client,established; file_data; content:"Ocilla|7C|Ocoee|7C|Oconee|7C|Oconomowoc|7C|Ocontoabasadasdasdasdasdasdasdad|7C|x|29 29 2F|i|3B|"; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1737; classtype:attempted-user; sid:18298; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"|25|3C|21 2D 2D 25|20Comment|25|20|2D 2D 25|3E|25|3Csvg|25|20xmlns|3D 25|22http|3A 2F 2F|www|2E|w3|2E|org|2F|2000|2F|svg|25|22|25|20version|3D 25|221|2E|1|25|22|25|20baseProfile|3D 25|22full|25|22|25|3E|25|3C|2F|svg|25|3E"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:18296; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt"; flow:to_client,established; file_data; content:"<q style=|22|position:relative|3B 22|>"; nocase; content:"<q style=|22|position:relative|3B 22|>"; within:75; nocase; content:".style.position=|27|static|27 3B|"; within:250; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,16476; reference:cve,2006-0294; classtype:attempted-user; sid:18286; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; file_data; content:"|2E|location|20 3D 20 22|about|3A|blank|22 3B|"; content:"setTimeout|28|b|2C 20|500|29 3B|"; within:100; metadata:service http; reference:cve,2006-3801; classtype:attempted-user; sid:18264; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; file_data; content:"editEl|20 3D 20|window|2E|el|3B|"; content:"editEl|2E|innerHTML|20 3D 20|value|3B|"; distance:0; content:"editEl|2E|disabled|20 3D 20|false|3B|"; distance:0; metadata:service http; reference:cve,2006-3801; classtype:attempted-user; sid:18263; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt"; flow:to_client,established; file_data; content:"for|28|"; content:"=0|3B|"; within:20; content:"<25|3B|"; within:20; fast_pattern; pcre:"/\=new Function\(\s*(?P<var>\w+)(\x2C\s*(?P=var)){20}/"; metadata:service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18262; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt"; flow:to_client,established; file_data; content:"<1024|2A|1024|3B|"; fast_pattern:only; content:"<1024/4|3B|"; pcre:"/\<1024\*1024\x3B\w+\x2B\x2B\)\s*(?P<var1>\w+)\s*\x2B\x3D.*\<1024\/4\x3B\w+\x2B\x2B\)\s*\w+\s*\x2B\x3D\s*(?P=var1)\x3B/"; metadata:service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18261; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products EscapeAttributeValue integer overflow attempt"; flow:to_client,established; file_data; content:"alert|28|xx.toXMLString"; fast_pattern:only; content:"for|28|i=0|3B|i<|28|1024*1024|29|/2|3B|i++|29| m += |22 5C|n|22 3B|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:18250; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt"; flow:to_client,established; file_data; content:"document.write|28 27|<html><marquee><h1>|27|"; content:"+"; within:1; content:"+"; within:10; content:"|29 3B|"; within:15; metadata:service http; reference:bugtraq,18165; reference:cve,2006-2723; classtype:attempted-dos; sid:18188; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox InstallTrigger.install memory corruption attempt"; flow:to_client,established; file_data; content:"InstallTrigger.install.call|28|document"; fast_pattern:only; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1790; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=290162; classtype:attempted-user; sid:18187; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt"; flow:to_client,established; file_data; content:"|3C|button onclick|3D 22|document|2E|getElementsByTagName|28 27|row|27 29 5B|0|5D 2E|style|2E|display|3D 27 2D|moz|2D|grid|2D|group|27 22|"; fast_pattern:only; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1738; classtype:attempted-user; sid:18186; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt"; flow:to_client,established; file_data; content:"|63 6C 61 73 73 3D 22 6D 65 6E 75 22 3E 3C 61 20 68 72 65 66 3D 22 22 20 74 61 72 67 65 74 3D 22 5F 74 6F 70 22 3E 51 51 51 51 51 51 51 51 51 51 3C 2F 61 3E|"; content:"|63 6C 61 73 73 3D 22 6D 65 6E 75 22 3E 3C 61 20 68 72 65 66 3D 22 22 20 74 61 72 67 65 74 3D 22 5F 74 6F 70 22 3E 51 51 51 51 51 51 51 51 51 51 3C 2F 61 3E|"; distance:0; metadata:service http; reference:bugtraq,19197; reference:cve,2006-3113; classtype:attempted-user; sid:18178; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt"; flow:to_client,established; file_data; content:"|73 72 63 3D 22 64 61 74 61 3A 74 65 78 74 2F 68 74 6D 6C 3B 63 68 61 72 73 65 74 3D 75 74 66 2D 38 2C 25 33 43 68 74 6D 6C 25 33 45 25 30 44 25 30 41|"; content:"|25|3Cscript|25|3E"; within:300; content:"window|2E|addEventListener|28|"; within:500; metadata:service http; reference:bugtraq,19197; reference:cve,2006-3113; classtype:attempted-user; sid:18177; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt"; flow:to_client,established; file_data; content:"|73 72 63 3D 22 64 61 74 61 3A 74 65 78 74 2F 68 74 6D 6C 3B 63 68 61 72 73 65 74 3D 75 74 66 2D 38 2C 25 33 43 68 74 6D 6C 25 33 45 25 30 44 25 30 41|"; content:"|25|3Cscript|25|3E"; within:300; content:"window|2E|removeEventListener|28|"; within:500; metadata:service http; reference:bugtraq,19197; reference:cve,2006-3113; classtype:attempted-user; sid:18176; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox and SeaMonkey onUnload event handler memory corruption attempt"; flow:to_client,established; file_data; content:"|64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 27 3C 68 74 6D 6C 3E 3C 62 6F 64 79 20 6F 6E 75 6E 6C 6F 61 64 3D 22|"; content:"|66 6F 72 20 28 69 3D 30 3B 69 3C 32 35 30 3B 69 2B 2B 29|"; distance:0; content:"|64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 27 3C 73 63 72 69 70 74 3E 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 22|"; distance:0; metadata:service http; reference:bugtraq,22679; reference:cve,2007-1092; classtype:attempted-user; sid:18170; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|3C|HR WIDTH|3D|4444444 COLOR|3D 22 23|000000|22 3E|"; fast_pattern:only; metadata:service http; reference:cve,2006-1739; classtype:attempted-user; sid:18078; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"%n%n%n%n%n%n|22|EWIDTH=left SIZE=|8B 8B 8B 8B 8B|"; fast_pattern:only; metadata:service http; reference:cve,2006-1739; classtype:attempted-user; sid:18077; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"contentDocument.designMode"; nocase; content:"addEvenListener|28|"; distance:0; nocase; content:"iframe.style.position"; within:100; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:17570; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript Engine Information Disclosure attempt"; flow:to_client,established; file_data; content:"var|20|mem|20 3D 20|genGluck|28 20 22|XXX"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12998; reference:cve,2005-0989; classtype:attempted-user; sid:17415; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Animated PNG Processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; byte_test:4,>,32767,0,relative; content:"|01|"; within:1; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4064; classtype:attempted-user; sid:17379; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|22|http|3A 2F 2F 22 20 2B 0A|"; nocase; content:"|22|%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD|22|"; within:100; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17222; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"HREF=https|3A|--------------------"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17221; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"HREF=https|3A AD AD AD AD AD AD AD AD AD AD AD AD AD|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17220; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Chrome Page Loading Restriction Bypass attempt"; flow:to_client,established; file_data; content:"window|2E|open"; nocase; content:"about|3A|mozilla"; within:50; nocase; content:"document|2E|write"; distance:0; nocase; content:"about|3A|config"; within:50; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2706; reference:url,secunia.com/advisories/16911/; classtype:attempted-user; sid:17213; rev:9;)
# alert tcp $EXTERNAL_NET 1080 -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox oversized SOCKS5 DNS reply memory corruption attempt"; flow:to_client,established; content:"|05 00 00 03|"; depth:4; isdataat:16,relative; reference:bugtraq,35925; reference:cve,2009-2470; classtype:attempted-user; sid:16612; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter {float|3A| "; fast_pattern; content:".setAttribute|28|'style', 'display|3A| -moz-box|3B| '|29 3B|"; content:".style.display= 'none'|3B|"; within:60; metadata:service http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:16347; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox tag order memory corruption attempt"; flow:to_client,established; file_data; content:"BGCOLOR=|22|http|3A 22|-|9D 22 22| DP=-|B3| UNITS=|22 E2 E2 E2 E2|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-0749; classtype:attempted-user; sid:16050; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox CSS Letter-Spacing overflow attempt"; flow:to_client,established; file_data; content:"style=|22|letter-spacing|3A| -2147483648"; fast_pattern:only; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1730; classtype:attempted-user; sid:16044; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Thunderbird WYSIWYG engine filtering IFRAME JavaScript execution attempt"; flow:to_server,established; content:"<iframe"; nocase; pcre:"/^\s*[^\x3e]*src\s*\x3d\s*[\x22\x27][^\x22\x27]*javascript\x3a/iR"; metadata:service smtp; reference:bugtraq,16770; reference:cve,2006-0884; classtype:attempted-user; sid:16038; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript Function focus overflow attempt"; flow:to_client,established; file_data; content:"window"; nocase; content:"document.designMode"; within:150; fast_pattern; content:"on"; within:10; nocase; content:"window"; nocase; content:"open"; within:15; nocase; content:"window"; within:75; nocase; content:"window"; within:75; nocase; content:"<iframe"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17671; reference:cve,2006-1993; classtype:attempted-user; sid:16024; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox location spoofing attempt via invalid window.open characters"; flow:to_client,established; file_data; content:"window.open("; fast_pattern; nocase; content:"http:"; within:15; nocase; content:"stop"; distance:0; nocase; pcre:"/window\x2Eopen\x28\s?(\x22|\x26quot\x3B|\x27)\s?http\x3A[^\x27\x22]*(\x25[^0-9a-f]|\x2C).*?stop/smi"; metadata:service http; reference:bugtraq,35803; reference:cve,2009-2654; classtype:misc-attack; sid:15873; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_client,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; fast_pattern:only; content:"return res.slice(0, str.length * num)"; metadata:service http; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:15699; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox animated PNG processing integer overflow"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR|00 00 80 00 00 00 80 00 08 06 00 00 01 B3|{|93|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4064; classtype:attempted-user; sid:15191; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Apple Quicktime chrome exploit"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"-chrome"; pcre:"/-chrome\s*javascript/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-5045; classtype:attempted-user; sid:12593; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla compareTo arbitrary code execution attempt"; flow:to_client,established; file_data; content:"InstallVersion"; nocase; content:"compareTo"; distance:0; nocase; pcre:"/InstallVersion\s*\x29?\s*\.\s*compareTo/smi"; metadata:service http; reference:bugtraq,14242; reference:cve,2005-2265; reference:url,www.mozilla.org/security/announce/2005/mfsa2005-50.html; classtype:attempted-user; sid:10131; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox query interface suspicious function call access attempt"; flow:to_client,established; file_data; content:"location.QueryInterface"; nocase; content:"Components.interfaces.nsIClassInfo"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0295; reference:url,www.mozilla.org/security/announce/2006/mfsa2006-04.html; classtype:attempted-user; sid:10063; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SVG data processing obfuscated memory corruption attempt"; flow:to_client,established; file_data; content:"split|28 22 22 29 2E|reverse|28 29 2E|join|28 22 22 29|"; content:"appendItem"; distance:1; content:"replaceItem"; distance:1; pcre:"/(?P<N1>[a-zA-Z\x5f][a-zA-Z\x5f0-9]*\x2e)appendItem(?!.+?(?P=N1)appendItem).+?(?P=N1)replaceItem/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33990; reference:cve,2009-0771; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-07.html; classtype:attempted-user; sid:29580; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter { float|3A| "; fast_pattern:only; content:"|5B 22|setAttribute|22 5D 28|'style', 'display|3A| table-cell'"; content:"|5B 22|style|22 5D 5B 22|display|22 5D|= 'none'"; within:60; metadata:service http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:29579; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt"; flow:to_client,established; file_data; content:"<svg"; nocase; content:"<text id"; within:400; nocase; content:"getElementByID"; within:300; nocase; content:"removeChild"; within:100; content:"getCharNumAtPosition"; within:200; nocase; pcre:"/removeChild\((?<element>\w{1,20})\).*(?P=element)\.getCharNumAtPosition/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49213; reference:cve,2011-0084; classtype:attempted-user; sid:29503; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow attempt"; flow:to_client,established; file_data; content:".length"; nocase; content:".reduceRight"; within:300; pcre:"/(?P<var>\w+)\.length\s*?\x3d\s*?([2-9][0-9]{9,11}|0x[8-fF][0-9a-zA-Z]{7}).*?(?P=var)\.reduceRight/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:29625; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow attempt"; flow:to_client,established; file_data; content:".length"; nocase; content:".reduceRight"; within:300; pcre:"/var\s*?(?P<var>\w+)\s*?\x3d\s*?([2-9][0-9]{9,11}|0x[8-fF][0-9a-zA-Z]{7}).*?(?P<var2>\w+)\.length\s*?\x3d\s*?(?P=var).*?(?P=var2)\.reduceRight/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:29624; rev:2;)
# alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_server,established; file_data; content:"|2E|view|2E|selection"; nocase; content:"|2E|invalidateSelection"; distance:0; nocase; pcre:"/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0073; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; classtype:attempted-user; sid:29617; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_server,established; file_data; content:".view.selection"; nocase; content:"rangedSelect("; distance:0; content:".adjustSelection"; distance:0; nocase; pcre:"/\x2Eview\x2Eselection.*?\x2ErangedSelect\x28\s*\d+,\s*(0x[a-f0-9]{7}|\d{8}).*?\x2eadjustSelection\x28\s*\d+\s*,\s*\d/smi"; metadata:service smtp; reference:cve,2010-2753; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=571106; classtype:attempted-user; sid:30486; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_client,established; file_data; content:".view.selection"; nocase; content:"rangedSelect("; distance:0; content:".adjustSelection"; distance:0; nocase; pcre:"/\x2Eview\x2Eselection.*?\x2ErangedSelect\x28\s*\d+,\s*(0x[a-f0-9]{7}|\d{8}).*?\x2eadjustSelection\x28\s*\d+\s*,\s*\d/smi"; metadata:service http; reference:cve,2010-2753; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=571106; classtype:attempted-user; sid:30485; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Multiple browser pressure function denial of service attempt"; flow:to_client, established; file_data; content:"spray()"; nocase; content:"new ArrayBuffer(0x"; content:"000"; within:3; distance:1; content:".toString()"; metadata:service http; reference:cve,2014-1512; classtype:denial-of-service; sid:31513; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XBM image processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xbm; file_data; content:"static|20|char|20|gopher|5F|binary|5F|bits|5B 5D|"; content:"0x71|2C 20|0x26|2C 20|0x01|20 20 20 20 20 20|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,14916; reference:cve,2005-2701; classtype:attempted-user; sid:32133; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_client,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset community, service http; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:1841; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_server,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:32244; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl:key name=|22|"; depth:15; offset:117; fast_pattern; content:"match=|22|"; within:7; distance:10; content:"use=|22|"; within:5; distance:10; content:"</xsl:stylesheet>"; within:17; distance:101; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,attack.mitre.org/techniques/T1220; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:33566; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt"; flow:to_server,established; file_data; content:"chrome|3A|//browser/content/browser.xul"; fast_pattern:only; content:".messageManager"; nocase; content:".loadFrameScript"; nocase; content:".setPrototypeOf"; nocase; content:"Proxy.create"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,72041; reference:cve,2014-8636; classtype:attempted-user; sid:33904; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt"; flow:to_client,established; file_data; content:"chrome|3A|//browser/content/browser.xul"; fast_pattern:only; content:".messageManager"; nocase; content:".loadFrameScript"; nocase; content:".setPrototypeOf"; nocase; content:"Proxy.create"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72041; reference:cve,2014-8636; classtype:attempted-user; sid:33903; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt"; flow:to_server,established; file_data; content:"Components.classes"; nocase; content:"mozilla.org/file/local"; within:100; nocase; content:"Components.interfaces.nsILocalFile"; within:100; nocase; content:"initWithPath"; within:100; nocase; content:"C|3A 5C 5C|"; within:25; nocase; content:"|2C 20 22|x|22 2C|"; content:"|22|chrome"; within:10; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,72041; reference:cve,2014-8636; classtype:attempted-user; sid:34110; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox proxy prototype privileged javascript execution attempt"; flow:to_client,established; file_data; content:"Components.classes"; nocase; content:"mozilla.org/file/local"; within:100; nocase; content:"Components.interfaces.nsILocalFile"; within:100; nocase; content:"initWithPath"; within:100; nocase; content:"C|3A 5C 5C|"; within:25; nocase; content:"|2C 20 22|x|22 2C|"; content:"|22|chrome"; within:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72041; reference:cve,2014-8636; classtype:attempted-user; sid:34109; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_server,established; file_data; content:"readystatechange"; fast_pattern:only; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:33090; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_server,established; file_data; content:"document.onreadystatechange"; content:"window.parent.frames[0].frameElement.ownerDocument.write("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:33089; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"document.onreadystatechange"; content:"window.parent.frames[0].frameElement.ownerDocument.write("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:33088; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt"; flow:to_server,established; file_data; content:"XMLSerializer()"; nocase; content:"removeChild"; within:100; nocase; content:"serializeToStream"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,57209; reference:cve,2013-0753; reference:url,www.mozilla.org/security/announce/2013/mfsa2013-16.html; classtype:attempted-user; sid:32994; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt"; flow:to_client,established; file_data; content:"XMLSerializer()"; nocase; content:"removeChild"; within:100; nocase; content:"serializeToStream"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57209; reference:cve,2013-0753; reference:url,www.mozilla.org/security/announce/2013/mfsa2013-16.html; classtype:attempted-user; sid:32993; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"readystatechange"; fast_pattern:only; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:27568; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox onChannelRedirect method attempt"; flow:to_client,established; file_data; content:"<object "; nocase; content:"<script"; within:100; content:".onChannelRedirect("; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0065; classtype:attempted-user; sid:24994; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_server; file_data; content:"IDBKeyRange"; fast_pattern:only; pcre:"/IDBKeyRange\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29.{0,100}\x2e(lower|upper|lowerOpen|upperOpen)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24574; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_server; file_data; content:"IDBKeyRange.lowerBound("; content:".upper"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24573; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_client; file_data; content:"IDBKeyRange"; fast_pattern:only; pcre:"/IDBKeyRange\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29.{0,100}\x2e(lower|upper|lowerOpen|upperOpen)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24572; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_client; file_data; content:"IDBKeyRange.lowerBound("; content:".upper"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24571; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_server; file_data; content:"IDBKeyRange.only("; content:").lower"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:24570; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products table frames memory corruption attempt"; flow:to_client,established; file_data; content:"<style>"; nocase; content:"table:after"; fast_pattern:only; pcre:"/table\x3aafter\s*\x7b.*?display\s*\x3a\s*table-(footer|header|row)-group\x3b/smi"; content:"<table contenteditable>"; distance:0; nocase; content:"<col>"; distance:0; nocase; content:"<tfoot>"; nocase; content:"<colgroup>"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1952; classtype:attempted-user; sid:23789; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt"; flow:established,to_client; file_data; content:"IDBKeyRange.only("; content:").lower"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0469; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=738985; classtype:attempted-user; sid:23212; rev:10;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products MozOrientation loading attempt"; flow:to_client,established; content:"addEventListener"; nocase; content:"MozOrientation"; distance:0; nocase; pcre:"/addEventListener\s*?\x28(?P<q1>\x22|\x27)\s*?MozOrientation\s*?(?P=q1)/smi"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,49217; reference:cve,2011-2980; classtype:attempted-user; sid:21191; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Multiple Products MozOrientation loading attempt"; flow:to_client,established; file_data; content:"addEventListener"; nocase; content:"MozOrientation"; distance:0; nocase; pcre:"/addEventListener\s*?\x28(?P<q1>\x22|\x27)\s*?MozOrientation\s*?(?P=q1)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49217; reference:cve,2011-2980; classtype:attempted-user; sid:21190; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt"; flow:to_client,established; file_data; content:"SVGDocument"; fast_pattern; nocase; content:"point"; distance:0; nocase; content:"y"; nocase; content:"x"; nocase; content:"getCharNumAtPosition"; distance:0; nocase; pcre:"/.*?(\w*)\s*=\s*SVGDocument.*var\s*point\s*=.*?get\s*(x|y)\s*\x28\s*\x29\s*\x7B\s*\1\.parentNode\.removeChild\x28\1\x29.*?alert\x28\1\.getCharNumAtPosition\x28point\x29/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49213; reference:cve,2011-0084; classtype:attempted-user; sid:20600; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_client,established; file_data; content:"|2E|view|2E|selection"; nocase; content:"|2E|invalidateSelection"; distance:0; nocase; pcre:"/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0073; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; classtype:attempted-user; sid:20072; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0xffffffff"; nocase; content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19713; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Products nsCSSValue Array Index Integer Overflow"; flow:to_client,established; file_data; content:"@font-face"; nocase; content:"src|3A 20|url"; distance:0; nocase; isdataat:2000,relative; content:!"|3B|"; within:2000; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41852; reference:cve,2010-2752; classtype:attempted-user; sid:19321; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption"; flow:to_client,established; file_data; content:"var tags = new Array (|22|base|22|, |22|a|22|, |22|audio|22|)"; nocase; content:"tobj.id = |22|telus|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:19078; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla EnsureCachedAttrParamArrays integer overflow attempt"; flow:to_client,established; file_data; content:"<applet"; nocase; isdataat:5000,relative; content:!"</applet"; within:5000; nocase; content:"<param"; within:500; distance:1500; nocase; content:"<param"; within:50; nocase; content:"<param"; within:50; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41842; reference:cve,2010-1214; classtype:attempted-user; sid:18809; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption"; flow:to_client,established; file_data; content:"var tags = new Array|28 22|audio|22|, |22|a|22|, |22|base|22 29|"; nocase; content:"var html = |22|<|22| + tags[i] + |22| |22| + atts[j]"; distance:0; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3765; classtype:attempted-user; sid:17804; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"getElementById|28|'para'|29|.childNodes[0].splitText|28|11|29|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:17719; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ConstructFrame with floating first-letter memory corruption attempt"; flow:to_client,established; file_data; content:"first-letter"; nocase; content:"float: right"; distance:0; nocase; content:"parentNode.removeAttribute(|22|class|22|)"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35765; reference:cve,2009-2462; classtype:attempted-user; sid:17642; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple products CSSValue array memory corruption attempt"; flow:to_client,established; file_data; content:"counter|2D|reset|3A|"; content:"counter|2D|increment|3A|"; distance:0; content:"|3C|ol|20|id|3D 22|id1|22 3E 0A|"; distance:0; content:"|3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29802; reference:cve,2008-2785; classtype:attempted-user; sid:17630; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Chrome Page Loading Restriction Bypass attempt"; flow:to_client,established; file_data; content:"window|2E|open"; nocase; content:"about:"; within:10; nocase; content:"document|2E|write"; distance:0; nocase; content:"about:"; within:30; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14920; reference:cve,2005-2706; classtype:attempted-user; sid:17629; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client, established; file_data; content:"first-letter"; nocase; content:"direction"; distance:0; nocase; content:"rtl"; within:8; content:"white"; distance:0; nocase; content:"space"; within:6; nocase; content:"pre"; within:10; nocase; content:"|3C|span"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35326; reference:cve,2009-1392; classtype:attempted-user; sid:17613; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElement"; nocase; content:"type = |22|"; within:70; nocase; byte_extract:4,0,changed_var,relative; content:".blur()"; within:50; content:"input"; within:200; nocase; content:"type=|22|"; within:20; nocase; byte_test:4,!=,changed_var,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32281; reference:cve,2008-5021; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-55.html; classtype:attempted-user; sid:17603; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xul; file_data; content:"style="; content:"<treechildren"; nocase; content:"<treechildren"; distance:0; nocase; content:"ordinal"; content:"event.target.parentNode.removeChild"; fast_pattern:only; pcre:"/onoverflow\s*?=\s*?(\x22|\x27)\s*?event\.target\.parentNode\.removeChild/smi"; pcre:"/<treechildren.*?ordinal=.*?<treechildren/smi"; pcre:"/<tree.*?tree(?!children).*?<treechildren.*?<treechildren/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32281; reference:cve,2008-5016; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-52.html; classtype:attempted-user; sid:17601; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox tag order memory corruption attempt"; flow:to_client,established; file_data; content:"<table>|0A|<html>|0A|<frameset>"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17516; reference:cve,2006-0749; classtype:attempted-user; sid:17581; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow"; flow:to_client,established; file_data; content:"<a href=|22 01 78 78|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31346; reference:cve,2008-0016; classtype:attempted-user; sid:17519; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla NNTP URL Handling Buffer Overflow attempt"; flow:to_client,established; file_data; content:"news|3A 2F 2F|"; pcre:"/news\x3a\x2f\x2f.*?\x2f?(profile|search).*?\x2f.*?\x5c[^\s\x22\x27]{0,1}/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12131; reference:cve,2004-1316; classtype:attempted-user; sid:17482; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|poc|22| match=|22|nodeB|22| use=|22|does_not_exist|28 29 22|/>"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,attack.mitre.org/techniques/T1220; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:17444; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Unicode sequence handling stack corruption attempt"; flow:to_client,established; file_data; content:"|3B 26 23|8204|3B 26 23|8204"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14918; reference:cve,2005-2702; classtype:attempted-user; sid:17434; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IconURL Arbitrary Javascript Execution attempt"; flow:to_client,established; file_data; content:"IconURL|3A 20 22|javascript|3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13544; reference:cve,2005-1477; classtype:attempted-user; sid:17424; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox defineSetter function pointer memory corruption attempt"; flow:to_client,established; file_data; content:"p.type=|27|xxx|27|"; nocase; content:"__defineSetter__|28|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35758; reference:cve,2009-2469; classtype:attempted-user; sid:17422; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript Engine Information Disclosure attempt"; flow:to_client,established; file_data; content:"x|20 3D 20|x|2E|replace|28 2F|end|2F|i|2C 20|function|28 24|1|29 7B 20|var|20|y|20 3D 20 22|any|22 3B 20|y|2E|match|28 2F|any|2F|i|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12998; reference:cve,2005-0989; classtype:attempted-user; sid:17414; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-FIREFOX Mozilla Products IDN Spoofing Vulnerability Attempt"; flow:to_server,established; content:"xn--"; nocase; pcre:"/^Host\x3A\x20(www\x2e)?xn\x2d\x2d/mi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12470; reference:cve,2005-0233; classtype:attempted-user; sid:17409; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|6|5D 20 3D 20 22|toto|22 3B|"; content:"a|2E|splice|28|6|2C 20|1|29 3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17399; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|10|5D 20 3D 20 22|AAAAAAAAAA|22 3B|"; content:"a|2E|splice|28|10|2C 20|1|29 3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17398; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOMNodeRemoved attack attempt"; flow:to_client,established; file_data; content:"document|2E|addEventListener|28 22|DOMNodeRemoved|22|"; nocase; content:"document|2E|body|2E|appendChild|28|document|2E|getElementById|28|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18228; reference:cve,2006-2779; classtype:attempted-user; sid:17389; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Animated PNG Processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; byte_test:4,>,32767,4,relative; content:"|01|"; within:1; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4064; classtype:attempted-user; sid:17378; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XBM image processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xbm; file_data; content:"static|20|char|20|gopher|5F|binary|5F|bits|5B 5D|"; content:"0x71|2C 20|0x26|2C 20|0x01|20 20 20 20 20 20|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14916; reference:cve,2005-2701; classtype:attempted-user; sid:17360; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox sidebar panel arbitrary code execution attempt"; flow:to_client,established; file_data; content:"onclick|3D 22|window|2E|sidebar|2E|addPanel|28 27|FSC|20|sidebar"; content:"http|3A 2F 2F|gsx3|2F 7E|swarelis|2F|CAN|2D|2005|2D|0402|2F|poc|2E|html"; distance:4; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12884; reference:cve,2005-0402; classtype:attempted-user; sid:17268; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox plugin access control bypass attempt"; flow:to_client,established; file_data; content:"file|2E|initWithPath|28 22|c|3A 5C 5C 5C 5C|booom|2E|bat"; content:"xpcom|20 2B 3D 20 27|file|2E|createUnique"; content:"outputStream|2E|init|28|file|2C|0x04|7C|0x08|7C|0x20|2C|420"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12655; reference:cve,2005-0527; reference:url,attack.mitre.org/techniques/T1176; classtype:attempted-user; sid:17265; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript contentWindow in an iframe exploit attempt"; flow:to_client,established; file_data; content:"contentWindow.document"; content:".designMode"; within:100; fast_pattern; content:"on"; within:10; nocase; content:".contentWindow"; distance:0; content:".focus"; within:50; content:"<iframe"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17671; reference:cve,2006-1993; classtype:attempted-user; sid:17260; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt"; flow:to_client,established; file_data; content:"timedSelect"; fast_pattern:only; content:"view"; content:"selection"; within:25; content:"=null"; within:15; content:"parentNode"; content:"removeChild"; within:25; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:17258; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox image dragging exploit attempt"; flow:to_client,established; file_data; content:"|3C|img|20|"; content:"|2E|bat"; distance:0; fast_pattern; nocase; pcre:"/\x3cimg\s[^\x3e]*?\x2ebat[\x22\x27]/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12468; reference:cve,2005-0230; classtype:attempted-user; sid:17245; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsPropertyTable PropertyList memory corruption attempt"; flow:to_client,established; file_data; content:"-moz-column-"; fast_pattern:only; content:"documentElement.style.height"; pcre:"/<html[^>]*?height[^>]*?>/smi"; pcre:"/<body[^>]*?position[^>]*?inherit[^>]*?-moz-column-(count|width)[^>]*?documentElement\.style\.height[^>]*?/smiR"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-3070; reference:url,secunia.com/advisories/36671/; classtype:attempted-user; sid:17236; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox domain name handling buffer overflow attempt"; flow:to_client,established; file_data; content:"HREF=http://&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14784; reference:cve,2005-2871; classtype:attempted-user; sid:17219; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript eval arbitrary code execution attempt"; flow:to_client,established; file_data; content:"arguments|2E|callee|2E|"; nocase; content:"|5F 5F|parent|5F 5F 2E|eval"; distance:0; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13645; reference:cve,2005-1532; reference:url,secunia.com/advisories/15528/; classtype:attempted-user; sid:17212; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt"; flow:to_client,established; file_data; content:".substr"; content:"$"; within:25; distance:-30; content:".replace|28|"; within:50; pcre:"/(?P<var>\w+)\x2Ereplace\x28\s*(?P=var)\s*\x2C\s*(?P=var)\s*\x29/"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3075; classtype:attempted-user; sid:17166; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2"; flow:to_client,established; file_data; content:"<object"; content:"data"; within:200; content:"|27 27|"; within:20; fast_pattern; pcre:"/\x3Cobject(?![^\x3E]+?src)[^\x3E]+?data\s*\x3D\s*\x27\x27/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41933; reference:cve,2010-2755; reference:url,attack.mitre.org/techniques/T1176; classtype:attempted-user; sid:17154; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1"; flow:to_client,established; file_data; content:"<object"; content:"data"; within:200; content:"|22 22|"; within:20; fast_pattern; pcre:"/\x3Cobject(?![^\x3E]+?src)[^\x3E]+?data\s*\x3D\s*\x22\x22/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41933; reference:cve,2010-2755; reference:url,attack.mitre.org/techniques/T1176; classtype:attempted-user; sid:17153; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based"; flow:to_client,established; file_data; content:"wOFFOTTO"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16502; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt"; flow:to_client,established; file_data; content:"wOFF"; depth:4; content:"|00 00|"; within:2; distance:10; pcre:"/wOFF.{10}\x00\x00.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/is"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16501; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox top-level script object offset calculation memory corruption attempt"; flow:to_client,established; file_data; content:".push"; content:"new"; within:10; pcre:"/\s*function\s*(\S+)\s*\x28\s*\S+\s*\x29[^\x7D]+function\s+\S+\s*\x28[^\x28]*\x29.+?for\s*\x28[^\x29]+\x29[^\x7D]*?\x2Epush\s*\x28\s*new\s+\1/sm"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3073; classtype:attempted-user; sid:16344; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla CSS value counter overflow attempt"; flow:to_client,established; file_data; content:"counter-reset|3A| section"; nocase; content:"<li></li>|0A|<li></li>|0A|<li></li>|0A|<li></li>|0A|<li></li>|0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29802; reference:cve,2008-2785; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-34.html; classtype:attempted-user; sid:16292; rev:8;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Network Security Services regexp heap overflow attempt"; flow:to_client,established; ssl_state:server_hello; content:"|16|"; content:"|0B|"; within:1; distance:4; byte_test:3,>,0,3,relative,big; content:"|06 03 55 04 03|"; distance:0; pcre:"/^[\x0c\x13]([\x00-\x7f]|\x81.|\x82.{2})\x28(?=[^\x29]*\x7e)[^\x29]*\x7c/sR"; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,35891; reference:cve,2009-2404; classtype:attempted-user; sid:16291; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"<script>|0A|function doe|28 29|"; content:"getElementById|28|'a'|29|.childNodes[0].splitText|28|1|29|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:16284; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox command line URL shell command injection attempt"; flow:to_server,established; content:"<a href=|22|http|3A|//`echo"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,14888; reference:cve,2005-2968; classtype:attempted-user; sid:16200; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; file_data; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox layout frame constructor memory corruption attempt"; flow:to_client,established; file_data; content:"div|3A 3A|first-letter"; nocase; content:"position|3A| fixed"; nocase; content:"<q>"; nocase; content:"display|3A| -moz-box"; nocase; content:"binding.xml"; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5959; classtype:attempted-user; sid:16047; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla browsers CSS moz-binding cross domain scripting attempt"; flow:to_client,established; file_data; content:"<P style=|22|-moz-binding|3A| url|28|http|3A|//gsx2/~rzhan/poc.xml|23|exploit|29 3B 22|></P>"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16427; reference:cve,2006-0496; classtype:attempted-user; sid:16042; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products graphics and XML features integer overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; content:"<svg"; distance:0; content:"<filter"; distance:0; pcre:"/^[^\x3E]*(width|height)\s*\x3D\s*(\x22|\x27)([3-9]\d{4}|\d{6})/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:16037; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Products QueryInterface method memory corruption attempt"; flow:to_client,established; file_data; content:"Components.interfaces."; content:"|2E|QueryInterface"; distance:0; pcre:"/(?P<var>\S+)\s*\x3D\s*eval\x28\s*(\x22|\x27|)Components\x2Einterfaces\x2E.*?\x2EQueryInterface\x28\s*(?P=var)\s*\x29.*?(location|navigator)/s"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16476; reference:cve,2006-0295; classtype:attempted-user; sid:16036; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products overflow event handling memory corruption attempt"; flow:to_client,established; file_data; content:"charset=utf-8,%3Chtml%3E"; content:"overflow%28%29%22%3ECrashIt"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24376; reference:cve,2007-2876; classtype:attempted-user; sid:16009; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla browsers JavaScript argument passing code execution attempt"; flow:to_client,established; file_data; content:"arguments="; content:"for (|3B 3B|) { arguments()|3B|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22694; reference:cve,2007-0777; classtype:attempted-user; sid:16005; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:15999; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt"; flow:to_client,established; file_data; content:"=data.charAt("; fast_pattern:only; content:"function"; nocase; content:"(data)"; within:50; nocase; content:"if("; distance:0; nocase; content:"=='"; within:125; content:"'"; within:1; distance:1; content:" = escape("; within:135; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,www.kb.cert.org/vuls/id/443060; classtype:attempted-user; sid:15997; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox defineSetter function pointer memory corruption attempt"; flow:to_client,established; file_data; content:".watch|28|"; nocase; content:"__defineSetter__|28|"; nocase; pcre:"/(?P<obj>\w+)\.watch\((?P<q1>\x22|\x27|)(?P<prop>[A-Z0-9\x2d\x5f]+)(?P=q1).*(?P=obj)\.__defineSetter__\((?P<q2>\x22|\x27|)(?P=prop)(?P=q2)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35758; reference:cve,2009-2469; classtype:attempted-user; sid:15872; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|label|22| match=|22|item2|22| use=|22|w00t|28 29 22|/>"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,attack.mitre.org/techniques/T1220; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:15431; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SVG data processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"getElementsByTagName"; content:"pathSegList"; content:"createSVGPathSegMoveto"; fast_pattern; nocase; content:"appendItem"; distance:1; content:"replaceItem"; distance:1; pcre:"/(?P<N1>[a-zA-Z\x5f][a-zA-Z\x5f0-9]*\x2e)appendItem(?!.+?(?P=N1)appendItem).+?(?P=N1)replaceItem/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33990; reference:cve,2009-0771; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-07.html; classtype:attempted-user; sid:15428; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt"; flow:to_client,established; file_data; content:"XUL_NS"; content:"child.parentNode.removeChild"; distance:0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26132; reference:cve,2007-5339; classtype:attempted-user; sid:15383; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById("; content:"path"; within:10; content:".pathSegList.getItem("; fast_pattern; content:"-"; within:5; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:15164; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"iframe"; nocase; content:"iframe.contentDocument.designMode"; nocase; content:"addEventListener"; nocase; pcre:"/addEventListener\s*\(\s*(?P<q>\x22|\x27|)(mouse(move|down)|keydown)(?P=q)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:13838; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla regular expression heap corruption attempt"; flow:to_client,established; file_data; content:"new RegExp|28|"; nocase; pcre:"/new\s*?RegExp\x28(?=[^\x29]*\x5c{2}[\x22\x27])[^\x29]*\x5b[^\x5d]*\x5c{2}[\x22\x27]\x29/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20042; reference:cve,2006-4566; classtype:attempted-user; sid:8443; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla javascript navigator object access"; flow:to_client,established; file_data; content:"window.navigator"; nocase; content:"="; within:2; content:"java."; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19181; reference:cve,2006-3677; reference:url,www.mozilla.org/security/announce/2006/mfsa2006-45.html; classtype:attempted-user; sid:8058; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt"; flow:to_server,established; file_data; content:"document.createEvent("; nocase; content:"MouseEvents"; within:15; content:".initMouseEvent("; within:50; nocase; content:"click"; within:10; content:"window"; within:20; content:".dispatchEvent("; within:60; nocase; metadata:service smtp; reference:cve,2005-0145; reference:url,www.mozilla.org/security/announce/mfsa2005-07.html; classtype:attempted-user; sid:34947; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt"; flow:to_client,established; file_data; content:"document.createEvent("; nocase; content:"MouseEvents"; within:15; content:".initMouseEvent("; within:50; nocase; content:"click"; within:10; content:"window"; within:20; content:".dispatchEvent("; within:60; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2005-0145; reference:url,www.mozilla.org/security/announce/mfsa2005-07.html; classtype:attempted-user; sid:34946; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt"; flow:to_client,established; file_data; content:"mozRTCPeerConnection|28 29|"; content:"createOffer|28|"; within:60; content:"window.open|28 28|function"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1510; reference:url,mozilla.org/security/announce/2014/mfsa2014-29.html; classtype:attempted-user; sid:35052; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt"; flow:to_client,established; file_data; content:"mozRTCPeerConnection|28 29|"; content:"createOffer|28|"; within:40; content:"window.open|28 27|chrome|3A|//browser/content/browser.xul"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1510; reference:url,mozilla.org/security/announce/2014/mfsa2014-29.html; classtype:attempted-user; sid:35051; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength initialize use after free attempt"; flow:to_server,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"initialize"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35075; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength replaceItem use after free attempt"; flow:to_server,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"replaceItem"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35074; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength insertItemBefore use after free attempt"; flow:to_server,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"insertItemBefore"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35073; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength initialize use after free attempt"; flow:to_client,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"initialize"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35072; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength replaceItem use after free attempt"; flow:to_client,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"replaceItem"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35071; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength insertItemBefore use after free attempt"; flow:to_client,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"insertItemBefore"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:35070; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt"; flow:to_server,established; file_data; content:"InstallTrigger."; content:"__exposedProps__"; within:150; content:"defineProperty|3A|"; within:200; metadata:service smtp; reference:bugtraq,56119; reference:cve,2012-3993; classtype:attempted-user; sid:35461; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt"; flow:to_client,established; file_data; content:"InstallTrigger."; content:"__exposedProps__"; within:150; content:"defineProperty|3A|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,56119; reference:cve,2012-3993; classtype:attempted-user; sid:35460; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt"; flow:to_server,established; file_data; content:"String.fromCharCode"; nocase; content:"1024"; within:100; content:"1024"; within:100; content:"escape"; distance:0; nocase; metadata:service smtp; reference:bugtraq,14917; reference:cve,2005-2705; classtype:attempted-user; sid:35439; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt"; flow:to_client,established; content:"String.fromCharCode"; nocase; content:"1024"; within:100; content:"1024"; within:100; content:"escape"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,14917; reference:cve,2005-2705; classtype:attempted-user; sid:35438; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox PDF.js same origin policy violation attempt"; flow:to_server,established; file_data; content:".location"; nocase; content:"data:application/x-moz-playpreview-pdfjs|3B|,"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-4495; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2015-78/; classtype:policy-violation; sid:35676; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox PDF.js same origin policy violation attempt"; flow:to_client,established; file_data; content:".location"; nocase; content:"data:application/x-moz-playpreview-pdfjs|3B|,"; within:200; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4495; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2015-78/; classtype:policy-violation; sid:35675; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript large regex memory corruption attempt"; flow:to_client,established; content:"Array("; content:".join("; within:100; content:"RegExp("; within:50; content:".exec("; within:20; metadata:service http; reference:bugtraq,17516; reference:cve,2006-1737; classtype:attempted-user; sid:36789; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox location.hostname DOM modification bypass attempt"; flow:to_client, established; file_data; content:"location.hostname"; fast_pattern; nocase; content:"|00|"; within:200; pcre:"/location\x2ehostname\s+=\s+[^\x3b]*?[\x00]/i"; metadata:service http; reference:cve,2007-0981; classtype:attempted-user; sid:37453; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt"; flow:to_client,established; file_data; content:"window"; content:"mozRTC"; within:120; content:"PeerConnection"; within:400; content:"createOffer"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1510; reference:url,mozilla.org/security/announce/2014/mfsa2014-29.html; classtype:attempted-user; sid:37626; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox about field spoofing attempt"; flow:to_client,established; file_data; content:"about:"; fast_pattern; nocase; content:"?"; within:15; content:"<"; within:100; content:"location"; nocase; pcre:"/\babout:[a-z]+?\?[^\n]+?\</i"; metadata:ruleset community, service http; reference:cve,2016-5268; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1253673; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-83/; classtype:attempted-user; sid:40015; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElement"; nocase; content:"type = |22|"; within:70; nocase; byte_extract:4,0,changed_var,relative; content:".blur()"; within:50; content:"input"; within:200; nocase; content:"type=|22|"; within:20; nocase; byte_test:4,!=,changed_var,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32281; reference:cve,2008-5021; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-55.html; classtype:attempted-user; sid:40280; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox CSP report-uri arbitrary file write attempt"; flow:to_client,established; content:"Content-Security-Policy|3A|"; nocase; http_header; content:"report-uri"; distance:0; nocase; http_header; pcre:"/report-uri\s+(file|resource|chrome)\x3a\x2f\x2f/Hi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1954; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-17; classtype:attempted-user; sid:40363; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ESR NotifyTimeChange use after free attempt"; flow:to_client,established; file_data; content:".createElementNS"; content:"svg"; within:10; content:".setAttribute"; content:"begin"; within:15; content:".setAttribute"; distance:0; content:"end"; within:10; content:".end"; within:20; content:".setAttribute"; distance:0; content:"end"; within:10; content:".end"; within:20; content:".pauseAnimations"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-9079; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-92/; classtype:attempted-user; sid:40888; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ESR NotifyTimeChange use after free attempt"; flow:to_client,established; file_data; content:".pauseAnimations"; fast_pattern:only; content:"svg"; nocase; content:"animate"; nocase; content:"begin"; within:50; nocase; content:"end"; within:50; nocase; content:".end"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-9079; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-92/; classtype:attempted-user; sid:40896; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt"; flow:to_client,established; file_data; content:"SharedWorker|28|"; fast_pattern; content:".port"; within:400; nocase; content:".close|28|"; within:120; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,68818; reference:cve,2014-1548; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2014-56; classtype:attempted-user; sid:43779; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeContentView double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<treechildren"; fast_pattern:only; nocase; content:"optgroup"; nocase; content:"option"; within:60; nocase; content:"document.getElementById"; within:300; content:".parentNode.removeChild"; within:300; nocase; content:"null"; within:75; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39128; reference:cve,2010-0176; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2010-18.html; classtype:attempted-user; sid:43778; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt"; flow:to_server,established; file_data; content:"column-count"; nocase; content:".toppadded"; within:50; nocase; content:".floatbox"; within:50; nocase; content:"column-count"; within:50; nocase; content:"document.createTextNode("; within:250; metadata:service smtp; reference:cve,2007-0755; classtype:attempted-admin; sid:43768; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt"; flow:to_client,established; file_data; content:"column-count"; nocase; content:".toppadded"; within:50; nocase; content:".floatbox"; within:50; nocase; content:"document.createTextNode("; within:250; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0755; classtype:attempted-admin; sid:43767; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt"; flow:to_server,established; file_data; content:".getAnonymousNodes("; content:".childNodes"; within:100; content:".menu"; nocase; content:"null"; within:10; nocase; metadata:service smtp; reference:cve,2007-0755; classtype:attempted-admin; sid:43766; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt"; flow:to_client,established; file_data; content:".getAnonymousNodes("; content:".childNodes"; within:100; content:".menu"; nocase; content:"null"; within:10; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0755; classtype:attempted-admin; sid:43765; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt"; flow:to_server,established; file_data; content:"<tree"; nocase; content:"<treechildren"; within:50; nocase; content:"<richlistbox"; within:50; nocase; content:".parentNode.removeChild("; metadata:service smtp; reference:cve,2007-0755; classtype:attempted-admin; sid:43764; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt"; flow:to_client,established; file_data; content:"<tree"; nocase; content:"<treechildren"; within:50; fast_pattern; nocase; content:"<richlistbox"; within:50; nocase; content:".parentNode.removeChild("; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0755; classtype:attempted-admin; sid:43763; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox wyciwgy domain forgery attempt"; flow:to_client,established; content:"Location|3A| wyciwyg|3A|//"; fast_pattern:only; http_header; metadata:service http; reference:cve,2007-3656; classtype:attempted-admin; sid:43761; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt"; flow:to_server,established; file_data; content:"charset=utf-8"; nocase; content:"<script"; nocase; content:"|EF BB BF|"; within:25; fast_pattern; metadata:service smtp; reference:cve,2008-4065; classtype:attempted-admin; sid:43749; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt"; flow:to_client,established; file_data; content:"charset=utf-8"; nocase; content:"<script"; nocase; content:"|EF BB BF|"; within:25; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2008-4065; classtype:attempted-admin; sid:43748; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt"; flow:to_server,established; file_data; content:"window.frameElement"; content:"removeChild"; within:50; content:"window.frameElement"; within:50; content:"window.frameElement"; distance:0; content:"removeChild"; within:50; content:"window.frameElement"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43747; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt"; flow:to_client,established; file_data; content:"window.frameElement"; content:"removeChild"; within:50; content:"window.frameElement"; within:50; content:"window.frameElement"; distance:0; content:"removeChild"; within:50; content:"window.frameElement"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43746; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt"; flow:to_server,established; file_data; content:".style.display"; content:"inherit"; within:15; content:"insertBefore("; content:"createElementNS("; content:".appendChild("; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43745; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt"; flow:to_client,established; file_data; content:".style.display"; content:"inherit"; within:15; content:"insertBefore("; content:"createElementNS("; content:".appendChild("; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43744; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName("; content:".__proto__"; content:"null"; within:10; content:"dump("; within:50; fast_pattern; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43743; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName("; content:".__proto__"; content:"null"; within:10; content:"dump("; within:50; fast_pattern; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43742; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt "; flow:to_server,established; file_data; content:"<frameset"; content:"cols="; within:50; content:"onload="; within:25; content:"<frame"; within:50; content:"<frame"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43741; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt"; flow:to_client,established; file_data; content:"<frameset"; content:"cols="; within:50; content:"onload="; within:25; content:"<frame"; within:50; content:"<frame"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43740; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt"; flow:to_server,established; file_data; content:"data:image/svg+xml|3B|charset=utf-8"; content:"SVGZoom"; fast_pattern:only; content:"documentElement.currentScale"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43739; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt"; flow:to_client,established; file_data; content:"data:image/svg+xml|3B|charset=utf-8"; content:"SVGZoom"; fast_pattern:only; content:"documentElement.currentScale"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43738; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt"; flow:to_server,established; content:"Content-Type: application/vnd.mozilla.xul+xml"; file_data; content:"document.createElementNS("; content:".commandDispatcher.addCommandUpdater("; fast_pattern:only; content:".commandDispatcher.updateCommands("; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43737; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt"; flow:to_client,established; content:"Content-Type: application/vnd.mozilla.xul+xml"; file_data; content:"document.createElementNS("; content:".commandDispatcher.addCommandUpdater("; fast_pattern:only; content:".commandDispatcher.updateCommands("; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43736; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementById("; content:"path"; within:10; content:".pathSegList.getItem("; fast_pattern; content:"-"; within:5; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:43735; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript contentWindow in an iframe exploit attempt"; flow:to_server,established; file_data; content:"contentWindow.document"; content:".designMode"; within:100; fast_pattern; content:"on"; within:10; nocase; content:".contentWindow"; distance:0; content:".focus"; within:50; content:"<iframe"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,17671; reference:cve,2006-1993; classtype:attempted-user; sid:43706; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt"; flow:to_server,established; file_data; content:"&#xdc"; fast_pattern:only; content:"&#xdc"; content:"&#xdc"; distance:0; content:"&#xdc"; distance:0; metadata:service smtp; reference:bugtraq,31346; reference:cve,2008-4066; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-admin; sid:43673; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products obfuscated cross site scripting attempt"; flow:to_client,established; file_data; content:"&#xdc"; fast_pattern:only; content:"&#xdc"; content:"&#xdc"; distance:0; content:"&#xdc"; distance:0; metadata:service http; reference:bugtraq,31346; reference:cve,2008-4066; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-admin; sid:43672; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox large window null pointer dereference attempt"; flow:to_server,established; file_data; content:"window.open("; nocase; content:"toolbar=yes"; within:100; nocase; content:"width="; within:100; nocase; content:"height="; within:150; distance:-100; nocase; pcre:"/window\x2eopen\x28[^\x29]*?toolbar=yes[^)]*?width=[\d]{9}[^)]*?height=[\d]{9}/i"; metadata:service smtp; reference:url,securityfocus.com/bid/67501; classtype:attempted-admin; sid:43652; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox large window null pointer dereference attempt"; flow:to_client,established; file_data; content:"window.open("; nocase; content:"toolbar=yes"; within:100; nocase; content:"width="; within:100; nocase; content:"height="; within:150; distance:-100; nocase; pcre:"/window\x2eopen\x28[^\x29]*?toolbar=yes[^)]*?width=[\d]{9}[^)]*?height=[\d]{9}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,securityfocus.com/bid/67501; classtype:attempted-admin; sid:43651; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox display moz-deck style memory corruption attempt"; flow:to_client,established; file_data; content:"-moz-deck"; fast_pattern:only; metadata:service http; reference:cve,2007-3734; classtype:attempted-user; sid:43644; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox design mode deleted style memory corruption attempt"; flow:to_client,established; file_data; content:"designMode"; fast_pattern; content:"on"; within:10; content:"removeAttribute"; content:"style"; within:10; metadata:service http; reference:cve,2007-3734; classtype:attempted-user; sid:43643; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox multiple vulnerabilities memory corruption attempt"; flow:to_client,established; file_data; content:".style.display"; content:"-moz-grid"; within:25; fast_pattern; nocase; metadata:service http; reference:cve,2006-1738; reference:cve,2007-3734; classtype:attempted-user; sid:43642; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt"; flow:to_server,established; file_data; content:"timedSelect"; fast_pattern:only; content:"view"; content:"selection"; within:25; content:"=null"; within:15; content:"parentNode"; content:"removeChild"; within:25; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:43367; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox domFuzzLite3 table use after free attempt"; flow:to_server,established; file_data; content:"fuzzPriv"; content:"forceGC"; within:25; content:"document.createElement("; content:"table"; within:15; metadata:service smtp; reference:cve,2017-5404; classtype:attempted-admin; sid:43347; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox domFuzzLite3 table use after free attempt"; flow:to_client,established; file_data; content:"fuzzPriv"; content:"forceGC"; within:25; content:"document.createElement("; content:"table"; within:15; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-5404; classtype:attempted-admin; sid:43346; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt"; flow:to_server,established; file_data; content:"<q style=|22|position:relative|3B 22|>"; nocase; content:"<q style=|22|position:relative|3B 22|>"; within:75; nocase; content:".style.position=|27|static|27 3B|"; within:250; nocase; metadata:service smtp; reference:bugtraq,16476; reference:cve,2006-0294; classtype:attempted-user; sid:43960; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt"; flow:to_server,established; file_data; content:"<EMBED"; nocase; content:"PLUGINSPAGE"; distance:0; nocase; pcre:"/<EMBED[^\x3E]*?PLUGINSPAGE\s*=[\x22\x27][^\x3E]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/smi"; metadata:service smtp; reference:bugtraq,13228; reference:cve,2005-0752; classtype:attempted-user; sid:43954; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt"; flow:to_server,established; file_data; content:".__lookupGetter__|3B|"; fast_pattern:only; metadata:service smtp; reference:cve,2010-3183; classtype:attempted-admin; sid:44010; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt"; flow:to_client,established; file_data; content:".__lookupGetter__|3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3183; classtype:attempted-admin; sid:44009; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox memory corruption attempt"; flow:to_server,established; file_data; content:"void 0x10000"; content:"void"; within:50; content:"export undefined"; within:75; content:"void 125"; within:50; content:"eval("; within:25; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0777; classtype:attempted-admin; sid:44049; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox memory corruption attempt"; flow:to_client,established; file_data; content:"void 0x10000"; content:"void"; within:50; content:"export undefined"; within:75; content:"void 125"; within:50; content:"eval("; within:25; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0777; classtype:attempted-admin; sid:44048; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox memory corruption attempt"; flow:to_server,established; file_data; content:"Script("; content:".compile("; within:100; content:".join(Array("; within:100; content:".join(Array("; within:25; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0777; classtype:attempted-admin; sid:44047; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox memory corruption attempt"; flow:to_client,established; file_data; content:"Script("; content:".compile("; within:100; content:".join(Array("; within:100; content:".join(Array("; within:25; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0777; classtype:attempted-admin; sid:44046; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox invalid watchpoint memory corruption attempt"; flow:to_server,established; file_data; content:".watch("; content:".unwatch("; within:50; content:".unwatch("; within:50; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-0777; classtype:attempted-admin; sid:44045; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox invalid watchpoint memory corruption attempt"; flow:to_client,established; file_data; content:".watch("; content:".unwatch("; within:50; content:".unwatch("; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0777; classtype:attempted-admin; sid:44044; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla browsers JavaScript argument passing code execution attempt"; flow:to_server,established; file_data; content:"arguments="; content:"for (|3B 3B|) { arguments()|3B|"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,22694; reference:cve,2007-0777; classtype:attempted-user; sid:44043; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt"; flow:to_server,established; file_data; content:"<a xmlns:v=|5C|"; content:"XML("; content:".toXMLString()"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0297; classtype:attempted-admin; sid:44147; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt"; flow:to_client,established; file_data; content:"<a xmlns:v=|5C|"; content:"XML("; content:".toXMLString()"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0297; classtype:attempted-admin; sid:44146; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter { float|3A| "; fast_pattern:only; content:"|5B 22|setAttribute|22 5D 28|'style', 'display|3A| table-cell'"; content:"|5B 22|style|22 5D 5B 22|display|22 5D|= 'none'"; within:62; metadata:service http; reference:bugtraq,36866; reference:cve,2009-3382; reference:url,mozilla.org/en-US/security/advisories/mfsa2009-64/; classtype:attempted-user; sid:44978; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"-moz-border-radius-"; content:"|3A|"; within:20; byte_test:10,>,10000,0,relative,string; metadata:service http; reference:cve,2006-1739; classtype:attempted-user; sid:44991; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla SSL certificate spoofing attempt"; flow:to_client,established; file_data; content:"<meta http-equiv=|22|refresh|22| content=|22|1|3B|"; fast_pattern:only; content:"document.write"; nocase; content:"document.close("; within:200; nocase; content:"window.location.reload("; within:200; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0763; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=253121; classtype:misc-attack; sid:45127; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_server,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"Array("; nocase; byte_test:10,>,0x3FFFFFFE,0,relative,string,dec; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45184; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_client,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"Array("; nocase; byte_test:10,>,0x3FFFFFFE,0,relative,string,dec; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45183; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_server,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"var"; content:"="; within:30; byte_test:10,>,0x3FFFFFFE,0,relative,string,dec; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45182; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_client,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"var"; content:"="; within:30; byte_test:10,>,0x3FFFFFFE,0,relative,string,dec; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45181; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_server,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"Array("; nocase; byte_test:10,>,0x3FFFFFFE,0,relative,string,hex; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45180; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_server,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"var"; content:"="; within:30; byte_test:10,>,0x3FFFFFFE,0,relative,string,hex; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45179; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_client,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"Array("; nocase; byte_test:10,>,0x3FFFFFFE,0,relative,string,hex; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45178; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox SOAPParameter integer overflow attempt"; flow:to_client,established; file_data; content:"SOAPParameter("; fast_pattern:only; content:"Array("; nocase; content:"SOAPParameter("; within:200; nocase; content:"var"; content:"="; within:30; byte_test:10,>,0x3FFFFFFE,0,relative,string,hex; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0722; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=236618; classtype:attempted-user; sid:45177; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeContentView double-free memory corruption attempt"; flow:to_server,established; file_data; content:"<treechildren"; fast_pattern:only; nocase; content:"optgroup"; nocase; content:"option"; within:60; nocase; content:"document.getElementById"; within:300; content:".parentNode.removeChild"; within:300; nocase; content:"null"; within:75; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,39128; reference:cve,2010-0176; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2010-18.html; classtype:attempted-user; sid:45176; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla download directory file deletion attempt"; flow:to_server,established; file_data; content:"<a href=|22|data:application/octet-stream,hello|22|>"; fast_pattern:only; metadata:service smtp; reference:cve,2004-2225; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=259708; classtype:attempted-user; sid:45174; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla download directory file deletion attempt"; flow:to_client,established; file_data; content:"<a href=|22|data:application/octet-stream,hello|22|>"; fast_pattern:only; metadata:service http; reference:cve,2004-2225; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=259708; classtype:attempted-user; sid:45173; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox buffer overflow attempt"; flow:to_server,established; file_data; content:"<a href=|22|http://|E0 90 B6 E0 90 BC E0 90 B8 2D E0 91 81 E0 91 8E E0 90 B4 E0 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0902; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=256316; classtype:attempted-user; sid:45172; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox buffer overflow attempt"; flow:to_client,established; file_data; content:"<a href=|22|http://|E0 90 B6 E0 90 BC E0 90 B8 2D E0 91 81 E0 91 8E E0 90 B4 E0 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0902; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=256316; classtype:attempted-user; sid:45171; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Multiple browser pressure function denial of service attempt"; flow:to_client, established; file_data; content:"tab_var[tab_var.length]"; content:"new ArrayBuffer(0x"; within:25; content:"000"; within:3; distance:1; content:"onload"; within:100; metadata:service http; reference:cve,2014-1512; classtype:denial-of-service; sid:45206; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox DOM event handler privilege escalation attempt"; flow:to_server,established; file_data; content:".handleEvent"; content:"Components.lookupMethod"; fast_pattern:only; content:".addEventListener"; content:".addEventListener"; within:300; content:"about:blank"; metadata:service smtp; reference:cve,2007-3737; classtype:attempted-admin; sid:45247; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOM event handler privilege escalation attempt"; flow:to_client,established; file_data; content:".handleEvent"; content:"Components.lookupMethod"; fast_pattern:only; content:".addEventListener"; content:".addEventListener"; within:300; content:"about:blank"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-3737; classtype:attempted-admin; sid:45246; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox HTTP index format out of bounds read attempt"; flow:to_client,established; content:"application/http-index-format"; fast_pattern:only; http_header; file_data; content:"200:"; content:"201:"; distance:0; pcre:"/201:[^\n]*?[\x22\x27][^\x22\x27]*?[\n]/s"; metadata:service http; reference:cve,2017-5444; classtype:attempted-admin; sid:45476; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox Javascript Function focus overflow attempt"; flow:to_server,established; file_data; content:"window"; nocase; content:"document.designMode"; within:150; fast_pattern; content:"on"; within:10; nocase; content:"window"; nocase; content:"open"; within:15; nocase; content:"window"; within:75; nocase; content:"window"; within:75; nocase; content:"<iframe"; metadata:service smtp; reference:bugtraq,17671; reference:cve,2006-1993; classtype:attempted-user; sid:45576; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox nsHTMLDocument SetBody use-after-free attempt"; flow:to_server,established; file_data; content:"addEventListener(|22|DOM"; fast_pattern; nocase; content:"parentNode.removeChild"; within:500; nocase; content:"documentElement"; within:500; nocase; pcre:"/(?P<root>\w+)\.parentNode\.removeChild\(\s*(?P=root)\s*\).*?var\s*(?P=root)\s*=\s*\w+\.documentElement/si"; metadata:service smtp; reference:cve,2016-1961; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1342258; classtype:attempted-admin; sid:46781; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsHTMLDocument SetBody use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener(|22|DOM"; fast_pattern; nocase; content:"parentNode.removeChild"; within:500; nocase; content:"documentElement"; within:500; nocase; pcre:"/(?P<root>\w+)\.parentNode\.removeChild\(\s*(?P=root)\s*\).*?var\s*(?P=root)\s*=\s*\w+\.documentElement/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1961; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1342258; classtype:attempted-admin; sid:46767; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "BROWSER-FIREFOX Mozilla Firefox nsHTMLDocument SetBody use-after-free attempt"; flow:to_server,established; file_data; content:"documentElement"; nocase; content:"addEventListener(|22|DOM"; fast_pattern; nocase; within:500; content:"parentNode.removeChild"; within:500; nocase; pcre:"/var\s*(?P<root>\w+)\s*=\s*\w+\.documentElement.*?(?P=root)\.parentNode\.removeChild\(\s*(?P=root)\s*\)/si"; metadata:service smtp; reference: cve,2016-1961; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1342258; classtype:attempted-admin; sid:46766; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox nsHTMLDocument SetBody use-after-free attempt"; flow:to_client,established; file_data; content:"documentElement"; nocase; content:"addEventListener(|22|DOM"; fast_pattern; nocase; within:500; content:"parentNode.removeChild"; within: 500; nocase; pcre:"/var\s*(?P<root>\w+)\s*=\s*\w+\.documentElement.*?(?P=root)\.parentNode\.removeChild\(\s*(?P=root)\s*\)/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1961; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1342258; classtype:attempted-admin; sid:46765; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt"; flow:to_client,established; file_data; content:"foo.replace|28|foo, foo|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3075; classtype:attempted-user; sid:46913; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt"; flow:to_client,established; file_data; content:"str.replace|28|str, str|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36343; reference:cve,2009-3075; classtype:attempted-user; sid:46912; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt"; flow:to_server,established; file_data; content:"ContentFrameMessageManager"; content:"sendAsyncMessage("; distance:0; content:"Prompt:Open"; within:15; metadata:service smtp; classtype:attempted-user; sid:48225; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt"; flow:to_client,established; file_data; content:"ContentFrameMessageManager"; content:"sendAsyncMessage("; distance:0; content:"Prompt:Open"; within:15; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48224; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt"; flow:to_server,established; file_data; content:"objs[i] = {x: 'asd', p1: {}, p2: {}, p3: {}, p4: x, p5: x, p6: {}}|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12386; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2018-24/#CVE-2018-12386; classtype:attempted-user; sid:48565; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt"; flow:to_client,established; file_data; content:"objs[i] = {x: 'asd', p1: {}, p2: {}, p3: {}, p4: x, p5: x, p6: {}}|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12386; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2018-24/#CVE-2018-12386; classtype:attempted-user; sid:48564; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt"; flow:to_server,established; file_data; content:"Array.prototype.push.call(a,"; fast_pattern:only; content:"new Uint32Array(convert)"; content:"new Float64Array(convert)"; within:45; content:"offsets.forEach((offset)"; within:65; distance:1310; content:"document.body.appendChild(el)"; within:75; distance:440; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12387; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-12387; classtype:attempted-user; sid:48626; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt"; flow:to_client,established; file_data; content:"Array.prototype.push.call(a,"; fast_pattern:only; content:"new Uint32Array(convert)"; content:"new Float64Array(convert)"; within:45; content:"offsets.forEach((offset)"; within:70; distance:960; content:"document.body.appendChild(el)"; within:75; distance:320; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12387; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-12387; classtype:attempted-user; sid:48625; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt"; flow:to_server,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"appendItem"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:49918; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt"; flow:to_client,established; file_data; content:"<script"; content:"animVal"; distance:0; fast_pattern; content:"appendItem"; content:"animVal"; within:350; content:"<svg"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-1563; reference:url,mozilla.org/security/announce/2014/mfsa2014-68.html; classtype:attempted-user; sid:49917; rev:1;)

2504
docker/etc/rules/browser-ie.rules Archivo normal



@@ -0,0 +1,95 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# BROWSER-OTHER RULES
#---------------------
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt"; flow:to_server,established; file_data; content:"nim:import?"; fast_pattern; nocase; content:"filename="; distance:0; nocase; isdataat:486,relative; content:!">"; within:486; pcre:"/nim:import\?[^\x22\x27>\s]*?filename=[^\x22\x27>\s]{485}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1085; reference:url,www.novell.com/support/kb/doc.php?id=7011935; classtype:attempted-user; sid:26490; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt"; flow:to_client,established; file_data; content:"nim:import?"; fast_pattern; nocase; content:"filename="; distance:0; nocase; isdataat:486,relative; content:!">"; within:486; pcre:"/nim:import\?[^\x22\x27>\s]*?filename=[^\x22\x27>\s]{485}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1085; reference:url,www.novell.com/support/kb/doc.php?id=7011935; classtype:attempted-user; sid:26489; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera browser window null pointer dereference attempt"; flow:to_client,established; file_data; content:"window.open|28|"; content:"document.createElement|28|"; within:50; nocase; content:"document.body.appendChild|28|"; within:50; nocase; content:".close|28|"; within:50; nocase; content:"document.cloneNode|28|"; within:50; nocase; metadata:service http; reference:bugtraq,46872; classtype:attempted-user; sid:25653; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_server,established; file_data; content:"window.opera.collect|28 29|"; fast_pattern:only; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use"; within:3; distance:2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:service smtp; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25622; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; fast_pattern:only; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use"; within:3; distance:2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER suspicious named empty form detected"; flow:to_client,established; file_data; content:"<form "; content:"</form>"; within:30; pcre:"/<form\s*id\s*=\s*\x22[^\x22]*\x22\s*>\s*<\x2fform>/smi"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:25124; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-OTHER Puffin Browser usage detected"; flow:to_server,established; content:"X-Puffin-UA|3A| "; fast_pattern:only; http_header; metadata:service http; reference:url,www.puffinbrowser.com; classtype:policy-violation; sid:24474; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)"; within:100; nocase; content:"getContext(|27|2d|27|)"; within:200; nocase; content:"createImageData("; within:200; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera Web Browser History Search Input validation vulnerability"; flow:established,to_client; file_data; content:"<html"; content:"#<script"; distance:0; fast_pattern; content:"</html>"; distance:0; metadata:service http; reference:bugtraq,31869; reference:cve,2008-4696; classtype:attempted-user; sid:21399; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Multiple web browser window injection attempt"; flow:to_client,established; file_data; content:"onunload"; fast_pattern; content:"open"; nocase; pcre:"/(\S*)onunload\s*\x3D\s*([^\x3B]*)\x3B\s*\x7D\s*function\2\s*\x28\s*\x29\s*\x7B[^\x7D]*\1open[^\x7D]*\x7D/smi"; metadata:service http; reference:cve,2004-1155; classtype:misc-attack; sid:20743; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera Config File script access attempt"; flow:to_client,established; file_data; content:"opera|3A|config"; fast_pattern; nocase; content:"opera|3A|cache"; nocase; metadata:service http; classtype:attempted-user; sid:20535; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera asynchronous document modifications attempted memory corruption"; flow:to_client,established; file_data; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|"; distance:0; content:"function doit|28 29|"; distance:0; content:"document.write"; distance:0; content:"setInterval|28|loop,0|29|"; distance:0; metadata:service http; reference:url,secunia.com/advisories/39590/; reference:url,www.opera.com/support/kb/view/953/; classtype:attempted-user; sid:16592; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Mozilla Netscape XMLHttpRequest local file read attempt"; flow:to_client,established; file_data; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; metadata:ruleset community, service http; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BROWSER-OTHER Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:15;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BROWSER-OTHER Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:14;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"BROWSER-OTHER known revoked certificate for Tresor CA"; flow:to_client,established; ssl_state:server_hello; content:"|30 82 03 6C 30 82 02 54 A0 03 02 01 02 02 03 03 1D A7|"; fast_pattern:only; content:"130718100528Z|17 0D|140718100528Z"; content:"AC DG Tr|C3 A9|sor SSL"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,technet.microsoft.com/en-us/security/advisory/2916652; classtype:bad-unknown; sid:28893; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt"; flow:to_server,established; file_data; content:"srcElement.parentNode.removeChild"; pcre:"/srcElement\x2eparentNode\x2eremoveChild\s*\x28[^\x29]*srcElement/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:30959; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER suspicious srcElement child element removal - possible use after free attempt"; flow:to_client,established; file_data; content:"srcElement.parentNode.removeChild"; pcre:"/srcElement\x2eparentNode\x2eremoveChild\s*\x28[^\x29]*srcElement/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:30958; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Android WebView same origin policy bypass attempt"; flow:to_client,established; file_data; content:"window.open"; content:"00javascript|3A|"; within:30; content:"document"; within:50; reference:bugtraq,69548; reference:cve,2014-6041; classtype:misc-activity; sid:32029; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-OTHER WGet symlink arbitrary file write attempt"; flow:to_client,established; content:"total "; depth:6; content:"|0D 0A|l"; within:20; content:" -> "; within:100; metadata:policy max-detect-ips drop, service ftp-data; reference:bugtraq,70751; reference:cve,2014-4877; classtype:attempted-user; sid:32375; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-OTHER FreeBSD tnftp client detected"; flow:to_server,established; content:"User-Agent|3A| tnftp/"; fast_pattern:only; http_header; flowbits:set,tnftp; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; sid:32525; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt"; flow:to_client,established; flowbits:isset,tnftp; content:"Location|3A|"; http_header; content:"/|7C|"; distance:0; fast_pattern; http_header; pcre:"/^Location\x3a\s[^\s\r\n]+?\x2f\x7c/Hmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,70792; reference:cve,2014-8517; classtype:attempted-user; sid:32524; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER FreeBSD tnftp fetch_url client side command injection attempt"; flow:to_client,established; flowbits:isset,tnftp; content:"Location|3A|"; http_header; content:"/%7C"; distance:0; fast_pattern; nocase; http_header; pcre:"/^Location\x3a\s[^\s\r\n]+?\x2f%7C/Hmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,70792; reference:cve,2014-8517; classtype:attempted-user; sid:32523; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-OTHER Microsoft Internet Explorer cross site scripting filter bypass attempt"; flow:to_server,established; content:"%U00"; fast_pattern:only; content:"%U00"; http_raw_uri; pcre:"/(script|onload|src|alert)/Ii"; metadata:service http; reference:cve,2014-6328; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:attempted-user; sid:32713; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"BROWSER-OTHER Network Security Services NSS library RSA signature forgery attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|2A 86 48 86 F7 0D 01 01 05|"; fast_pattern; content:"|03|"; within:1; distance:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; distance:3; metadata:service ssl; reference:bugtraq,70116; reference:cve,2014-1568; reference:url,googlechromereleases.blogspot.ca/2014/09/stable-channel-update_24.html; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2014-73/; classtype:misc-activity; sid:33664; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Opera SVG use after free memory corruption attempt"; flow:to_server,established; content:"filename="; nocase; content:".svg"; within:100; nocase; file_data; content:"clip-path="; nocase; content:"xlink:href="; within:90; nocase; content:"getElementById"; distance:0; nocase; content:"setAttribute"; within:30; nocase; content:"clip-path"; within:12; nocase; metadata:service smtp; reference:bugtraq,57633; reference:cve,2013-1638; classtype:attempted-dos; sid:34171; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera SVG use after free memory corruption attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"clip-path="; nocase; content:"xlink:href="; within:90; nocase; content:"getElementById"; distance:0; nocase; content:"setAttribute"; within:30; nocase; content:"clip-path"; within:12; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,57633; reference:cve,2013-1638; classtype:attempted-dos; sid:34170; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER local loopback address in html"; flow:to_client,established; file_data; content:"http|3A 2F 2F|127."; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,tools.ietf.org/html/rfc990; classtype:unknown; sid:26879; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera file URI handling buffer overflow"; flow:to_client,established; file_data; content:"var file = |22|file|3A 2F 2F 22 3B 0A 0A|"; nocase; content:"var i = 0|3B| i<16438|3B|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32323; reference:cve,2008-5178; classtype:attempted-user; sid:18597; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera file URI handling buffer overflow"; flow:to_client,established; file_data; content:"file|3A 2F 2F|"; fast_pattern:only; pcre:"/(src|href)\s*=\s*(\x22|\x27|)file\x3a\x2f\x2f[^\s\x22\x27]{900}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32323; reference:cve,2008-5178; classtype:attempted-user; sid:17725; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera browser document writing uninitialized memory access attempt"; flow:to_client,established; file_data; content:"document.write"; content:"setInterval"; fast_pattern:only; pcre:"/function\s+(?P<func>[a-z\x5F]+).+?\x7B[^\x7D]+?document\x2Ewrite[^\x7D]+?setInterval\x28(?P=func)/is"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39855; reference:cve,2010-1728; classtype:attempted-user; sid:17165; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera Content-Length header integer overflow attempt"; flow:to_client,established; content:"Content-Length"; nocase; http_header; pcre:"/^Content-Length\s*\x3A\s*[^\n]{20}/miH"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38519; reference:cve,2010-1349; reference:url,www.hack0wn.com/view.php?xroot=672.0&cat=exploits; classtype:attempted-user; sid:16481; rev:12;)
# alert tcp $EXTERNAL_NET [8088,$HTTP_PORTS] -> $HOME_NET any (msg:"BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt"; flow:to_client,established; content:"Transfer-Encoding"; nocase; http_header; content:"chunked"; fast_pattern; nocase; http_header; pkt_data; pcre:"/^Transfer-Encoding\s*\x3a\s*chunked.*\n0*[8-9a-f][0-9a-f]{7}\s*\n/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35462; reference:cve,2005-2922; reference:cve,2009-0086; reference:cve,2009-2121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-013; classtype:attempted-user; sid:15462; rev:20;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Google Chrome invalid URI denial of service attempt"; flow:to_client,established; file_data; content:"href"; content:"%0%30"; within:45; metadata:service http; reference:url,code.google.com/p/chromium/issues/detail?id=533361; classtype:denial-of-service; sid:36378; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Google Chrome invalid URI denial of service attempt"; flow:to_client,established; file_data; content:"href"; content:"%%30"; within:45; metadata:service http; reference:url,code.google.com/p/chromium/issues/detail?id=533361; classtype:denial-of-service; sid:36377; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Apple iOS CoreGraphics library PDF embedded image handling information leak attempt"; flow:to_client,established; file_data; content:"dyld_shared_cache_offset"; fast_pattern:only; content:"createElement"; nocase; content:"canvas"; within:20; nocase; content:".drawImage"; within:500; nocase; content:"getImageData"; within:250; nocase; metadata:service http; reference:bugtraq,69915; reference:cve,2014-4378; reference:url,support.apple.com/en-us/HT204532; classtype:attempted-recon; sid:38135; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER ICY HTTP version evasion attempt"; flow:to_client,established; content:"ICY 200 "; depth:8; content:!"icy-"; nocase; metadata:policy max-detect-ips drop, service http; classtype:non-standard-protocol; sid:38382; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER HTTP characters prior to header evasion attempt"; flow:to_client,established; content:"http"; depth:24; fast_pattern; nocase; content:!"http"; depth:4; nocase; pcre:"/^.{1,20}HTTP\s*\x2f\s*[12]\.[01]/i"; metadata:policy max-detect-ips drop, service http; classtype:non-standard-protocol; sid:38381; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt"; flow:to_client,established; file_data; content:"<Novell>"; content:"<folder"; fast_pattern; nocase; content:"name"; within:50; content:"|27|"; within:50; isdataat:200,relative; pcre:"/folder\s*name\s*=\s*[\x27][^\x27]{200}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,52062; classtype:attempted-user; sid:39709; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt"; flow:to_server,established; file_data; content:"<Novell>"; content:"<folder"; fast_pattern; nocase; content:"name"; within:50; content:"|27|"; within:50; isdataat:200,relative; pcre:"/folder\s*name\s*=\s*[\x27][^\x27]{200}/i"; metadata:service smtp; reference:bugtraq,52062; classtype:attempted-user; sid:39708; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt"; flow:to_client,established; file_data; content:"<Novell>"; content:"<folder"; fast_pattern; nocase; content:"name"; within:50; content:"|22|"; within:50; isdataat:200,relative; pcre:"/folder\s*name\s*=\s*[\x22][^\x22]{200}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,52062; classtype:attempted-user; sid:39707; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt"; flow:to_server,established; file_data; content:"<Novell>"; content:"<folder"; fast_pattern; nocase; content:"name"; within:50; content:"|22|"; within:50; isdataat:200,relative; pcre:"/folder\s*name\s*=\s*[\x22][^\x22]{200}/i"; metadata:service smtp; reference:bugtraq,52062; classtype:attempted-user; sid:39706; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Android Browser potential denial of service attempt"; flow:to_client,established; content:"market|3A|//"; fast_pattern:only; content:"createElement("; content:"iframe"; within:7; content:"src"; distance:0; content:"market|3A|//"; within:15; metadata:service http; reference:cve,2012-6301; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/android/android_stock_browser_iframe.rb; classtype:denial-of-service; sid:40361; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Android browser file exfiltration attempt"; flow:to_client,established; file_data; content:"file:///data/data/com.android.browser/"; fast_pattern:only; nocase; content:"javascript://"; nocase; metadata:service http; reference:url,android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0; classtype:attempted-recon; sid:40458; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Cisco WebEx extension command execution attempt"; flow:to_server,established; file_data; file_data; content:"CustomEvent"; nocase; content:"connect"; within:50; nocase; content:"CustomEvent"; nocase; content:"message"; within:50; nocase; content:"message_type"; nocase; content:"launch_meeting"; within:50; nocase; content:"GpcComponentName"; fast_pattern; content:!"YXRtY2NsaS5ETEw="; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:attempted-admin; sid:41408; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Cisco WebEx extension command execution attempt"; flow:to_client,established; file_data; content:"CustomEvent"; nocase; content:"connect"; within:50; nocase; content:"CustomEvent"; nocase; content:"message"; within:50; nocase; content:"message_type"; nocase; content:"launch_meeting"; within:50; nocase; content:"GpcComponentName"; fast_pattern; content:!"YXRtY2NsaS5ETEw="; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:attempted-admin; sid:41407; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Apple Safari nested xml tag denial of service attempt"; flow:to_server,established; file_data; content:">|5C|<"; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; metadata:service smtp; reference:cve,2009-1233; classtype:denial-of-service; sid:43517; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Apple Safari nested xml tag denial of service attempt"; flow:to_client,established; file_data; content:">|5C|<"; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; content:">|5C|<"; within:3; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-1233; classtype:denial-of-service; sid:43516; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-OTHER Foscam IP Camera User-Agent string detected"; flow:to_server,established; content:"User-Agent: Foscam"; fast_pattern:only; http_header; flowbits:set,foscam_ua; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:43080; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Opera animation element denial of service attempt"; flow:to_server,established; file_data; content:"<svg"; nocase; content:"<animation"; nocase; content:"xlink:href"; within:25; nocase; content:"#"; within:5; metadata:service smtp; reference:url,support.ixiacom.com/strikes/denial/browser/opera_svg_animation_element_denial.xml; classtype:denial-of-service; sid:43827; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera animation element denial of service attempt"; flow:to_client,established; file_data; content:"<svg"; nocase; content:"<animation"; nocase; content:"xlink:href"; within:25; nocase; content:"#"; within:5; metadata:service ftp-data, service http, service imap, service pop3; reference:url,support.ixiacom.com/strikes/denial/browser/opera_svg_animation_element_denial.xml; classtype:denial-of-service; sid:43826; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Apple Safari document.write buffer overflow attempt"; flow:to_server,established; file_data; content:"=1|3B|while("; nocase; content:"++) document.write("; within:50; fast_pattern; isdataat:1000,relative; content:!")"; within:1000; metadata:service smtp; reference:cve,2008-2000; classtype:attempted-admin; sid:44051; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Apple Safari document.write buffer overflow attempt"; flow:to_client,established; file_data; content:"=1|3B|while("; nocase; content:"++) document.write("; within:50; fast_pattern; isdataat:1000,relative; content:!")"; within:1000; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2008-2000; classtype:attempted-admin; sid:44050; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Adobe Acrobat Pro WebCapture information disclosure attempt"; flow:to_server,established; file_data; content:"<keygen"; content:"challange"; within:100; content:"|5C|8}spA|28|"; within:25; fast_pattern; metadata:service smtp; reference:cve,2017-16408; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45043; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Adobe Acrobat Pro WebCapture information disclosure attempt"; flow:to_client,established; file_data; content:"<keygen"; content:"challange"; within:100; content:"|5C|8}spA|28|"; within:25; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16408; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45042; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER IBM Notes denial of service attempt"; flow:to_client,established; file_data; content:"setInterval(|22|f.click()|22|, 1)|3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,100632; reference:cve,2017-1130; reference:url,ibm.com/support/docview.wss?uid=swg21999384; classtype:denial-of-service; sid:45257; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER IBM Notes denial of service attempt"; flow:to_server,established; file_data; content:"setInterval(|22|f.click()|22|, 1)|3B|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,100632; reference:cve,2017-1130; reference:url,ibm.com/support/docview.wss?uid=swg21999384; classtype:denial-of-service; sid:45256; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt"; flow:to_server,established; file_data; content:"String.fromCharCode(257)"; fast_pattern:only; content:"escape("; metadata:policy max-detect-ips drop, service smtp; reference:url,www.apple.com/safari/; classtype:denial-of-service; sid:45355; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt"; flow:to_client,established; file_data; content:"String.fromCharCode(257)"; fast_pattern:only; content:"escape("; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.apple.com/safari/; classtype:denial-of-service; sid:45354; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Multiple browser long unicode string denial of service attempt"; flow:to_server,established; file_data; content:"unescape(|22|%u"; fast_pattern; content:"unescape(|22|%u"; within:200; content:"<body onLoad"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:url,www.exploit-db.com/exploits/12493/; classtype:denial-of-service; sid:45303; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Multiple browser long unicode string denial of service attempt"; flow:to_client,established; pkt_data; content:"unescape(|22|%u"; fast_pattern; content:"unescape(|22|%u"; within:200; file_data; content:"<body onLoad"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.exploit-db.com/exploits/12493/; classtype:denial-of-service; sid:45302; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Mozilla Firefox table object integer underflow"; flow:to_server,established; file_data; content:"WebAssembly.Table("; content:".grow("; within:500; metadata:service smtp; reference:cve,2018-5093; classtype:attempted-admin; sid:46399; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Mozilla Firefox table object integer underflow"; flow:to_client,established; file_data; content:"WebAssembly.Table("; content:".grow("; within:500; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5093; classtype:attempted-admin; sid:46398; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER HTTP encoding header evasion attempt"; flow:to_client,established; content:"|0D 0D|Content-Encoding"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:policy-violation; sid:46444; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER HTTP encoding header evasion attempt"; flow:to_client,established; content:"|0D 0D|Transfer-Encoding"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:policy-violation; sid:46443; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Electron nodeIntegration bypass exploit attempt"; flow:to_server, established; file_data; content:"new WebView"; content:"setAttribute("; within:400; distance:-200; content:"webpreferences"; within:400; distance:-200; nocase; content:"nodeIntegration=yes"; within:400; distance:-200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-1000136; reference:url,www.electronjs.org/blog/webview-fix; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/; classtype:attempted-user; sid:46855; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Electron nodeIntegration bypass exploit attempt"; flow:to_client, established; file_data; content:"new WebView"; content:"setAttribute("; within:400; distance:-200; content:"webpreferences"; within:400; distance:-200; nocase; content:"nodeIntegration=yes"; within:400; distance:-200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1000136; reference:url,www.electronjs.org/blog/webview-fix; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/; classtype:attempted-user; sid:46854; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Microsoft Edge url spoofing attempt"; flow:to_server,established; file_data; content:"window.open("; content:".document.execCommand("; within:100; fast_pattern; content:"stop"; within:20; nocase; content:".document.close("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-11646; reference:cve,2018-8278; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8278; classtype:attempted-user; sid:47120; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Microsoft Edge url spoofing attempt"; flow:to_client,established; file_data; content:"window.open("; content:".document.execCommand("; within:100; fast_pattern; content:"stop"; within:20; nocase; content:".document.close("; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-11646; reference:cve,2018-8278; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8278; classtype:attempted-user; sid:47119; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera GIF parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|12 0C BB F9 FB 08 14 10 81 A3 C0 8D 9B 07 55 F6 1C 33 90 0E D5 84 38 7A BE E8 E9 37 00 A1 13 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-6470; classtype:attempted-user; sid:49115; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Opera GIF parsing buffer underflow attempt"; flow:to_client,established; file_data; content:"GIF8"; depth:4; content:"|86|"; within:1; distance:6; content:"|00|"; within:1; distance:1; content:"|2C 00 00 00 00|"; within:5; distance:384; content:"|00 07 FE 80|"; within:4; distance:4; content:"|FE|"; within:1; distance:253; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-6470; classtype:attempted-user; sid:49114; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Opera GIF parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"|12 0C BB F9 FB 08 14 10 81 A3 C0 8D 9B 07 55 F6 1C 33 90 0E D5 84 38 7A BE E8 E9 37 00 A1 13 02|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-6470; classtype:attempted-user; sid:49113; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Opera GIF parsing buffer underflow attempt"; flow:to_server,established; file_data; content:"GIF8"; depth:4; content:"|86|"; within:1; distance:6; content:"|00|"; within:1; distance:1; content:"|2C 00 00 00 00|"; within:5; distance:384; content:"|00 07 FE 80|"; within:4; distance:4; content:"|FE|"; within:1; distance:253; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-6470; classtype:attempted-user; sid:49112; rev:2;)



@@ -0,0 +1,99 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------------
# BROWSER-WEBKIT RULES
#----------------------
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_server,established; file_data; content:"document.body.offsetTop"; nocase; content:"absolute"; within:125; nocase; content:"absolute"; within:125; nocase; content:"document.body.offsetTop"; within:200; nocase; pcre:"/var\s+(?P<element1>\w+)\s*?=\s*?document\.getElementById.*?var\s+(?P<element2>\w+)\s*?=\s*?(?P=element1).style.*?(?P=element2)\.height\s*?=\s*?[\x22\x27]\d/si"; metadata:service smtp; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29812; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_server,established; file_data; content:"float:"; content:"document.body.offsetTop"; nocase; content:"absolute"; content:"document.body.offsetTop"; nocase; pcre:"/body\.offsetTop\x3b.*?\.position\s*?=\s*?[\x22\x27]absolute[\x22\x27].*?\.offsetTop\x3b.*?\.height\s*=.*?\.display\s*=/si"; metadata:service smtp; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29811; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_client,established; file_data; content:"document.body.offsetTop"; nocase; content:"absolute"; within:125; nocase; content:"absolute"; within:125; nocase; content:"document.body.offsetTop"; within:200; nocase; pcre:"/var\s+(?P<element1>\w+)\s*?=\s*?document\.getElementById.*?var\s+(?P<element2>\w+)\s*?=\s*?(?P=element1).style.*?(?P=element2)\.height\s*?=\s*?[\x22\x27]\d/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29810; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Google Chrome and Apple Safari CSS float use-after-free attempt"; flow:to_client,established; file_data; content:"float:"; content:"document.body.offsetTop"; nocase; content:"absolute"; content:"document.body.offsetTop"; nocase; pcre:"/body\.offsetTop\x3b.*?\.position\s*?=\s*?[\x22\x27]absolute[\x22\x27].*?\.offsetTop\x3b.*?\.height\s*=.*?\.display\s*=/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48960; reference:cve,2011-2790; classtype:attempted-user; sid:29809; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source"; flow:to_server,established; content:!"googleusercontent"; http_header; content:!"google.com"; http_header; content:"|2F|crx|2F|blobs"; http_uri; content:!"gvt1.com"; http_header; metadata:ruleset community, service http; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:26658; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt"; flow:to_server,established; file_data; content:"http://icl.com/saxon"; fast_pattern:only; content:":output"; nocase; pcre:"/\s*[^>]file=/iR"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,48840; reference:cve,2011-1774; reference:url,attack.mitre.org/techniques/T1220; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:26592; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari SVG Markers Memory Use-After-Free attempt"; flow:to_client,established; file_data; content:"object_whiteList"; fast_pattern:only; content:"shellcode"; nocase; content:"payload"; distance:0; nocase; content:"shellcode"; within:25; nocase; content:"window.open("; within:50; nocase; content:".svg"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46677; reference:cve,2011-1453; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:26259; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari SVG Markers Memory Use-After-Free attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"marker id"; fast_pattern; nocase; content:"removeChild"; distance:0; nocase; content:"document.getElementById"; within:35; nocase; pcre:"/marker id\s*\x3d\s*["']?(?P<m1>\w+)["'\s].*?marker\x2d(start|mid|end).*?removeChild\s*\x28\s*document\x2egetElementById\x28\s*["']?(?P=m1)["'\s]/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46677; reference:cve,2011-1453; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:26258; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_server,established; file_data; content:"<style"; nocase; content:"title"; distance:0; nocase; content:"</style>"; distance:0; content:"<script"; distance:0; nocase; content:"<title"; distance:0; nocase; content:"</script"; distance:0; nocase; metadata:service smtp; reference:cve,2012-3684; reference:url,support.apple.com/kb/HT5485; reference:url,support.apple.com/kb/HT5502; reference:url,support.apple.com/kb/HT5503; classtype:attempted-user; sid:25040; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_server,established; file_data; content:"<style>*"; nocase; content:"</style>"; distance:0; content:"<script"; distance:0; nocase; content:"<title"; distance:0; nocase; content:"</script"; distance:0; nocase; metadata:service smtp; reference:cve,2012-3684; reference:url,support.apple.com/kb/HT5485; reference:url,support.apple.com/kb/HT5502; reference:url,support.apple.com/kb/HT5503; classtype:attempted-user; sid:25039; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari innerHTML use after free exploit attempt"; flow:to_client,established; file_data; content:"setTimeout"; nocase; content:"document.body.innerHTML"; distance:0; nocase; content:"document.getElementById("; distance:0; nocase; content:".innerHTML"; distance:0; nocase; pcre:"/setTimeout.*?\x7b[^\x7d]*document\.body\.innerHTML.*?\x7d.*document\.getElementById\x28(?P<q1>\x22|\x27|)(?P<m1>\w+?)(?P=q1)\x29\.innerHTML.*?div\s+id\s*\x3d\s*(?P<q2>\x22|\x27|)(?P=m1)(?P=q2)/smi"; metadata:service http; reference:bugtraq,48844; reference:cve,2011-0221; classtype:attempted-user; sid:21189; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Webkit Display box rendering corruption attempt"; flow:to_client,established; file_data; content:"-webkit-box"; fast_pattern:only; content:"<script"; nocase; content:"function "; distance:0; nocase; content:".getElementById("; distance:0; nocase; content:".removeChild("; distance:0; nocase; content:".appendChild("; distance:0; nocase; pcre:"/\x2egetelementbyid\x28(?P<m1>\x22|\x27|)(?P<q1>\w+?)(?P=m1).*?\x2eremoveChild\x28(?P<m2>\x22|\x27|)(?P=q1)(?P=m2).*?\x2eappendChild\x28(?P<m3>\x22|\x27|)(?P=q1)(?P=m3)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48960; reference:cve,2011-2818; classtype:attempted-user; sid:20997; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari x-man-page URI terminal escape attempt"; flow:to_client,established; file_data; content:"x-man-page://"; nocase; content:"%1b"; within:100; metadata:service http; reference:bugtraq,13502; reference:cve,2005-1342; classtype:attempted-user; sid:20736; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit SVG memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.svg; content:"|2E|svg"; nocase; content:"documentElement"; distance:0; nocase; pcre:"/\x3cscript.*documentElement\x2e(height|preserveAspectRatio|viewBox|width|x|y)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48844; reference:cve,2011-0222; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:19807; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit SVG memory corruption attempt"; flow:to_client,established; file_data; content:"target|2E|svg"; nocase; content:"arrey_name26|2E|push"; distance:0; nocase; content:"tweak_properties"; distance:0; nocase; metadata:service http; reference:bugtraq,48844; reference:cve,2011-0222; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:19806; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit ParentStyleSheet exploit attempt"; flow:to_client,established; file_data; content:".sheet.rules["; fast_pattern:only; pcre:"/getElementById\(\x22(.*?)\x22\)\.sheet\.rules\[\d+\].*?([A-Z\d_]+)\s*=\s*document\.getElementById\(\x22\1\x22\).*?\s+\2\.parentElement/smi"; metadata:service http; reference:url,svnsearch.org/svnsearch/repos/WEBKIT/search?logMessage=51993; classtype:attempted-user; sid:18508; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|img width=0.3133731337313373133731337"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18295; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var Overflow = |22|31337|22 20 2B 20|0|2E|313373133731337313373133731337"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18294; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari LI tag with large VALUE attribute exploit attempt"; flow:to_client,established; file_data; content:"<li"; nocase; pcre:"/^[^\x3E]+?value\s*\x3D\s*\d{10}/iR"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1988; classtype:attempted-user; sid:17218; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari invalid FRAME tag remote code execution attempt"; flow:to_client,established; file_data; content:"<frame"; nocase; content:"scrolling"; within:100; nocase; isdataat:10,relative; content:!"auto"; within:10; nocase; content:!"yes"; within:10; nocase; content:!"no"; within:10; nocase; pcre:"/\x3Cframe([^\x3E]+scrolling\s*\x3D(?!\s*(\x22|\x27)?\s*(yes|no|auto))){2}/i"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1987; classtype:attempted-user; sid:17217; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari TABLE tag with large CELLSPACING attribute exploit attempt"; flow:to_client,established; file_data; content:"cellspacing"; nocase; pcre:"/^\s*\x3D\s*\d{10}/R"; metadata:service http; reference:bugtraq,17634; reference:cve,2006-1986; classtype:attempted-user; sid:17216; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment"; flow:to_server,established; content:"x-unix-mode"; fast_pattern:only; pcre:"/x-unix-mode\s*\x3D\s*(?(?=\d{4})[0-7]([1357][0-7]{2}|[0-7][1357][0-7]|[0-7]{2}[1357])|([1357][0-7]{2}|[0-7][1357][0-7]|[0-7]{2}[1357]))/smi"; metadata:service smtp; reference:bugtraq,16736; reference:cve,2006-0848; reference:url,www.heise.de/english/newsticker/news/69919; reference:url,www.kb.cert.org/vuls/id/999708; classtype:attempted-user; sid:5714; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt"; flow:to_client,established; file_data; content:"= document.getElementById|28 22|t|22 29|"; fast_pattern; content:"= elem.getAttributeNode|28 27|id|27 29|"; within:50; content:"rows.childNodes|20|setTimeout|28|function|28 29 20 7B|"; within:80; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40642; reference:cve,2010-1119; classtype:attempted-user; sid:29623; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://<"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33631; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://^"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33630; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://|5C|"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33629; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://`"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33628; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://}"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33627; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://|7C|"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33626; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://>"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33625; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://{"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33624; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://%"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33623; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari feeds URI null pointer dereference denial of service attempt"; flow:to_client,established; file_data; content:"href=|27|feed://|22|"; fast_pattern:only; metadata:service http; reference:cve,2009-0744; classtype:denial-of-service; sid:33622; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt"; flow:to_server,established; file_data; content:"<td"; nocase; content:"rowspan"; within:50; nocase; pcre:"/rowspan\s*=\s*[\x22\x27]?\s*\d{6}/si"; metadata:service smtp; reference:cve,2007-0342; classtype:attempted-dos; sid:33911; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt"; flow:to_client,established; file_data; content:"<td"; nocase; content:"rowspan"; within:50; nocase; pcre:"/rowspan\s*=\s*[\x22\x27]?\s*\d{6}/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0342; classtype:attempted-dos; sid:33910; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple WebKit QuickTime plugin content-type http header buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime|file.smil; content:"Content-Type: "; http_header; content:!"|3B|"; within:255; http_header; content:!"|0A|"; within:255; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-3753; reference:url,attack.mitre.org/techniques/T1176; classtype:attempted-user; sid:29394; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_client,established; file_data; content:"<style"; nocase; content:"title"; distance:0; nocase; content:"</style>"; distance:0; content:"<script"; distance:0; nocase; content:"<title"; distance:0; nocase; content:"</script"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-3684; reference:url,support.apple.com/kb/HT5485; reference:url,support.apple.com/kb/HT5502; reference:url,support.apple.com/kb/HT5503; classtype:attempted-user; sid:25038; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt"; flow:to_client,established; file_data; content:"<style>*"; nocase; content:"</style>"; distance:0; content:"<script"; distance:0; nocase; content:"<title"; distance:0; nocase; content:"</script"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-3684; reference:url,support.apple.com/kb/HT5485; reference:url,support.apple.com/kb/HT5502; reference:url,support.apple.com/kb/HT5503; classtype:attempted-user; sid:25037; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit form elements virtual function DoS attempt"; flow:established,to_client; file_data; content:" form="; fast_pattern; content:"<form"; nocase; content:"</form>"; distance:0; nocase; content:" form="; distance:0; nocase; pcre:"/<form\s[^>]*?id=[^>]+?>[^<]*?<\/form>.*?<\w+(?<!form)\s[^>]*?form=/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2813; reference:url,support.apple.com/kb/HT4981; classtype:attempted-dos; sid:25036; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT WebKit button column memory corruption attempt"; flow:to_client,established; file_data; content:"-webkit-column-span"; fast_pattern; nocase; content:"document.documentElement.offsetTop"; distance:0; pcre:"/(function\s+(?P<function>[a-z0-9_\-]+)\(\)\s*\{.*?(?P<div>[a-z0-9_\-]+)\s*=\s*document\.createElement\('div'\)\x3b.*?(?P=div)\.style\['-webkit-column-span'\]\s*=\s*'all'\x3b.*?document\.getElementById\(\"(?P<button>[a-z0-9_\-]+)\"\)\.appendChild\((?P=div)\)\x3b.*?document\.documentElement\.offsetTop\x3b.*?\<body[^>]*?onload\s*=\s*\"(?P=function)\(\)\"[^>]*?>.*?<button[^>]*?id\s*=\s*\"(?P=button)\"[^>]*?style\s*=\s*\"[^\"]*?-webkit-column-width\x3a1px\"[^>]*?>)|(<style>.*?\{\s*-webkit-column-span\x3a\s*all\x3b.*?function\s+(?P<function2>[a-z0-9_\-]+)\(\)\s*\{.*?(?P<div2>[a-z0-9_\-]+)*\s*=\s*document\.createElement\('div'\)\x3b.*?(?P<button2>[a-z0-9_\-]+)\s*=\s*document\.createElement\('button'\)\x3b.*?document\.documentElement.appendChild\((?P=button2)\)\x3b.*?(?P=button2)\.appendChild\((?P=div2)\).*?document\.documentElement\.offsetTop\x3b)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54680; reference:cve,2012-1520; classtype:attempted-user; sid:23805; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt"; flow:to_client,established; file_data; content:"<iframe"; fast_pattern; nocase; content:"height|3D|"; within:50; nocase; pcre:"/<iframe[^>]*?height\x3d\s*[\x22\x27]?\s*[0-9]{6}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51122; reference:cve,2011-5046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-008; classtype:attempted-dos; sid:20999; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt"; flow:to_client,established; file_data; content:"http://icl.com/saxon"; fast_pattern:only; content:":output"; nocase; pcre:"/\s*[^>]file=/iR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1774; reference:url,attack.mitre.org/techniques/T1220; reference:url,support.apple.com/kb/HT4808; classtype:attempted-user; sid:20593; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari CSS font format corruption attempt"; flow:to_client,established; file_data; content:"src|3A|"; nocase; content:"url("; within:100; nocase; content:"format("; within:300; nocase; pcre:"/\x7B[^\x7D]*?src\x3A\s+url\([^\)]*\)\s+format\([^\x22\x27\)]*\)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38684; reference:cve,2010-0046; reference:url,support.apple.com/kb/HT4070; classtype:attempted-user; sid:19099; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit ContentEditable code exeuction attempt"; flow:to_client,established; file_data; content:"target.innerHTML = |22 3C|option|3E|PASS|3C 2F|option|3E 22 3B|"; content:"getElementById|28 22|result|22 29|.innerHTML = target.value"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40647; reference:cve,2010-1396; classtype:attempted-user; sid:19098; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit ContentEditable code execution attempt"; flow:to_client,established; file_data; content:"object.innerHTML = |22 22 3B|"; content:"object.value|3B|"; within:30; content:"|3C|select id|3D 22|object|22 3E 3C|option|3E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40647; reference:cve,2010-1396; classtype:attempted-user; sid:19097; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit CSS Charset Text transformation code execution attempt"; flow:to_client,established; file_data; content:"text-transform|3A 20|lowercase|3B|"; fast_pattern:only; content:"document|2E|getElementById|28 22|result|22 29 2E|innerHTML|20 3D 20 22|PASS|22 3B|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40653; reference:cve,2010-1770; classtype:attempted-user; sid:19096; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit CSS Charset Text transformation code execution attempt"; flow:to_client,established; file_data; content:"text-transform|3A 20|capitalize|3B|"; fast_pattern:only; content:"document.body.addTextNode"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40653; reference:cve,2010-1770; classtype:attempted-user; sid:19095; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; file_data; content:"element = document.getElementById"; content:"element.onchange = function|28 29 20 7B 20|element.size = 50|3B 20 7D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19010; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; file_data; content:"window.layoutTestController"; content:"eventSender.keyDown|28 22|e|22 29 3B|"; distance:0; content:"eventSender.keyDown|28 22 5C|r|22 2C 20 5B 5D 29 3B|"; distance:0; content:"document.body.offsetTop|3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19009; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt"; flow:to_client,established; file_data; content:"parseFloat("; content:"NAN(ffffe"; within:25; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43047; reference:cve,2010-1807; classtype:attempted-user; sid:19008; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"p|20 7B 20|display|3A 20|run|2D|in|20 7D|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|child|29 3B|"; content:"document.getElementById|28 22|test|22 29|.appendChild|28|document.getElementById|28 22|sibling|22 29 29 3B|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19004; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"elem.setAttribute|28 22|style|22 2C 20 22|display|3A 20|run|2D|in|22 29 3B|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|elem|29 3B|"; content:"document.getElementById|28 22|output|22 29|.appendChild|28|document.getElementById|28 22|block-sibling|22 29 29 3B|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19003; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit removeAllRanges use-after-free attempt"; flow:to_client,established; file_data; content:"window|2E|getSelection|28 29 2E|selectAllChildren"; content:"style|2E|display|20 3D 20 27|none|27|"; distance:0; content:"window|2E|getSelection|28 29 2E|removeAllRanges"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43079; reference:cve,2010-1812; classtype:attempted-user; sid:18995; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt"; flow:to_client,established; file_data; content:"<style>"; nocase; content:"|3A|first-letter"; distance:0; nocase; content:"display|3A 20|block"; distance:0; nocase; pcre:"/(?P<a>\w+)\s*\x7b[^\x7d]*?display\s*\x3a\s*block.*?\x3cinput(?=[^\x3e]+type\s*\x3d\s*[\x22\x27]?(button|submit))[^\x3e]+class\s*\x3d\s*[\x22\x27]?(?P=a)/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40644; reference:cve,2010-1392; classtype:attempted-user; sid:18973; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt"; flow:to_client,established; file_data; content:"elem.getAttributeNode|28 27|rows|27 29 2E|removeChild|28|nodes|5B 30 5D 29 3B|"; content:"setTimeout|28|function|28 29 20 7B 20 67|"; within:40; content:"try|20 7B 20|nodes|5B 30 5D 2E|textContent|20 7D 20|catch|20 28 65 78 29 20 7B 20 7D|"; within:100; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40642; reference:cve,2010-1119; classtype:attempted-user; sid:18958; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt"; flow:to_client,established; file_data; content:"= document.getElementById|28 22|t|22 29|"; content:"= id.getAttributeNode|28 27|id|27 29|"; within:50; content:"document.body.removeChild|28|id|29 3B|"; within:100; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40642; reference:cve,2010-1119; classtype:attempted-user; sid:18957; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit Rendering Counter Code Execution"; flow:to_client,established; file_data; content:"counter-reset|3A|"; nocase; content:"counter-reset|3A|"; distance:0; nocase; content:"counter|28|"; distance:0; nocase; content:"document.body.removeChild|28|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42036; reference:cve,2010-1784; classtype:attempted-user; sid:18903; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit range object remote code execution attempt"; flow:to_client,established; file_data; content:"document.addEventListener(|22|DOM"; nocase; content:".innerHTML|20 3D|"; distance:0; nocase; content:"document.createRange|28 29 3B|"; distance:0; nocase; content:".extractContents|28 29 3B|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46746; reference:cve,2011-0115; classtype:attempted-user; sid:18770; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari window.parent.close unspecified remote code execution vulnerability"; flow:to_client,established; file_data; content:"for|28|var i = 0|3B| i |3C| 2|3B| i|2B 2B 29|"; content:"parent.alert|28 22|"; within:50; content:"self.close|28 29 3B|"; within:50; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39990; reference:cve,2010-1939; reference:url,secunia.com/advisories/39670; classtype:attempted-user; sid:16666; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari image use after reparent attempt"; flow:to_client,established; file_data; content:"imgBar = document.body.getElementsByTagName(|22|img|22|)[0]"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38691; reference:cve,2010-0054; reference:url,"support.apple.com/kb/HT4070"; classtype:attempted-user; sid:16632; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari image use after remove attempt"; flow:to_client,established; file_data; content:"removeChild(document.getElementsByTagName(|22|img|22|)[0])"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38691; reference:cve,2010-0054; reference:url,"support.apple.com/kb/HT4070"; classtype:attempted-user; sid:16631; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari information disclosure and remote code execution attempt"; flow:to_client,established; file_data; content:"parent"; content:".prompt"; distance:0; pcre:"/var\s+(\w+)\s*\x3D\s*parent\s*\x3b.*\1\x2Eprompt.*\1\x2Eclose/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1939; reference:url,secunia.com/advisories/39670; classtype:attempted-user; sid:16596; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari inline text box use after free attempt"; flow:to_client,established; file_data; content:".innerHTML"; nocase; content:"rtl"; nocase; content:"<NOBR"; fast_pattern; nocase; pcre:"/<(body|html)[^>]+dir\s*=\s*(?P<q1>\x22|\x27|)rtl(?P=q1)/smi"; pcre:"/(?P<obj>[A-Z\d_]+)\s*=\s*document\.getElementsByTagName\((?P<q2>\x22|\x27|)NOBR(?P=q2)\).*?(?P=obj)\.innerHTML\s*=\s*(\x22\x22|\x27\x27)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0049; classtype:attempted-user; sid:16492; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:16145; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari URI spoofing attempt"; flow:to_client,established; file_data; content:"setInterval"; nocase; content:"location"; within:200; nocase; pcre:"/(^|\s)setInterval\x28\s*=.*?location\s*=\s*\([^,]+,\s*\d{1,2}[^\d]/si"; metadata:service http; reference:cve,2015-1084; classtype:policy-violation; sid:35045; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari URI spoofing attempt"; flow:to_client,established; file_data; content:"location"; nocase; content:"setInterval"; distance:0; nocase; pcre:"/(^|\s)location\s*=.*?setInterval\s*\([^,]+,\s*\d{1,2}[^\d]/si"; metadata:service http; reference:cve,2015-1084; classtype:policy-violation; sid:35044; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt"; flow:to_client,established; file_data; content:"applescript://com.apple.scripteditor"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-7007; reference:url,attack.mitre.org/techniques/T1155; reference:url,support.apple.com/en-us/HT205375; classtype:attempted-user; sid:36585; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari FTP URL cross-domain restriction bypass attempt"; flow:to_server,established; file_data; content:"iframe"; nocase; content:"ftp|3A|//"; within:200; fast_pattern; nocase; content:"%40"; within:100; content:"%2F"; within:100; nocase; content:"%23@"; within:100; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,73977; reference:cve,2015-1126; classtype:misc-activity; sid:41855; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari FTP URL cross-domain restriction bypass attempt"; flow:to_client,established; file_data; content:"iframe"; nocase; content:"ftp|3A|//"; within:200; fast_pattern; nocase; content:"%40"; within:100; content:"%2F"; within:100; nocase; content:"%23@"; within:100; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,73977; reference:cve,2015-1126; classtype:misc-activity; sid:41854; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit WebCore CSSSelector denial of service attempt"; flow:to_client,established; file_data; content:"*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>"; fast_pattern:only; content:"text/css"; nocase; metadata:service http; reference:cve,2010-1029; classtype:denial-of-service; sid:43298; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt"; flow:to_client,established; file_data; content:".capitalize:first-letter {|0A|text-transform: uppercase"; fast_pattern; content:".block {|0A|display: block|3B 0A|}"; within:500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1392; classtype:attempted-user; sid:45735; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt"; flow:to_server,established; file_data; content:".capitalize:first-letter {|0A|text-transform: uppercase"; fast_pattern; content:".block {|0A|display: block|3B 0A|}"; within:500; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1392; classtype:attempted-user; sid:45734; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt"; flow:to_client,established; file_data; content:".first:first-letter {|0A 20 20 20 20 20 20 20 20|font-size:"; fast_pattern; content:".second {|0A 20 20 20 20 20 20 20 20|display: block|3B 0A 20 20 20 20|}"; within:500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1392; classtype:attempted-user; sid:45733; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt"; flow:to_server,established; file_data; content:".first:first-letter {|0A 20 20 20 20 20 20 20 20|font-size:"; fast_pattern; content:".second {|0A 20 20 20 20 20 20 20 20|display: block|3B 0A 20 20 20 20|}"; within:500; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1392; classtype:attempted-user; sid:45732; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT Apple WebKit memory corruption attempt"; flow:to_server,established; file_data; content:"trigger(|27|this.result = o[0]|27|, |27|o[0] = val|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4233; reference:url,support.apple.com/en-us/HT208848; classtype:attempted-user; sid:47023; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple WebKit memory corruption attempt"; flow:to_client,established; file_data; content:"trigger(|27|this.result = o[0]|27|, |27|o[0] = val|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4233; reference:url,support.apple.com/en-us/HT208848; classtype:attempted-user; sid:47022; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt"; flow:to_server,established; file_data; content:"regexLastIndex.toString = function() {"; fast_pattern:only; content:"reg.lastIndex = regexLastIndex|3B|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,bugs.webkit.org/show_bug.cgi?id=191731; classtype:attempted-user; sid:48547; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"regexLastIndex.toString = function() {"; fast_pattern:only; content:"reg.lastIndex = regexLastIndex|3B|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,bugs.webkit.org/show_bug.cgi?id=191731; classtype:attempted-user; sid:48546; rev:1;)

21
docker/etc/rules/chat.rules Archivo normal

@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------
# CHAT RULES
#------------


@@ -0,0 +1,44 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# CONTENT-REPLACE RULES
#-----------------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE AIM deny out-bound file transfer attempts"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; content:"DEST"; distance:-5; replace:"XXXX"; byte_test:2,=,0,-24,relative; classtype:policy-violation; sid:12038; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE MSN deny out-bound file transfer attempts"; flow:established,to_server; content:"INVITE MSNMSGR"; nocase; replace:"AAAAAAAAAAAAAA"; content:"context"; nocase; replace:"aaaaaaa"; classtype:policy-violation; sid:12032; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts"; flow:established,to_server; content:"/notifyft"; nocase; replace:"/XXXXXXXX"; content:"Host|3A|filetransfer.msg.yahoo.com"; classtype:policy-violation; sid:12040; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"CONTENT-REPLACE Jabber deny out-bound file transfer attempts"; flow:established,to_server; content:"jabber.org/protocol"; nocase; content:"file xmlns="; nocase; content:"|22|set|22|"; replace:"|22|NOT|22|"; classtype:policy-violation; sid:12034; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CONTENT-REPLACE IRC deny out-bound file transfer attempts"; flow:established,to_server; content:"PRIVMSG"; nocase; content:"|3A 01|DCC SEND"; nocase; content:"SEND"; distance:-4; nocase; replace:"XXXX"; classtype:policy-violation; sid:12036; rev:3;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts"; flow:established,to_client; content:"YMSG"; content:"|00 DC|"; within:8; distance:6; replace:"AA"; classtype:policy-violation; sid:12041; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE MSN deny in-bound file transfer attempts"; flow:established,to_client; content:"MSG"; content:"msnmsgrp2p"; nocase; replace:"AAAAAAAAAA"; content:"INVITE MSNMSGR"; nocase; replace:"AAAAAAAAAAAAAA"; content:"context"; nocase; classtype:policy-violation; sid:12031; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE AIM deny in-bound file transfer attempts"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; content:"DEST"; distance:-5; replace:"XXXX"; byte_test:2,=,0,-24,relative; classtype:policy-violation; sid:12037; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts"; flow:established,to_client; content:"YMSG"; depth:4; content:"|00|F"; depth:2; offset:10; replace:"OK"; classtype:policy-violation; sid:12039; rev:3;)
# alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"CONTENT-REPLACE Jabber deny in-bound file transfer attempts"; flow:established,to_client; content:"profile="; nocase; content:"jabber.org/protocol"; nocase; content:"id="; nocase; replace:"NO="; classtype:policy-violation; sid:12033; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts"; flow:established,to_server; content:"YMSG"; content:"|00 DC|"; within:8; distance:6; replace:"AA"; classtype:policy-violation; sid:12042; rev:3;)
# alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CONTENT-REPLACE IRC deny in-bound file transfer attempts"; flow:established,to_server; content:"PRIVMSG"; nocase; content:"|3A 01|DCC SEND"; nocase; content:"SEND"; distance:-4; nocase; replace:"XXXX"; classtype:policy-violation; sid:12035; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [443,5190] (msg:"CONTENT-REPLACE AIM or ICQ deny unencrypted login connection"; flow:established,to_server; dsize:<500; content:"*|01|"; depth:2; replace:"|FF FF|"; reference:url,www.protocolbase.net/protocols/protocol_ICQ.php; classtype:policy-violation; sid:15415; rev:6;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CONTENT-REPLACE AIM deny server certificate for encrypted login"; flow:established,to_client; ssl_version:tls1.0; content:"0|16 06 03|U|04 03 13 0F|kdc.uas.aol.com"; nocase; replace:"0|16 06 03|U|04 03 13 00|xxx.xxx.xxx.com"; classtype:policy-violation; sid:15417; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CONTENT-REPLACE MSN deny login"; flow:established,to_server; content:"USR "; depth:4; replace:"FFF "; classtype:policy-violation; sid:15420; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONTENT-REPLACE ICQ deny http proxy login"; flow:established,to_server; content:"Host|3A| http.proxy.icq.com"; nocase; content:"GET /hello"; depth:10; nocase; replace:"GET /gdbye"; metadata:service http; classtype:policy-violation; sid:15416; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CONTENT-REPLACE Yahoo Messenger deny outbound login attempt"; flow:established,to_server; content:"YMSG"; depth:4; content:"|00|W"; depth:2; offset:10; replace:"|FF FF|"; classtype:policy-violation; sid:15429; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"CONTENT-REPLACE QQ 2008 deny udp login"; content:"|02 12|Q|00|"; depth:4; replace:"|FF FF FF FF|"; classtype:policy-violation; sid:15440; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"CONTENT-REPLACE QQ 2009 deny udp login"; content:"|02 16|!|00|"; depth:4; replace:"|FF FF FF FF|"; classtype:policy-violation; sid:15438; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONTENT-REPLACE QQ 2009 deny tcp login"; flow:established,to_server; content:"|00|N|02 12|Q|00|"; depth:6; replace:"|FF FF FF FF FF FF|"; classtype:policy-violation; sid:15441; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONTENT-REPLACE QQ 2009 deny tcp login"; flow:established,to_server; content:"|00|N|02 16|!|00|"; depth:6; replace:"|FF FF FF FF FF FF|"; classtype:policy-violation; sid:15439; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [443,5222] (msg:"CONTENT-REPLACE Google Talk deny login"; flow:established,to_server; content:"<stream|3A|stream"; depth:14; nocase; replace:"<AAAAAA|3A|AAAAAA"; classtype:policy-violation; sid:15570; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,6503,6504] (msg:"CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt"; flow:established,to_server; content:"|05 00 0B|"; content:"NTLMSSP|00 01 00 00 00|"; distance:0; content:"|0A 06 00 00|"; within:4; distance:-20; replace:"|0A 02 00 00|"; metadata:policy max-detect-ips drop; classtype:protocol-command-decode; sid:18469; rev:7;)

21
docker/etc/rules/ddos.rules Archivo normal

@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------
# DDOS RULES
#------------

12105
docker/etc/rules/deleted.rules Archivo normal


21
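--- a/docker/etc/rules/dns.rules
+++ b/docker/etc/rules/dns.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#-----------
+# DNS RULES
+#-----------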
21
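--- a/docker/etc/rules/dos.rules
+++ b/docker/etc/rules/dos.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#-----------
+# DOS RULES
+#-----------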

@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# EXPERIMENTAL RULES
#--------------------


@@ -0,0 +1,762 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------
# EXPLOIT-KIT RULES
#-------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; urilen:>60,norm; content:"GET"; content:".. HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e\x2e$/mU"; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31971; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flim exploit kit outbound jnlp request"; flow:to_server,established; urilen:18; content:".jnlp"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9]{12}\.jnlp$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:26964; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flim exploit kit outbound jar request"; flow:to_server,established; urilen:14; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-f0-9]{9}\.jar$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:26963; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit portable executable download"; flow:to_client,established; file_data; content:"|4F CF 6A BC A1 03 01 00 69|"; depth:9; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26962; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"<html><body><script>"; content:"var"; within:3; distance:1; content:"document.createElement"; content:"iframe"; within:6; distance:2; content:".setAttribute("; distance:0; content:"document.body.appendChild("; distance:0; fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26961; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Zuponcic exploit kit landing page"; flow:to_client,established; file_data; content:"<iframe style="; content:"z-index|3A| -1"; within:11; distance:1; content:"scrolling="; content:"no"; within:2; distance:1; content:"src="; within:4; distance:2; content:"http|3A 2F 2F|"; within:7; distance:1; content:"mt"; within:50; distance:10; content:" id="; within:4; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26960; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 4"; flow:to_server,established; content:".php?exp=rhino&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26959; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 3"; flow:to_server,established; content:".php?exp=atom&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 2"; flow:to_server,established; content:".php?exp=lib&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26957; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 1"; flow:to_server,established; content:".php?exp=byte&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26956; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Malvertising Campaign URI request"; flow:to_server,established; content:"/.cache/?f="; fast_pattern; http_uri; content:".jar"; http_uri; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0"; within:1; distance:1; content:" height="; within:8; distance:1; content:"0"; within:1; distance:1; content:" code="; within:6; distance:1; content:"site.avi"; within:8; distance:1; nocase; content:" archive="; within:9; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26949; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=site.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=atom.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit malware download"; flow:to_server,established; content:"/load.php?e="; http_uri; content:"&ip="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26897; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Plugin detection response"; flow:to_server,established; content:"/gate.php?ver="; http_uri; content:"&p="; distance:0; http_uri; content:"&j="; distance:0; http_uri; content:"&f="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26896; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Java V7 exploit download"; flow:to_server,established; content:"/j07.php?i="; fast_pattern:only; http_uri; content:" Java/1.7"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26895; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Java V6 exploit download"; flow:to_server,established; content:"/j161.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26894; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit landing page"; flow:to_client,established; file_data; content:"<script src="; content:"js/js.js"; distance:1; content:"AdobeReader"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26893; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".jar"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".exe"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26838; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; urilen:<75; content:"/in.php"; http_uri; content:"&q="; distance:0; http_uri; content:"=="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26814; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"|7C|secure|7C|length|7C|setStr|7C|getCookie|7C|setCookie|7C|indexOf|7C|v|7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26807; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit short JNLP request"; flow:to_server,established; content:".jnlp"; fast_pattern:only; http_uri; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26806; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit encrypted binary download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|FB 67 1F 49|"; depth:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26805; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page - specific structure"; flow:established,to_client; file_data; content:"<applet><param name=|22|jnlp_href|22| value=|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/; classtype:trojan-activity; sid:26653; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer injection - specific structure"; flow:to_client,established; file_data; content:"|7B|catch(d21vd12v)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26617; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"var sentleft=|7B|versoin|3A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26600; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"/*reedjoll*/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26599; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT unknown exploit kit script injection attempt"; flow:to_client,established; file_data; content:"|22|+escape|28|"; depth:100; content:".charCodeAt|28|"; distance:0; content:"</script>id="; within:64; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/d-c-media-sites-hacked-serving-fake-av/; classtype:trojan-activity; sid:26591; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit successful redirection - jnlp bypass"; flow:to_server,established; content:"php?jnlp="; fast_pattern:only; http_uri; pcre:"/php\?jnlp\=[a-f0-9]{10}($|\x2c)/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26541; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer injection - specific structure"; flow:to_client,established; file_data; content:"try{document.body-=12|3B|}catch(dv32r3)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26540; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit pdf download detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<< /CreationDate (D|3A|20130404171020)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26539; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit landing page received"; flow:to_client,established; file_data; content:"<html><body></body><input id=|27|"; content:"|27| value=|27 25|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26538; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit jar download detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main.class"; content:"NOnoa.class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26537; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; within:30; distance:5; content:" code="; within:30; content:".class"; within:30; distance:5; content:" width="; within:30; content:" height="; within:25; content:"<param"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26536; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value="; distance:0; content:"PD"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26535; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit portable executable download"; flow:to_server,established; content:"/elections.php?"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt"; flow:to_server,established; content:"/info/last/index.php"; fast_pattern:only; http_uri; pcre:"/^Host:\s*?[a-f0-9]{63,64}\./Him"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26527; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"|2F 2A 14 20|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit redirection structure"; flow:to_client,established; file_data; content:"<iframe id="; content:"frmstyle"; within:8; distance:1; content:" src="; within:5; distance:1; content:"http|3A 2F 2F|"; within:7; distance:1; content:" height="; within:250; content:"frameborder=0></iframe>"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26511; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bottom.class"; content:"Bottom10.class"; distance:0; content:"Bottom11.class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26509; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll"; flow:to_client,established; content:"filename="; http_header; content:"info.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26508; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit jar file downloaded"; flow:to_client,established; file_data; content:"Suburb.class"; content:"Suburb013.class"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26434; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?j="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?j\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26384; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?i="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?i\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26383; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit java exploit request"; flow:to_server,established; urilen:8; content:".jar"; http_uri; content:" Java/1"; http_header; content:"content-type|3A| application/x-java-archive"; fast_pattern:20,20; pcre:"/\/([0-9][0-9a-z]{2}|[0-9a-z][0-9][0-9a-z]|[0-9a-z]{2}[0-9])\.jar$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26377; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Egypack exploit kit landing page"; flow:to_client,established; file_data; content:"=new Array|3B|EGYPACK_CRYPT"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26368; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Egypack exploit kit outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Egypack/1."; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26367; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Egypack exploit kit landing page"; flow:to_client,established; file_data; content:"<script language=|22|JavaScript|22|>var EGYPACK_CRYPT"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26366; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; distance:0; content:" code="; within:6; distance:1; content:"Java.class"; within:10; distance:1; content:">"; within:1; distance:1; content:"<param name="; distance:0; content:"name"; within:4; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26351; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT TDS redirection - may lead to exploit kit"; flow:to_server,established; content:"/count"; http_uri; content:".php"; within:4; distance:2; http_uri; pcre:"/\/count\d{2}\.php$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26350; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit obfuscated portable executable"; flow:to_client,established; content:"filename=setup.exe"; fast_pattern:only; http_header; file_data; content:"|8B 7F AA 11 CE 52 0A 3D 76|"; depth:9; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26349; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit java exploit delivery"; flow:to_client,established; file_data; content:"Application.class"; content:"Fazan.class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26348; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload requested"; flow:to_server,established; urilen:8; content:".html"; http_uri; content:" Java/1"; fast_pattern; http_header; pcre:"/\/\d{2}\.html$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26346; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?h="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?h\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26345; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; distance:0; content:" code="; within:6; distance:1; content:"Application.class"; within:17; distance:1; content:">"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26344; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"id="; content:"swf_id"; within:6; distance:1; content:"<param name="; distance:0; content:"Play"; within:4; distance:1; content:" value="; within:7; distance:1; content:"0"; within:1; distance:1; content:"><embed src="; distance:1; content:"http|3A 2F 2F|"; within:8; distance:1; content:".swf"; pcre:"/[a-z0-9]{32}\.(?:jar|swf)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26343; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<div class="; content:"retwretrewt"; within:11; distance:1; content:">|3A|)"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26342; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"<applet name="; content:" code="; within:100; content:" archive="; within:100; content:"http|3A 2F 2F|"; within:50; content:".jar"; distance:0; content:" codebase="; distance:0; pcre:"/[a-z0-9]{32}\.jar/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26341; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval - ff.php"; flow:to_server,established; urilen:>16; content:"/ff.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/ff\.php/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26339; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr injection detection - leads to exploit kit"; flow:to_client,established; file_data; content:"}catch(gdsg"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26338; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"prototype|3B|}catch("; content:".substr"; within:50; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26337; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit redirection page"; flow:to_client,established; file_data; content:"<frame marginwidth=0 marginheight=0 frameborder=0 name=|22|TOPFRAME|22|"; fast_pattern:only; content:"index.php?id="; content:"noresize>"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:26323; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit redirection page"; flow:to_client,established; file_data; content:"var"; content:"=|22|pdf|22|"; within:25; content:"location.href="; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26297; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|"; within:50; content:"|22| name=|22|"; within:50; content:"<param name=|22|"; within:20; distance:5; content:"|22| value=|22|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26296; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"EXPLOIT-KIT Sakura exploit kit exploit request"; flow:to_server,established; content:"/news/thing.php"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26293; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<object classid=|22|clsid|3A|8AD9C840-044E-11D1-B3E9-00805F499D93|22| codebase=|22|"; fast_pattern:only; content:"<param NAME=|22|ARCHIVE|22| VALUE=|22|"; metadata:service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26253; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code=|22|"; content:".class|22| archive=|22|"; distance:0; content:".jar|22| width=|22|1|22| height=|22|1|22|><param name=|22|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2010-0188; reference:cve,2012-1723; reference:cve,2012-5076; reference:cve,2013-0422; classtype:trojan-activity; sid:26252; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|"; within:25; content:".class|22|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26233; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<script>p=parseInt|3B|ss=String|3B|asgq="; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26232; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>16; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/q\.php/U"; content:!"siteadvisor.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26227; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"navigator.javaEnabled()"; content:"document.write(|27|"; within:100; content:"<script src=|22|"; distance:0; pcre:"/\.js\/\?[a-z]+\=[a-z]{1,4}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26226; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"<applet archive=|27|http|3A 2F 2F|"; content:"|27| code=|27|JHelper|27| width=|27|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26100; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"if (navigator.appName == |27|Microsoft Internet Explorer|27|) {"; content:"document.write(|27|<applet archive=|22|http|3A|//"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26099; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"try{}catch("; content:"}try{"; within:50; content:"}catch("; within:50; content:"|3B|n=|5B|"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26096; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"|3D 5B|0x9,0x9,0x2f,0x2a,0x2a,0xa,0x9,0x9,0x20,0x2a,0x20,"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26095; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:".class|22| width=|22|10|22| height=|22|9|22|>|0D 0A|<param value=|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26094; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22 20|code=|22|"; within:25; content:"|22 20|name=|22|"; within:25; content:"|22|>|0D 0A|<param name=|22|"; within:25; content:"|22 20|value=|22|http|3A 2F 2F|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:26090; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - setup"; flow:to_server,established; content:".php?setup=d&s="; fast_pattern:only; http_uri; pcre:"/\.php\?setup=d\&s=\d+\&r=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26045; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - redirection attempt"; flow:to_server,established; content:".php?action=jv&h="; fast_pattern:only; http_uri; pcre:"/\.php\?action=jv\&h=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26044; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/Instal.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26043; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - stats loaded"; flow:to_server,established; content:".php?action=stats_loaded"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26042; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/x4.gif"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26041; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/Plugin.cpl"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1196; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26040; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; content:"/jmx.jar?r="; fast_pattern:only; http_uri; pcre:"/^\/jmx.jar?r=\d+/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26039; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; content:"/jhan.jar?r="; fast_pattern:only; http_uri; pcre:"/^\/jhan.jar?r=\d+/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26038; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java Exploit"; flow:to_server,established; content:"/amor"; fast_pattern; http_uri; content:".jar"; within:6; http_uri; content:" Java/"; http_header; pcre:"/^\/amor\d{0,2}\.jar/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26036; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - java on"; flow:to_server,established; content:".php?action=stats_javaon"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26035; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - stats access"; flow:to_server,established; content:".php?action=stats_access"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26034; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit iframe redirection attempt"; flow:to_client,established; file_data; content:"try{"; content:"++}catch("; within:15; content:"{try{"; within:20; content:"}catch("; within:20; content:"=|22|"; within:50; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26033; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<head><title></title></head><body><object WIDTH=|22|"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26031; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit redirection page received"; flow:to_client,established; file_data; content:"+=|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22 3B|}catch(e){var"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:26013; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"/332.jar|22| code=|22|"; content:"/887.jar|22| code=|22|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25989; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><td><h1>Loading... Please Wait.</h1></td><script>document.write("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25988; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit three number PDF Request"; flow:to_server,established; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25972; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25948; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit malicious payload retrieval"; flow:to_server,established; content:"/i8.php?jquery="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25824; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V5 exploit download"; flow:to_server,established; content:"/j15.php?i="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25823; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit malicious PDF retrieval"; flow:to_server,established; content:"/p5.php?t="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25822; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit possible plugin detection attempt"; flow:to_server,established; content:"/js/rdps.js"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25821; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure"; flow:to_client,established; file_data; content:"<title>Please Wait...</title></head><body><script>function"; fast_pattern:only; content:"<html><head>"; depth:12; metadata:service http; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:25808; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Whitehole exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code"; content:".jar?java="; distance:0; content:"width="; within:15; content:"<param name="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25806; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval"; flow:to_server,established; content:"/Java"; http_uri; content:".jar?java="; http_uri; pcre:"/\/Java([0-9]{1,2})?\.jar\?java=[0-9]{2}/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25805; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Whitehole exploit kit malicious jar download attempt"; flow:to_server,established; content:"?java="; fast_pattern:only; http_uri; pcre:"/\?java\=[0-9]{2,6}$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25804; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit encoded portable executable request"; flow:to_server,established; urilen:>40; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[0-9]{7,10}$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25802; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit jar file request"; flow:to_server,established; urilen:>40; content:".jar"; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25801; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit Javascript request"; flow:to_server,established; urilen:>40; content:"/Qm"; http_uri; content:".js"; distance:0; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/Qm[a-zA-Z0-9]+\/[a-z]+\.js$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25800; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit pdf request"; flow:to_server,established; urilen:>40; content:".pdf"; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy max-detect-ips alert, service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25799; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit 32-alpha jar request"; flow:to_server,established; flowbits:isset,java_user_agent; urilen:>36; content:"GET"; http_method; content:".jar"; nocase; http_uri; content:" Java/1"; http_header; pcre:"/\/[a-zA-Z0-9]{32}\.jar/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25798; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/news.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25611; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<script>try"; content:"}catch("; within:50; content:"}try{if("; within:50; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25591; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25590; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<PARAM VALUE=|22|"; content:"|22| NAME=|22|CODE|22|><PARAM NAME=|22|ARCHIVE|22| VALUE=|22|"; within:50; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25569; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>32; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/q\.php/U"; content:!"siteadvisor.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT JDB exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width=|27|0px|27| height=|27|0px|27| code=|22|"; content:"|22| archive=|22|data"; within:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25561; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT JDB exploit kit landing page"; flow:to_client,established; file_data; content:"setTimeout(|22|alert(|27|Adobe Flash must be updated to view this, please install the latest version!|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25560; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT JDB exploit kit landing page retrieval"; flow:to_server,established; urilen:>33; content:"/jdb/inf.php?id="; fast_pattern:only; http_uri; pcre:"/\/jdb\/inf\.php\?id=[a-f0-9]{32}$/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25559; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit redirection"; flow:to_client,established; file_data; content:"{ var"; content:"= document.createElement(|27|iframe|27|)|3B|"; content:".src = |27|http|3A 2F 2F|"; content:"|27 3B| "; distance:0; content:".style.position = |27|absolute|27 3B|"; distance:0; content:".style.border = |27|0|27 3B| "; distance:0; content:".style.height = |27|1px|27 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:25558; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Red Dot executable retrieval attempt"; flow:to_server,established; content:"/load.php?guid="; nocase; http_uri; content:"&thread="; distance:0; nocase; http_uri; content:"&exploit="; distance:0; nocase; http_uri; content:"&version="; within:9; distance:1; nocase; http_uri; content:"&rnd="; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25540; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Red Dot java retrieval attempt"; flow:to_server,established; urilen:6; content:"/"; http_uri; content:".jar"; within:4; distance:1; http_uri; pcre:"/\/\[fx]\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25539; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Red Dot landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|"; within:12; distance:1; content:"width=|22|100|22| height=|22|100|22|>"; within:50; content:"<param name|22|guid"; content:"|22| value=|22|"; within:10; content:"<param name=|22|thread"; content:"|22| value=|22|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25538; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit obfuscated payload download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|22 2A|"; depth:2; content:"s"; within:1; distance:2; content:"|27|"; within:1; distance:3; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html; classtype:trojan-activity; sid:25391; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h1>Open your server</h1>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25390; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|"; within:15; distance:5; content:".class|22| width=|22|"; within:30; distance:5; content:"|22| height=|22|"; within:25; content:"<param"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25389; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/public_version.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25388; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - readme.exe"; flow:to_client,established; content:"filename="; http_header; content:"readme.exe"; within:12; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25387; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - about.exe"; flow:to_client,established; content:"filename="; http_header; content:"about.exe"; within:10; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25386; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - calc.exe"; flow:to_client,established; content:"filename="; http_header; content:"calc.exe"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25385; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - contacts.exe"; flow:to_client,established; content:"filename="; http_header; content:"contacts.exe"; within:13; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25384; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.exe"; flow:to_client,established; content:"filename="; http_header; content:"info.exe"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25383; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit malicious jar archive download"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"hw.classPK"; fast_pattern:only; content:"test.classPK"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25302; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirect to malicious java archive attempt"; flow:to_client,established; file_data; content:"|3C|applet archive|3D 22 2F|read|2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25301; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe name="; content:"=auto frameborder=no align=center height=2 width=2 src=http|3A|//"; within:75; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25255; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit portable executable download request"; flow:to_server,established; content:" Java/"; http_header; content:"&h=11"; fast_pattern:only; http_uri; pcre:"/\&h=11$/U"; flowbits:set,file.pe.styx; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25140; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit eot outbound connection"; flow:to_server,established; urilen:75<>98; content:".eot"; fast_pattern:only; http_uri; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.eot$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25139; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit pdf outbound connection"; flow:to_server,established; urilen:75<>98; content:".pdf"; fast_pattern:only; http_uri; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.pdf$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25138; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit jar outbound connection"; flow:to_server,established; urilen:>150; content:".jar"; fast_pattern:only; http_uri; content:!"Cookie"; nocase; http_header; pcre:"/\/[a-zA-Z0-9]{4,10}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25137; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection"; flow:to_server,established; urilen:>100; content:"/pdfx.html"; fast_pattern:only; http_uri; pcre:"/\/pdfx\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25136; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit outbound class retrieval"; flow:to_server,established; content:"Runs.class"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25053; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit requested - 3 digit"; flow:to_server,established; urilen:8; content:".jar"; http_uri; pcre:"/\x2f\d{3}\.jar/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25052; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:".jar|22| code=|22|Runs.class|22|><param "; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25051; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit PDF Library exploit download"; flow:to_server,established; content:"/lpdf.php?i="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25048; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V7 exploit download"; flow:to_server,established; content:"/j17.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25047; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V6 exploit download"; flow:to_server,established; content:"/j16.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25046; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Collocation"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:25044; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit url structure detected"; flow:to_server,established; content:".php?"; http_uri; content:"|3A|"; within:7; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"&"; distance:0; pcre:"/\.php\?[a-z]{2,8}=[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\&[a-z]{2,8}=/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25043; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit"; flow:to_client,established; flowbits:isset,java_user_agent; content:!"FTB_Launcher.exe"; nocase; http_header; content:"filename="; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, service http; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cve-2012-5076-massively-adopted.html; classtype:trojan-activity; sid:25042; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Java User-Agent flowbit set"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:"Java/1."; fast_pattern; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; flowbits:set,java_user_agent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25041; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound connection"; flow:to_server,established; content:"/build/agrde/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24979; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound payload request"; flow:to_server,established; content:".php?j=1&k="; fast_pattern:only; http_uri; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24978; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound connection attempt"; flow:to_server,established; content:"/build2/serge/opafv.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,urlquery.net/search.php?q=build2%2Fserge&type=string&start=2012-11-22&end=2012-12-07&max=50; reference:url,www.malwaredomainlist.com/mdl.php?search=build2%2Fserge&colsearch=Domain&quantity=50&inactive=on; classtype:trojan-activity; sid:24977; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"{if(typeof"; content:"(0,1))|3B|}}return this|3B|}"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:24888; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24865; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24864; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24863; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24862; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>"; within:11; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24861; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>"; within:11; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24860; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit outbound JAR download attempt"; flow:to_server,established; content:"?s="; http_uri; content:"&m="; within:3; distance:1; http_uri; pcre:"/^\x2f[A-Za-z0-9]{33}\?s=\d\&m=\d$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:24841; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - JAR redirection"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|"; within:12; distance:6; content:"|22| width|3D 22|"; within:12; distance:9; content:"|22| height|3D 22|"; within:12; content:"|0D 0A|<param"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24840; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Blob"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24839; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/org.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24797; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/net.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24796; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/edu.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24795; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/com.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24794; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit Java Class download"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"GondadGondadExp.class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; reference:url,urlquery.net/report.php?id=222114; classtype:trojan-activity; sid:24793; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit Portable Executable download"; flow:to_client,established; content:" filename="; http_header; content:".exe|0D 0A|"; distance:0; http_header; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24791; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Portable Executable request"; flow:to_server,established; content:"load.php?e=u"; http_uri; content:"&token="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24790; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit PDF Exploit download attempt"; flow:to_client,established; content:"application/pdf"; http_header; content:"Content-Disposition|3A| inline|3B| filename=p50"; http_header; content:".pdf|0D 0A|"; distance:0; http_header; pcre:"/filename=p50[a-z0-9]{9}[0-9]{12}\.pdf/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24789; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit PDF Exploit request structure"; flow:to_server,established; content:"p3.php?t=u"; http_uri; content:"&oh="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24788; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit download"; flow:to_client,established; content:" filename="; http_header; content:".jar|0D 0A|"; distance:0; http_header; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24787; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit request structure"; flow:to_server,established; content:"j.php?t=u"; http_uri; content:"content-type"; http_header; content:"x-java-archive|0D 0A|"; distance:0; http_header; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24786; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit possible redirection attempt"; flow:to_server,established; content:"/i.php?token="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24785; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24670; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24669; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24668; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24667; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/column.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24638; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page - specific structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24637; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page - specific structure"; flow:to_server,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24636; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page download attempt"; flow:to_server,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24608; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page received - specific structure"; flow:to_client,established; file_data; content:"<html><head><title></title></head><body><div "; depth:60; pcre:"/body\x3e\x3cdiv\s[a-z]{3}\x3d\x22[a-z]{3}\x22/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24593; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"try{"; within:20; nocase; content:"}catch("; within:20; nocase; content:"try{"; within:20; content:"}catch("; within:20; content:"=window["; within:100; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24548; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"try{"; within:20; nocase; content:"}catch("; within:20; nocase; content:"try{"; within:20; content:"}catch("; within:20; content:"=new Array("; within:100; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24547; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24546; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole admin page outbound access attempt"; flow:to_server,established; content:"/bhadmin.php"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24544; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole admin page inbound access attempt"; flow:to_server,established; content:"/bhadmin.php"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24543; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit fallback executable download"; flow:to_server,established; content:"/adobe/update_flash_player.exe"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:24501; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown exploit kit redirection page"; flow:to_client,established; file_data; content:"<script"; nocase; content:"|3D 22|constructor|22 3B|var|20|"; distance:0; fast_pattern; nocase; content:"|27 3B|var appVersion_var|3D 22|"; distance:0; nocase; content:"].apply(document_body_var,["; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,jsunpack.jeek.org/?report=bf7e015d53808a6e94365139395d4d29e5d41840; classtype:trojan-activity; sid:24344; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?setup="; nocase; http_uri; content:"&s="; distance:0; nocase; http_uri; content:"&r="; distance:0; nocase; http_uri; pcre:"/setup=[a-z]\&s=\d\&r=\d{5}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24234; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?setup="; nocase; http_uri; pcre:"/setup=[a-z]$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24233; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?action="; nocase; http_uri; content:"&h="; distance:0; nocase; http_uri; pcre:"/\&h=\d{5}$/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24232; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"if(navigator.javaEnabled()) {"; content:"document.write("; within:30; content:"php?"; within:75; pcre:"/(action|setup)=[a-z]{1,4}/Ri"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24231; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page Received"; flow:to_client,established; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{10,64}&[a-z]{2,12}=.*?&[a-z]{2,12}=/"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24228; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page received"; flow:to_client,established; file_data; content:"value="; content:"N0b09090"; within:10; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24226; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure"; flow:to_client,established; file_data; content:"<script>try{"; content:"++"; within:20; nocase; content:"}catch("; within:10; nocase; content:"}catch("; within:50; pcre:"/\x3cscript\x3etry\x7b\w+\x2b\x2b([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24054; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure"; flow:to_client,established; file_data; content:"<html><body><applet/code=|22|"; content:"/archive=|22|"; within:20; content:".jar"; within:20; content:"<param/nam="; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24053; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - fewbgazr catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"fewbgazr"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/fewbgazr([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23962; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - hwehes"; flow:to_client,established; file_data; content:"hwehes"; fast_pattern:only; pcre:"/hwehes[a-z0-9]{15,22}hwehes/smi"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,jsunpack.jeek.org/dec/go?report=b50c0b809c0decade20f7f8a18116d1bdc9cd179; classtype:trojan-activity; sid:23850; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"?page="; fast_pattern:only; http_uri; pcre:"/\?page\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23849; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"profile.php?woman="; http_uri; pcre:"/profile\.php\?woman\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23848; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole redirection page"; flow:to_client,established; file_data; content:"width|3D 27|10|27| height|3D 27|10|27| style|3D 27|visibility|3A|hidden|3B|position|3A|absolute|3B|left|3A|0|3B|top|3A|0|3B 27 3E 3C 2F|iframe|3E 22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,www.urlquery.net/report.php?id=113788; classtype:trojan-activity; sid:23797; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - Math.round catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.round"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/Math\x2eround([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23786; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - Math.floor catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.floor"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/Math\x2efloor([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23785; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><script>z=function(){"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:23781; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page request - tkr"; flow:to_server,established; content:".php?"; http_uri; content:"src="; distance:0; http_uri; content:"&gpr="; distance:0; http_uri; content:"&tkr="; distance:0; fast_pattern; http_uri; pcre:"/src=\d+&gpr=\d+&tkr[ib]?=/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,urlquery.net/report.php?id=90530; classtype:trojan-activity; sid:23622; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch broken"; flow:to_client,established; file_data; content:"totype"; content:"}catch("; distance:0; pcre:"/totype(\x22|\x27)([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,labs.sucuri.net/?malware; classtype:attempted-user; sid:23619; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and flowbit"; flow:to_client,established; flowbits:isset,kit.redkit; file_data; content:"<applet"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23225; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page Requested - 8Digit.html"; flow:to_server,established; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,kit.redkit; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23224; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and code"; flow:to_client,established; file_data; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; metadata:policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23223; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and 5 digit jar attempt"; flow:to_client,established; file_data; content:"<applet"; fast_pattern:only; pcre:"/<applet[^>]+(archive|src)\s*?=\s*?(\x22|\x27|)\s*?(\d{5}\.jar|[^>]+\/\d{5}\.jar)/smi"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23222; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit Jar File Naming Algorithm"; flow:to_client,established; content:"Content-Disposition: inline"; nocase; http_header; content:".jar"; fast_pattern; http_header; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; within:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23221; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit Requested - 5 digit jar"; flow:to_server,established; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23220; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit request to .class file"; flow:to_server,established; content:".class"; http_uri; pcre:"/^\/\w{1,2}\/\w{1,3}\.class$/U"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23219; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit Repeated Exploit Request Pattern"; flow:to_server,established,only_stream; content:"images.php?t="; fast_pattern:only; http_uri; pcre:"/^images.php\?t=\d{2,7}$/U"; detection_filter:track by_src, count 5, seconds 15; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,snort.org/rule_docs/1-23218; classtype:trojan-activity; sid:23218; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<h"; nocase; content:"><b>Please wait a moment. You will be forwarded.."; within:54; distance:1; nocase; content:"</h"; within:10; content:"></b>|0D 0A|"; within:7; distance:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23159; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype-"; content:"}catch("; distance:0; pcre:"/prototype\x2d([^\x7d]{1,5})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23158; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear Pack exploit kit binary download"; flow:to_server,established; urilen:47; content:"/g/"; depth:3; http_uri; pcre:"/g\/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,snort.org/rule_docs/1-23157; classtype:trojan-activity; sid:23157; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Nuclear Pack exploit kit landing page"; flow:to_server,established; urilen:43; content:"/index.php?"; fast_pattern:only; http_uri; pcre:"/index.php\?[0-9a-f]{32}$/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,snort.org/rule_docs/1-23156; classtype:bad-unknown; sid:23156; rev:11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious StrReverse - Scripting.FileSystemObject"; flow:to_client,established; file_data; content:"StrReverse|28 22|tcejbOmetsySeliF.gnitpircS"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23149; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious StrReverse - Shell"; flow:to_client,established; file_data; content:"StrReverse|28 22|llehS"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23148; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious taskkill script - StrReverse"; flow:to_client,established; file_data; content:"|22|taskkill"; content:"StrReverse"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23147; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fake transaction redirect page to exploit kit"; flow:to_client,established; file_data; content:"<h2>Wait your order</h2>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,stopmalvertising.com/spam-scams/paypal-payment-notification-leads-to-blackhole-exploit-kit.html; classtype:attempted-user; sid:23141; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SET java applet load attempt"; flow:to_client,established; file_data; content:"<applet width=|22|1|22| height=|22|1|22|"; fast_pattern; content:"<param name=|22|WINDOWS|22| value="; distance:0; nocase; content:"<param name=|22|OSX|22| value="; distance:0; nocase; content:"<param name=|22|LINUX|22| value="; distance:0; nocase; content:"<param name=|22|64|22| value="; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:23106; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"src.php?case="; http_uri; pcre:"/src.php\?case\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22949; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole landing redirection page"; flow:to_client,established; file_data; content:"document.location|3D 27|http|3A 2F 2F|"; content:"showthread.php?t="; distance:0; pcre:"/showthread\.php\?t\=[a-f0-9]{16}\x27\x3b/smi"; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22041; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"ype|22|].q}catch("; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,research.zscaler.com/2012/04/multiple-hijacking.html; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22040; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22039; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit landing page with specific structure - Loading"; flow:to_client,established; file_data; content:"|0D 0A 0D 0A|<h1><b>Loading...Please Wait...</b>|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21876; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill"; flow:to_client,established; file_data; content:"exec "; content:"taskkill /F /IM"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21875; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse"; flow:to_client,established; file_data; content:"Createobject(StrReverse("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21874; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=JavaSignedApplet"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21686; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-3552"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21685; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-0842"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21684; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-0842Helper"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21683; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-90-2010-0188"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21682; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-80-2010-0188"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21681; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-2010-2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21680; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call attempt"; flow:to_server,established; content:".php?e=Adobe-2010-1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21679; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-2008-2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21678; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Java exploit kit iframe drive by attempt"; flow:to_client,established; file_data; content:"function(p,a,c,k,e,d){e=function(c)"; nocase; content:"morale.class"; distance:0; nocase; metadata:service http; reference:cve,2011-3544; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+ThreatBlog%29; classtype:attempted-user; sid:21668; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - catch"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"}catch(qq"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:21661; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page Requested - /Index/index.php"; flow:to_server,established; content:"/Index/index.php"; http_uri; flowbits:set,kit.blackhole; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21660; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,kit.blackhole; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21659; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<span style=|22|display:none|3B 22|>safsaf(|27|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21658; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><applet/"; content:"archive="; distance:0; content:"code="; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21657; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\(\w{3}\)/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Phoenix exploit kit landing page"; flow:to_client,established; file_data; content:"String.fromCharCode"; nocase; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; fast_pattern:only; content:".jar|27|"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; classtype:attempted-user; sid:21640; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - BBB"; flow:to_client,established; file_data; content:"<h2>BBB loading to show your URGENT complain status.</h2>"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21581; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific header"; flow:to_client,established; file_data; content:"<h3>Page is loading, please wait..</h3>"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21549; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific header"; flow:to_client,established; file_data; content:"<h1>Loading ... Please Wait.... </h1>"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21539; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit logo transfer"; flow:to_client, established; flowbits:isset,file.jpeg; file_data; content:"|FB 27 68 DE 2D D6 BF E0 AC BF B5 82 78 7B 5C F0|"; content:"|AE 6E 3C CD EE AE BF 33 F5 0F 58 D5 2D 74 3D 2A|"; distance:0; content:"|04 67 82 31 5F 1F 7F C1 62 A7 D4 EC FC 71 FB 31|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:string-detect; sid:21510; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit rhino jar request"; flow:to_client,established; file_data; content:"archive='rhin.jar'"; content:"archive='Goo.jar'"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:attempted-user; sid:21509; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; content:"try"; content:"prototype"; within:30; content:"}catch("; within:30; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21492; rev:22;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code="; nocase; content:"|20|archive="; distance:0; nocase; content:"display|3A|none|3B|"; distance:0; nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - search.php?page="; flow:to_server, established; content:"/search.php?page="; http_uri; pcre:"/search\.php\?page=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21348; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - .php?page="; flow:to_server, established; content:".php?"; http_uri; pcre:"/\.php\?[^=]+?=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21347; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit malicious jar download"; flow:to_client, established; flowbits:isset,blackhole.jar; content:"nginx"; http_header; content:"application/java-archive"; fast_pattern:only; http_header; file_data; content:"Main.class"; content:"Main.classPK"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21346; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit malicious jar request"; flow:to_server, established; content:"content/rin.jar"; fast_pattern:only; http_uri; flowbits:set,blackhole.jar; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21345; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit pdf download"; flow:to_client, established; flowbits:isset, blackhole.pdf; content:"application/pdf"; fast_pattern:only; http_header; file_data; content:"arr="; pcre:"/\d+(.)\d+\1\d+\1\d+\1\d+\1\d+\1/"; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21344; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit pdf request"; flow:to_server,established; content:"adp"; fast_pattern; http_uri; content:".php?"; within:5; distance:1; nocase; http_uri; pcre:"/adp\d?\.php\?[fe]=/U"; flowbits:set,blackhole.pdf; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21343; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit response"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"window.document"; fast_pattern:only; content:"split"; pcre:"/\d{1,3}(.)\d{1,3}\1\d{1,3}\1\d{1,3}\1\d{1,3}\1/"; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21259; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"EXPLOIT-KIT Blackhole exploit kit control panel access"; flow:to_client, established; file_data; content:"charset=utf-8|22|/><title>Blackhole v."; pcre:"/[\d\.]+<\/title>/R"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:policy-violation; sid:21141; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT unknown exploit kit obfuscated landing page"; flow:to_client, established; file_data; content:"[]]}|7C|}{$$$$]}$]]}]]$|7C|$}$]$+]}]/$/]/${$$]$]]]]])$)$|7C|]/$+"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.talosintel.com/2012/02/exploit-kit-was-sent-to-you.html; classtype:attempted-user; sid:21108; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimepack exploit kit malicious pdf request"; flow:to_server, established; content:"/pdf.php?pdf="; http_uri; pcre:"/pdf\.php\?pdf=[0-9A-F]+&type=\d+&o=[^&]+&b=/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21099; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimepack exploit kit landing page"; flow:to_client, established; file_data; content:"charCodeAt(0)+13)?c:c-26)|3B|}).replace(/@/g,'A').replace(/!/g,'B').replace(/#/g,'C')"; fast_pattern:only; content:"= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='|3B|"; pcre:"/var ([^\s]+) = ''\x3Bvar ([^,]+), ([^,]+).*\1 = \1 \+ String\.fromCharCode\(\2\).*\!= 64\) \{ \1 = \1 \+ String\.fromCharCode\(\3\)\x3b\}.*\x3breturn unescape\(\1\)\x3b\}return 0\x3b\}/R"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21098; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimepack exploit kit post-exploit download request"; flow:to_server, established; content:"/load.php?spl="; http_uri; pcre:"/^\/load\.php\?spl=[^&]+&b=[^&]+&o=[^&]+&i=/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:successful-user; sid:21097; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimepack exploit kit control panel access"; flow:to_client, established; file_data; content:"<title>CRiMEPACK "; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:policy-violation; sid:21096; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit post-exploit page request"; flow:to_server, established; content:"load.php?spl="; fast_pattern:only; http_uri; pcre:"/load\.php\?spl=(Spreadsheet|DirectX_DS|MS09-002|MS06-006|mdac|RoxioCP v3\.2|wvf|flash|Opera_telnet|compareTo|jno|Font_FireFox|pdf_exp|aol|javad|ActiveX_pack)/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21071; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit pdf exploit page request"; flow:to_server, established; content:"?spl=2"; fast_pattern:only; http_header; content:"/pdf.php"; http_uri; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21070; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit exploit fetch request"; flow:to_server, established; content:"?spl="; fast_pattern:only; http_header; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21069; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Eleanore exploit kit landing page"; flow:to_client, established; file_data; content:"X-Powered-By|3A| PHP/5.2.0|0D 0A|Content-type|3A| text/html|0D 0A 0D 0A|?>X-Powered-By|3A| PHP/5.2.0|0D 0A|"; content:"?>X-Powered-By: PHP/5.2.0"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21068; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>|0D 0A|if(window.document)"; fast_pattern:only; pcre:"/(,\d{1,3}){20}/"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21045; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>"; content:"new Date().getDay"; fast_pattern:only; pcre:"/(#\d{1,2}){20}/"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21044; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit post-compromise download attempt - .php?e="; flow:to_server, established; content:".php?e="; http_uri; pcre:"/\/[a-z]\.php\?e=[\da-f]+&f=[\da-f]+$/U"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21043; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit post-compromise download attempt - .php?f="; flow:to_server, established; content:".php?f="; http_uri; pcre:"/\/[a-z]\.php\?f=[\da-f]+&e=[\da-f]+$/U"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21042; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - main.php?page="; flow:to_server, established; content:"/main.php?page="; http_uri; pcre:"/main\.php\?page=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21041; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI - w.php?f="; flow:to_server,established; content:"/w.php?f="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/52d5b9afeb36a048f139923e57fa3ba0fa6d0f02f8ceb1224ac834ca72932584/analysis/; classtype:trojan-activity; sid:20669; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI - /content/v1.jar"; flow:to_server,established; content:"/content/v1.jar"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/52d5b9afeb36a048f139923e57fa3ba0fa6d0f02f8ceb1224ac834ca72932584/analysis/; classtype:trojan-activity; sid:20668; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI /stat2.php"; flow:to_server,established; content:"/stat2.php?w="; nocase; http_uri; content:"i="; distance:0; nocase; http_uri; pcre:"/stat2\.php\?w=\d+\x26i=[0-9a-f]{32}\x26a=\d+/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf; reference:url,www.virustotal.com/en/file/567e2dcde3c182056ef6844ef305e1f64d4ce1bf3fa09d8cdc019cca5e73f373/analysis/; reference:url,www.virustotal.com/file/8380bd105559643c88c9eed02ac16aef82a16e62ef82b72d3fa85c47b5441dc7/analysis/; classtype:trojan-activity; sid:20558; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Portable Executable downloaded when mp3 is declared"; flow:to_client,established; content:"filename="; http_header; content:"mp3"; within:25; http_header; content:"|0D 0A|"; within:4; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27005; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; content:"/?f=a"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; content:"php?sf="; http_uri; content:"&Ze="; distance:0; http_uri; content:"&m="; distance:0; http_uri; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:trojan-activity; sid:27110; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Momomo.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27109; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared"; flow:to_client,established; content:"filename="; http_header; content:"exe"; within:25; nocase; http_header; content:"|0D 0A|"; within:4; http_header; file_data; content:"PK"; content:".class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27108; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|00|Han.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27107; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bjisad.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27106; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"<html><body><script>|0A|var "; fast_pattern; content:"document.createElement("; within:80; content:".setAttribute(|22|archive|22|, "; within:65; content:".setAttribute(|22|codebase|22|, "; within:65; content:".setAttribute(|22|id|22|, "; within:65; content:".setAttribute(|22|code|22|, "; within:65; content:"|22|)|3B 0A|document.body.appendChild("; within:65; content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27086; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27085; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit rhino remote code execution exploit download - autopwn"; flow:to_server,established; content:"/rhino/1.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27084; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn"; flow:to_server,established; content:"/jmxbean/1.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27083; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit flash remote code execution exploit download - autopwn"; flow:to_server,established; content:"/flash_atf/"; fast_pattern; http_uri; content:".swf"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-1535; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27082; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit Internet Explorer exploit download - autopwn"; flow:to_server,established; content:"/ie_exec/2.html"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-4969; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27081; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit Firefox exploit download - autopwn"; flow:to_server,established; content:"/ff_svg/1.bin"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0757; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27080; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nailed exploit kit landing page stage 2"; flow:to_client,established; file_data; content:"global_exploit_list[exploit_idx].resource"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27079; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nailed exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<html > <head > <title > Loading"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27078; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>32; content:"/a.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/a\.php/U"; content:!"siteadvisor.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27072; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>16; content:"/a.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/a\.php/U"; content:!"siteadvisor.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27071; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious portable executable download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"c|3A 5C|Soft|5C|cebhlpod.txt"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27069; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Tretre.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27068; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(qwqw){"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27067; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; content:"/jovf.html"; fast_pattern:only; http_uri; pcre:"/\/jovf\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; content:"/jlnp.html"; fast_pattern:only; http_uri; pcre:"/\/jlnp\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; flow:to_server,established; content:"/jorg.html"; fast_pattern:only; http_uri; pcre:"/\/jorg\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<link href=|27|"; content:".css|27| rel=|27|stylesheet|27|><link href=|27|"; within:100; content:"{a={plugins|3A|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27026; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; content:".php?"; http_uri; content:"content-type: application/"; http_header; content:" Java/1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:"|27| value=|27|JTIw"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27143; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:"<html><head><script type=|27|text/javascript|27| src=|22|js/PluginDetect.js|22|>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27142; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:".value|3B| |09| var"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27141; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit numerically named exe file dowload"; flow:to_client,established; content:"filename="; http_header; content:".exe"; within:4; distance:4; http_header; pcre:"/filename\=\d{4}\.exe$/H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27140; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"counter.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:27242; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page detected"; flow:to_client,established; file_data; content:"<OBJECT CLASSID=|22|clsid|3A|5852F5ED-8BF4-11D4-A245-0080C6F74284|22| width=|22|1|22| height=|22|1|22|><PARAM name=|22|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27241; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit request structure"; flow:to_server,established; content:"/rhino.php?hash="; fast_pattern:only; http_uri; content:"content-type"; http_header; content:"java-archive"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27274; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit iframe redirection"; flow:established,to_client; file_data; content:"<iframe style=|22|position|3A|fixed|3B|top|3A|0px|3B|left|3A|-550px|3B 22| src="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27273; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer toolkit injected iframe detected - specific structure"; flow:to_client,established; file_data; content:"}catch(dgsgsdg"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27271; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"try{++((document.body))}catch(va){if("; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27603; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:" = jref[ind](nip[|22|charAt|22|](i))|3B|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27602; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Kore exploit kit successful Java exploit"; flow:to_server,established; content:"?id="; http_uri; content:"&text="; distance:0; fast_pattern; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27697; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Kore exploit kit landing page"; flow:to_client,established; file_data; content:"</title>|0A|</head>|0A|<body>|0A|<script src="; content:"jquery.js"; within:9; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27696; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Kore exploit kit landing page"; flow:to_client,established; file_data; content:".jnlp|22| /><param name=|22 27|+"; content:"+|27|_embedded|22|"; content:".zip|22| width=|22|10|22|><param name=|22|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27695; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page"; flow:to_client,established; file_data; content:"position|3A|absolute|3B|top|3A|-1000px|3B|left|3A|-1000px|3B|text-indent|3A|-1000|3B|width|3A|1px|3B|height|3A|1px|3B|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27715; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection injection"; flow:to_client,established; file_data; content:"<!--f04d6c0ecc742ce800a316c742197c6evdrd33vf5rmf60vx-->"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27713; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection injection"; flow:to_client,established; file_data; content:"<!--4db55aefd91c498bc4dd1eddca98a4b5lfvknc5uxdf4g3sa-->"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27712; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit possible jar download"; flow:to_client,established; flowbits:isset,file.jpeg|file.png|file.gif; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27706; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; flow:to_server,established; content:"/wmck.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27705; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; flow:to_server,established; content:"/ckwm.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27704; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit landing page"; flow:to_client,established; file_data; content:"ck_wm.indexOf(|22|linux|22|)<=-1"; content:"+expires.toGMTString()|3B|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27702; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Oracle Java Jar file downloaded when zip is defined"; flow:to_client,established; content:"filename="; http_header; content:".zip|0D 0A|"; distance:0; http_header; file_data; content:"PK"; depth:2; content:".class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26292; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Zip file downloaded by Java"; flow:to_server,established; content:".zip"; nocase; http_uri; content:" Java/1"; fast_pattern:only; http_header; flowbits:set,file.exploit_kit.jar; flowbits:noalert; metadata:policy max-detect-ips alert, service http; classtype:misc-activity; sid:27741; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit redirection page"; flow:to_client,established; file_data; content:"|2A 2F|height=|22|"; content:"|22| code=|22|"; within:25; distance:1; content:".class|22| |2F 2A| "; distance:0; fast_pattern; content:".zip|22| width=|22|"; distance:0; content:"|22|><param name=|22|"; within:25; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27739; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page"; flow:to_client,established; file_data; content:"document.write(|27|<iframe style=|22|position|3A|fixed|3B|top|3A|"; content:"px|3B|left|3A|"; within:25; distance:1; content:"|22| height=|22|"; distance:0; content:"|22| width=|22|"; within:25; content:"></iframe>|27|"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27738; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr Tool embedded javascript attack method - specific structure"; flow:to_client,established; file_data; content:"/*/0f2490*/"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27734; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr Tool embedded javascript attack method - generic structure"; flow:to_client,established; file_data; content:"try|7B 3B 7D|catch("; content:"){try{"; within:30; metadata:policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27733; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit plugin detection page"; flow:to_client,established; file_data; content:"$(document).ready("; content:"=PluginDetect.getVersion,"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27783; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit malicious redirection attempt"; flow:to_server,established; content:"/n.php?h="; content:"&s="; distance:0; http_uri; pcre:"/\x2fn\.php\?h=[a-zA-Z0-9]*?\&s=[a-zA-Z0-9]{1,5}$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27815; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:7; content:"/i.html"; depth:7; fast_pattern; http_uri; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:100; http_header; content:"|0D 0A|"; distance:0; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27814; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page with payload"; flow:to_client,established; file_data; content:"document.write(|27|<applet archive=|22|"; content:".jar|22| code=|22|"; within:50; content:"|22|><param value=|22|http|3A 2F 2F|"; content:!"|22|"; within:60; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27813; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Fiesta exploit kit redirection"; flow:to_server,established; content:"/8jxtl5i/"; depth:9; http_uri; urilen:>63; pcre:"/\x2f\?[0-9a-f]{60,66}[\x3b\d]*$/U"; metadata:service http; classtype:trojan-activity; sid:27810; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:27907; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - readme.dll"; flow:to_client,established; content:"filename="; http_header; content:"readme.dll"; within:12; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27898; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - calc.dll"; flow:to_client,established; content:"filename="; http_header; content:"calc.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27897; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - contacts.dll"; flow:to_client,established; content:"filename="; http_header; content:"contacts.dll"; within:13; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27896; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll"; flow:to_client,established; content:"filename="; http_header; content:"info.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27895; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - about.dll"; flow:to_client,established; content:"filename="; http_header; content:"about.dll"; within:10; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27894; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2008-2992; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27893; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader"; flow:to_server,established; content:"/a.php?e=2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2008-2992; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27892; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit secondary payload"; flow:to_server,established; content:"/p1.exe"; fast_pattern:only; http_uri; content:"p1.exe HTTP/"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27891; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit secondary payload"; flow:to_server,established; content:"/m1.exe"; fast_pattern:only; http_uri; pcre:"/\/m1\.exe$/U"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27890; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=900188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27889; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=800188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27888; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-2884; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27887; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-1297; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27886; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/dl.exe"; fast_pattern:only; http_uri; content:"dl.exe HTTP/"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27885; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Oracle Java"; flow:to_server,established; content:"/TobyClass.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27883; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player"; flow:to_server,established; content:"/a.php?e=2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-2884; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27882; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player"; flow:to_server,established; content:"/a.php?e=1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-1297; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27881; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader 9"; flow:to_server,established; content:"/a.php?e=900188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27880; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader 8"; flow:to_server,established; content:"/a.php?e=800188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27879; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit landing page"; flow:to_client,established; file_data; content:"(z){h=|22|harCode|22 3B|f=["; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27878; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit landing page"; flow:to_client,established; file_data; content:"[|22|s|22|+|22|u|22|+|22|bs|22|+|22|t|22|+|22|r|22|]"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27877; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download"; flow:to_client,established; content:"Content-Type|3A 20|audio/mpeg"; fast_pattern:only; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27876; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Kore exploit kit outbound payload download attempt"; flow:to_server,established; content:".html1.zip"; fast_pattern:only; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27873; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page"; flow:to_client,established; file_data; content:"<body><b></b><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|height|3A|1px}</style><div>"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27866; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request"; flow:to_server,established; urilen:>32; content:".php"; fast_pattern:only; http_uri; content:"GET"; http_method; pcre:"/^\/[a-f0-9]{32}\/[a-z]{1,15}-[a-z]{1,15}\.php/U"; content:!"PacketShaper"; http_header; content:!"siteadvisor.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27865; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit portable executable download"; flow:to_client,established; flowbits:isset,file.pe.styx; content:"filename="; http_header; content:".exe"; within:4; distance:11; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27936; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"for("; content:"=0|3B|"; within:15; content:".innerHTML.length|3B|"; content:"+=2)"; within:15; pcre:"/for\x28(?P<var>\w+)=0\x3b(?P=var)<(?P<var2>\w+)\.innerHTML.length\x3b(?P=var)\+=2\x29\x20\w+\+=\w+\x28(?P=var2)/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27935; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>notredkit<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27912; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>X2O<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27911; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit successful redirection"; flow:to_client,established; file_data; content:"<iframe src=|27|http|3A 2F 2F|"; content:"|3A|8509|2F|"; distance:0; fast_pattern; content:"|27| border=0 width="; distance:0; content:"height="; within:25; content:"scrolling=no></iframe>"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28038; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude/Popads/Nuclear exploit kit jnlp request"; flow:to_server,established; urilen:71; content:".jnlp"; http_uri; content:"User-Agent|3A 20|JNLP"; fast_pattern:only; http_header; pcre:"/^\/[a-z0-9]{32}\/[a-z0-9]{32}\.jnlp/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28029; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>250; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28028; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"</div><i></i><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:28026; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - IFRAMEr injection tool"; flow:to_client,established; file_data; content:"p=parseInt|3B|ss=String|3B|asgq=|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28022; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"relay.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28021; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"rel.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28020; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"esd.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28019; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"count.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28018; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"cnt.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28017; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"clicker.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28016; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT g01pack exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe src=|22|http|3A 2F 2F|"; content:"|22| style=|22|border|3A|0px #FFFFFF none|3B 22| name=|22|test|22|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28015; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit post Java compromise download attempt"; flow:to_server,established; urilen:35; content:" Java/1."; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/[0-9]$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28111; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt"; flow:to_server,established; urilen:70; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28109; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Adobe Flash exploit download attempt"; flow:to_server,established; urilen:70; content:".swf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28108; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana exploit kit redirection attempt"; flow:to_server,established; content:".js?cp="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{8}\.js\?cp\x3d/Umi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28138; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/JavaSignedApplet.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28199; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-3552.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28198; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-0842Helper.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28197; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-0842.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28196; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT X2O exploit kit post java exploit download attempt"; flow:to_server,established; urilen:13; content:"/blog/"; http_uri; content:" Java/1."; fast_pattern; http_header; pcre:"/^\/blog\/[a-zA-Z0-9]{3}\.(g(3|e)d|mm|vru|be|nut)$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28195; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>Adikj<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28194; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection received"; flow:to_client,established; file_data; content:"<iframe src=|22|http|3A 2F 2F|"; content:"|3A|85|2F|"; within:30; content:"|22| width=|22|0|22|"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28213; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kits malicious pdf download"; flow:to_client,established; flowbits:isset,file.exploit_kit.pdf; file_data; content:"%PDF-"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:28238; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt"; flow:to_server,established; content:".pdf"; fast_pattern; http_uri; content:"Referer|3A|"; http_header; pcre:"/\/[0-9a-f]{32}\/[0-9]{10}\.pdf$/U"; pcre:"/Referer\x3a.*?\.html\x0d\x0a/H"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, service http; classtype:trojan-activity; sid:28237; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude/Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"</adress><br>"; content:"<cite>"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28236; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28233; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28291; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page attempt"; flow:to_server,established; content:".php?catalogp="; fast_pattern:only; pcre:"/\.php\?catalogp\=\d{2}$/U"; content:"Referer"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28265; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit java compromise successful"; flow:to_server,established; content:".php?"; http_uri; content:"&special="; distance:0; http_uri; content:"&alert="; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28264; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise"; flow:to_server,established; content:".php?ex=rhi"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&ver=1."; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28310; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Adobe Reader compromise"; flow:to_server,established; content:".php?ex=ad"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:!"&os="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28308; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Himan exploit kit landing page"; flow:to_client,established; file_data; content:"if ((jver >= 600) && (jver < 627)) {"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-2465; reference:cve,2013-2551; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28307; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt"; flow:to_server,established; urilen:81; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/\d{10}\/[a-f0-9]{32}\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28414; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt"; flow:to_client,established; file_data; content:"element.style.left=|27|-"; content:"px|27 3B|element.style.top=|27|-"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28413; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retrieve attempt"; flow:to_server,established; urilen:<25; content:".ld"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\.ld$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28450; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit outbound connection attempt"; flow:to_server,established; urilen:<25; content:".ee"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.ee$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28449; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit zip file download"; flow:to_server,established; content:".zip"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\/\d\.zip$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28430; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit outbound jnlp download attempt"; flow:to_server,established; urilen:15; content:".jnlp"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-z0-9]{9}\.jnlp$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28429; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Glazunov exploit kit landing page"; flow:to_client,established; file_data; content:"= |22|applet|22 3B 20|"; content:"= |22|object|22 3B 20|"; within:50; content:"=|27|param|27 3B 20|"; within:50; content:".zip|27 3B| </script>"; distance:0; pcre:"/\/\d+\/\d\.zip\x27\x3b/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28428; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request"; flow:to_server,established; content:".tpl"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/\d{10}\/[a-f0-9]{32}\/\d{10}\.tpl$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2551; classtype:trojan-activity; sid:28424; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit single digit exe detection"; flow:to_client,established; content:"filename="; http_header; content:".exe"; within:6; fast_pattern; http_header; pcre:"/filename=[\x22\x27]?\d\.exe[\x22\x27]?/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28423; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:>100; content:"/i.html?"; depth:8; fast_pattern; http_uri; pcre:"/^\/i.html\?[a-z0-9]{4}\x3D[a-z0-9]{15}/smiU"; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:125; http_header; content:"|0D 0A|"; distance:0; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:28478; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit outbound pdf request"; flow:to_server,established; urilen:<25; content:".pdf"; http_uri; content:"/i.html?"; fast_pattern:only; http_header; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:100; http_header; content:"|0D 0A|"; distance:0; http_header; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:28477; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound request by Java - generic detection"; flow:to_server,established; urilen:21<>39; content:":8000"; fast_pattern:only; http_header; content:" Java/1."; http_header; pcre:"/\/[a-z]+\?[a-z]+\=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28476; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound request - generic detection"; flow:to_server,established; urilen:20<>36,norm; content:"GET"; http_method; content:":8000/"; fast_pattern:only; http_header; content:"Referer"; http_header; pcre:"/Referer\x3a\x20[^\s]*\x3a8000\x2f[a-z]+\?[a-z]+=\d{6,7}\x0d\x0a/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28475; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit payload download attempt"; flow:to_server,established; urilen:15; content:"/1"; depth:2; fast_pattern; http_uri; pcre:"/^\/1[a-z]{0,13}[0-9]{0,12}[a-z][a-z0-9]{1,11}$/U"; content:!"Referer"; http_header; content:!"Host|3A| fb.me|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28616; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit exploit download attempt"; flow:to_server,established; urilen:15; content:"/0"; depth:2; fast_pattern; http_uri; pcre:"/^\/0[a-z]{0,13}[0-9]{0,12}[a-z][a-z0-9]{1,11}$/U"; content:"User-Agent|3A|"; http_header; content:!"Referer"; http_header; flowbits:set,file.exploit_kit.jar; flowbits:set,file.exploit_kit.silverlight; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28615; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"type=|22|application/x-silverlight-2|22|"; content:"<param name=|22|source|22| value=|22|/0"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28614; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<title>|0D 0A 20 20|Microsoft apple.com|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28613; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Silverlight exploit download"; flow:to_client,established; flowbits:isset,file.exploit_kit.silverlight; file_data; content:"PK"; content:"AppManifest.xaml"; distance:0; content:".dll"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28612; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit outbound connection attempt"; flow:to_server,established; urilen:<25; content:".rtf"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.rtf$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28611; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retreive attempt"; flow:to_server,established; content:".doc"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.doc$/U"; flowbits:set,file.sakura_kit; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:28610; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download"; flow:to_client,established; flowbits:isset,file.sakura_kit; file_data; content:"secretsecretsecretsecretsecretsecret"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28609; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit Atomic exploit download - specific-structure"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main-Class|3A| atomic.Atomic"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28608; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit payload request"; flow:to_server,established; urilen:24<>26,norm; content:"/f/"; fast_pattern:only; http_uri; pcre:"/^\/f\/1\d{9}\/\d{9,10}(\/\d)+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28596; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Oracle Java jar file retrieval"; flow:to_server,established; urilen:25<>26,norm; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d{9,10}\/1\d{9}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28595; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request"; flow:to_server,established; urilen:26,norm; content:".tpl"; fast_pattern:only; http_uri; pcre:"/^\/\d{10}\/\d{10}\.tpl$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28594; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit payload download"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28593; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit possibly malicious iframe embedded into a webpage"; flow:to_client,established; file_data; content:"name=Twitter scrolling=auto frameborder=no align=center height="; content:" width="; within:20; content:" src=http|3A 2F 2F|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28798; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit binkey xored binary download attempt"; flow:to_client,established; file_data; content:"binkeybinkeybinkeybinkeybinkeybinkey"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28797; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT iFRAMEr successful cnt.php redirection"; flow:to_server,established; content:"/cnt.php?id="; fast_pattern:only; http_uri; content:"Referer|3A 20|"; http_header; pcre:"/^\/cnt\.php\?id=\d+$/U"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28796; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt"; flow:to_server,established; urilen:<30; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/\d+\.mp3$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy max-detect-ips alert, ruleset community, service http; reference:cve,2012-0507; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28795; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection"; flow:to_server,established; urilen:20<>36,norm; content:"GET"; http_method; content:"Host|3A|"; http_header; content:":8000"; within:55; http_header; content:"Referer"; http_header; pcre:"/\x2f[a-z]+\?[a-z]+=\d{6,7}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28911; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string"; flow:to_server,established; content:"/tx.exe"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28969; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound flash exploit retrieval attempt"; flow:to_server,established; content:"/fla.swf"; fast_pattern:only; http_uri; content:"x-flash-version|3A 20|"; http_header; pcre:"/Referer\x3a[^\n]*fla\.php\?wq=[a-f0-9]+\x0d\x0a/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28968; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection"; flow:to_server,established; urilen:>100; content:".php?hgfc="; fast_pattern:only; http_uri; pcre:"/\.php\?hgfc\=[a-f0-9]+$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:28967; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound POST connection"; flow:to_server,established; content:"POST"; http_method; content:"hyt="; depth:4; http_client_body; content:"&vre="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28966; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT HiMan exploit kit Flash Exploit landing page"; flow:to_client,established; file_data; content:"flash_version != null && flash_version[0] < 116000"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28963; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT SPL2 exploit kit jar exploit download"; flow:to_server,established; content:".html?jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\.html\?jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29003; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT SPL2 exploit kit Silverlight plugin outbound connection attempt"; flow:to_server,established; content:"html?sv="; fast_pattern:only; http_uri; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SPL2 exploit kit landing page detection"; flow:to_client,established; content:"$$.getVersion(|22|Silverlight|22|)|3B|"; content:"$$.getVersion(|22|Java|22|)"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt"; flow:to_server,established; urilen:<16; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/\d{1,2}(?P<letter>[A-Z])\d{1,2}(?P=letter)\d{1,2}(?P=letter)\d{1,2}\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29131; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit malicious payload download attempt"; flow:to_server,established; urilen:13; content:" Java/1."; fast_pattern:only; http_header; pcre:"/^\/\d{4}\/\d{7}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29130; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit jar exploit download - specific structure"; flow:to_server,established; content:"/hanger.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29129; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit plugin detection page"; flow:to_client,established; file_data; content:"go2Page|28 27|/|27|+PluginDetect.getVersion|28 22|AdobeReader|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29128; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit XORed payload download attempt"; flow:to_client,established; file_data; content:"|7C 68 A3 34 36 36 37 38 35 32 33 34 CA C9 37 38|"; depth:16; metadata:impact_flag red, policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/12/cve-2013-5329-or-cve-2013-5330-or.html; classtype:trojan-activity; sid:29066; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_client,established; content:".exe|0D 0A|"; fast_pattern:only; http_header; content:"filename="; http_header; content:".exe|0D 0A|"; within:6; distance:24; http_header; pcre:"/filename=(?![a-f]{24}|\d{24})[a-f\d]{24}\.exe\r\n/H"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29167; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_server,established; content:"/loadmsie.php?id="; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29166; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound jar request"; flow:to_server,established; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-f0-9]{32}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29165; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound flash request"; flow:to_server,established; content:".swf"; http_uri; content:"x-flash-version|3A|"; http_header; content:"Referer"; http_header; content:"flash.php?id="; distance:0; http_header; pcre:"/\/[a-f0-9]{32}\.swf$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:29164; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound exploit request"; flow:to_server,established; content:".php?id="; http_uri; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=[a-f\d]{20}/iU"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf; metadata:policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:29163; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request"; flow:to_server,established; urilen:34; content:"/?"; depth:2; fast_pattern; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:" MSIE "; http_header; content:!"Referer|3A|"; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29189; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit embedded open type font file request"; flow:to_server,established; urilen:37; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/U"; metadata:service http; classtype:trojan-activity; sid:29188; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound pdf request"; flow:to_server,established; urilen:<27; content:".pdf"; fast_pattern:only; http_uri; content:"Referer"; http_header; content:".html"; distance:0; http_header; pcre:"/^\/\d{8,11}\/1[34]\d{8}\.pdf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[\w_]{32,}\.html\r$/Hsm"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:29187; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound connection"; flow:to_server,established; urilen:<28; content:"/1"; http_uri; content:".htm"; distance:0; http_uri; content:"Referer"; http_header; content:".html"; distance:0; http_header; pcre:"/^(\/\d{8,11})?(\/\d)?\/1[34]\d{8}\.htm$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29186; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"nib|28 27|http|3A 2F 2F|"; content:".mp3|27 29 3B|"; within:25; distance:10; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29361; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"4Um3S0Vm3"; depth:15; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29360; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit eot outbound connection"; flow:to_server,established; urilen:>100; content:".eot"; fast_pattern:only; http_uri; content:"Referer"; http_header; content:!"|0D 0A|"; within:100; content:"/fnts.html"; distance:0; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:29453; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:>100; content:"/i.html?"; depth:8; http_uri; pcre:"/\/i\.html\?[a-z0-9]+\=[a-zA-Z0-9]{25}/U"; flowbits:set,styx_landing; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29452; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit outbound connection attempt"; flow:to_server,established; content:"/?id=ifrm"; fast_pattern:only; http_header; content:"/?"; depth:2; http_uri; pcre:"/\/\?[a-z0-9]{9}\=[a-zA-Z0-9]{45}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29450; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; flowbits:isset,styx_landing; file_data; content:"<textarea id=|22|"; content:"|22|>"; within:10; isdataat:300,relative; content:!"</textarea>"; within:300; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29449; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"document.write(|27|<app|27|+|27|let archive=|22|"; content:".jar|22| code=|22|"; distance:0; content:"<param val|27|+|27|ue=|22|http|3A 2F 2F|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29448; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit payload download - scandsk.exe"; flow:to_client,established; content:"attachment|3B|"; http_header; content:"scandsk.exe|0D 0A|"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:29447; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit jar outbound connection"; flow:to_server,established; urilen:>100; content:".jar"; fast_pattern:only; http_uri; content:"Cookie"; http_header; content:!"|0D 0A|"; within:100; content:" Java/1"; http_header; pcre:"/\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:29446; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit fonts download page"; flow:to_server,established; content:"/fnts.html"; fast_pattern:only; http_uri; pcre:"/\/fnts\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29445; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download"; flow:to_client,established; content:"flashplayer11_"; http_header; file_data; content:"MZ"; depth:2; metadata:service http; classtype:trojan-activity; sid:29444; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|7D 6B F8 64 76 74 6E 66|"; depth:8; metadata:service http; classtype:trojan-activity; sid:29414; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E F2 32 30 34 6E 68|"; depth:8; metadata:service http; classtype:trojan-activity; sid:29413; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit Java download attempt"; flow:to_server,established; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_-]{48}$/Ui"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:29412; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"navigator.userAgent.indexOf(|27|Firefox|27|)>=0|7C 7C|navigator.userAgent.indexOf(|27|MSIE|27|)>=0))"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:29411; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; nocase; http_uri; content:" Java/1."; fast_pattern:only; http_header; pcre:"/\/download\.asp\?p\=\d$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:29864; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older"; flow:to_server,established; content:".php?a=h7"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30009; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP"; flow:to_server,established; content:".php?a=h6"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30008; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17 "; flow:to_server,established; content:".php?a=h5"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30007; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP"; flow:to_server,established; content:".php?a=h4"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30006; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17"; flow:to_server,established; content:".php?a=h3"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30005; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17"; flow:to_server,established; content:".php?a=h2"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30004; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt"; flow:to_server,established; content:".php?a=dw"; fast_pattern:only; http_uri; pcre:"/\?a=dw[a-z]$/U"; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2011-1255; reference:cve,2012-1723; reference:cve,2013-1489; reference:url,attack.mitre.org/techniques/T1189; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30003; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit Java download attempt"; flow:to_server,established; content:".php?a=r"; fast_pattern:only; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30002; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected"; flow:to_client,established; file_data; content:"document.createElement(|22|iframe|22|)"; fast_pattern:only; content:".width"; content:".height"; content:".style.visibility"; within:50; content:".php"; within:300; content:".appendChild("; within:500; pcre:"/var\s(?P<name>\w+)\s?=\s?document\.createElement\x28\x22iframe\x22\x29.*?(?P=name)\.style\.visibility.*?(?P=name)\.src\s?=\s?[\x22\x27][^\x22\x27]*\.php.*?\.appendChild\x28(?P=name)\x29/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30001; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit malicious payload delivery - specific string"; flow:to_client,established; content:"filename="; http_header; content:"very.mhh"; within:12; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30134; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"frameborder=|22|NO|22| framespacing=|22|0|22| border=|22|0|22|><frame name="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30133; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(?:\/\d)?\/1[34]\d{8}(?:\/\d{9,10})?(?:\/\d)+[^a-zA-Z]{1,6}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30220; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound jar request"; flow:to_server,established; content:"/1"; http_uri; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^(?:\/\d{9,10})?(?:\/\d)?\/1[34]\d{8}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30219; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Zuponcic exploit kit Oracle Java file download"; flow:to_client,established; content:"filename="; nocase; http_header; content:"FlashPlayer.jar"; within:17; fast_pattern; http_header; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9324faaed6c7920f1721b60f81e1b04fbe317dedf9974bdfa02d8fcd1f0be18f/analysis/; classtype:trojan-activity; sid:25764; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\?rnd=\d+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30319; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"<html><th>Wait Please...</th><body>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30317; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:".xml|22| name=|22|jnlp_href|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30316; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT WhiteLotus exploit kit plugin outbound detection"; flow:to_server,established; urilen:32; content:"POST"; http_method; content:"v="; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"&w="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30312; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SofosFO/Stamp exploit kit plugin detection page"; flow:to_client,established; file_data; content:"go2Page|28 27|/|27|+PluginDetect.getVersion|28 22|AdobeReader|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30306; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request"; flow:to_server,established; urilen:>32; content:" Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9]){32}[\/_]*?\/\d+?$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30768; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request"; flow:to_server,established; urilen:66; content:" Java/1."; http_header; pcre:"/^\/(?:[a-f0-9]{32}\/[a-f0-9]{32})$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30767; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit landing page"; flow:to_client,established; file_data; content:"<EMBED code="; content:"archive=|22|http|3A 2F 2F|"; distance:0; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\x22/R"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30766; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page - base64 encoded xml/jnlp statement"; flow:to_client,established; file_data; content:"Cjw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+CjxqbmxwIHNwZWM9IjEuMCIgeG1"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30852; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java"; flow:to_server,established; urilen:<50,norm; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\d+\.mp3$/U"; metadata:service http; classtype:trojan-activity; sid:30878; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound PDF request"; flow:to_server,established; content:".pdf"; http_uri; content:"/1/1"; fast_pattern:only; http_uri; content:".html"; http_header; pcre:"/^\/\d{9,10}\/1\/1\d{9}\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:30937; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure"; flow:to_server,established; content:".php?req="; fast_pattern; nocase; http_uri; content:"&PHPSSESID="; distance:0; http_uri; pcre:"/\.php\?req=(?:x(?:ap|ml)|swf(IE)?|mp3|jar)\&/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:30936; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|3A|stroke id="; fast_pattern:only; content:"|3B|function pop(koz)"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30935; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|89 B4 F4 6A 24 1F 46 14|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30934; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit redirection gate"; flow:to_server,established; urilen:72; content:"POST"; http_method; content:".php?q="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30920; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request"; flow:to_server,established; content:"/testi.jnlp"; content:" Java/1."; distance:0; metadata:impact_flag red, service http; classtype:trojan-activity; sid:30960; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit"; flow:to_client,established; flowbits:isset,critx_flash; file_data; content:"<script>"; content:"var "; within:4; distance:1; content:"|27|toString|27|"; distance:0; pcre:"/var\s+(?P<name>\w+)\=function\(.*?\x27\x2b(?P=name)\(\d+\x29/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30976; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Oracle Java exploit"; flow:to_client,established; flowbits:isset,critx_java; file_data; content:"document.write"; content:"archive="; distance:0; content:".jar"; distance:0; pcre:"/\/[a-f0-9]{32}\.jar/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30975; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload request"; flow:to_server,established; content:"/load"; http_uri; content:".php"; distance:0; http_uri; pcre:"/\/load(?:(?:db|rh|silver|msie|flash|fla[0-9]{4,5}))\.php/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware-traffic-analysis.net/2014/05/29/index.html; classtype:trojan-activity; sid:30973; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Microsoft Silverlight landing page"; flow:to_server,established; content:"/silver.php"; fast_pattern:only; http_uri; flowbits:set,critx_font; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:30972; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Oracle Java landing page"; flow:to_server,established; content:"/java"; fast_pattern:only; http_uri; pcre:"/\/java(rh|db)\.php$/U"; flowbits:set,critx_java; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:trojan-activity; sid:30971; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Adobe Flash landing page"; flow:to_server,established; content:"/flash201"; fast_pattern:only; http_uri; pcre:"/\/flash201(3|4)\.php$/U"; flowbits:set,critx_flash; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:trojan-activity; sid:30970; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Microsoft Internet Explorer landing page"; flow:to_server,established; content:"/msie.php"; fast_pattern:only; http_uri; flowbits:set,critx_ie; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:30969; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to font exploit"; flow:to_client,established; flowbits:isset,critx_font; file_data; content:"/x-silverlight-2"; content:".eot"; distance:0; content:"aHR0cDov"; distance:0; pcre:"/^[\w+\/]+(?:(?:LmVvdA|5lb3Q)==?|uZW90)[\x22\x27]/Rsi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30968; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit"; flow:to_client,established; flowbits:isset,critx_flash; file_data; content:"createFlashMarkup"; content:".swf"; distance:0; pcre:"/[a-zA-Z0-9]\/[a-f0-9]{5}\.swf[\x22\x27]/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30967; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Microsoft Internet Explorer exploit"; flow:to_client,established; flowbits:isset,critx_ie; file_data; content:"behavior:url(#default#VML"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30966; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Oracle Java exploit"; flow:to_client,established; flowbits:isset,critx_java; file_data; content:"jnlp_embedded"; content:"C9qbmxwPg=="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30965; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:70<>82; content:"= HTTP/"; fast_pattern:only; content:"User-Agent"; http_header; pcre:"/^\/[-\w]{70,78}==?$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:31046; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|21 3B E3 70 65 6E 66 64|"; depth:8; metadata:service http; classtype:trojan-activity; sid:31130; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound swf request"; flow:to_server,established; content:"/1"; http_uri; content:".swf"; fast_pattern:only; http_uri; pcre:"/^(?:\/\d{9,10})?(?:\/[16])?\/1[34]\d{8}\.swf$/U"; metadata:service http; classtype:trojan-activity; sid:31237; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound jar request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/modules\/\d\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31232; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound connection"; flow:to_server,established; content:"/load_module.php?user="; fast_pattern:only; http_uri; pcre:"/\/load_module\.php\?user\=(n1|1|2|11)$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31231; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound connection"; flow:to_server,established; content:"/add_visitor.php?referrer=http://"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31230; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; pcre:"/\/modules\/(n?\d|nu)\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31229; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"#default#VML"; fast_pattern:only; content:"*/var "; isdataat:500,relative; content:"|3B|function "; within:50; pcre:"/\x3bfunction\s(?P<name>\w)\x28.*\x3b(?P=name)\x28\x22[\da-z]+\x22\x29\x3b/"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:31298; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit decryption page outbound request"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\sHTTP/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31279; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Oracle java outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; content:".mkv"; distance:0; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\.mkv/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:cve,2013-2460; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31278; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Oracle Java outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; content:".djvu"; distance:0; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\.djvu/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:cve,2013-2460; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31277; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:35; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\/\d+\.\d+\.\d+\.\d+\//"; flowbits:set,file.exploit_kit.flash; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; reference:cve,2013-0634; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31276; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit landing page"; flow:to_client,established; content:"*/adv=|27|OrbitWhite|27|/* "; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31275; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit encrypted binary download"; flow:to_client,established; content:"filename="; content:".jat"; distance:0; pcre:"/filename=[a-z]+\.jat/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31274; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:65,norm; content:"User-Agent"; fast_pattern:only; http_header; pcre:"/^\/[\w-]{64}$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar&file.exploit_kit.flash; flowbits:noalert; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:31332; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E C2 32 61 34 6E 68|"; depth:8; metadata:service http; classtype:trojan-activity; sid:31331; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; content:"GET /"; content:"HTTP/1."; within:8; distance:64; content:"Host|3A 20|"; content:"Cache-Control|3A 20|no-cache|0D 0A 0D 0A|"; content:!"Referer"; pcre:"/GET\s\/[\w-]{64}\sHTTP\/1\.[^\x2f]+Host\x3a\x20[^\x3a]+\x3a\d+\x0d\x0a/"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar&file.exploit_kit.flash; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:31371; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit redirection page"; flow:to_client,established; file_data; content:"var|20|"; content:"|3B 20|var|20|"; within:20; distance:5; content:"|3B 20|if(!Array.prototype.indexOf){"; within:50; distance:5; content:"this.length|3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; pcre:"/^\/\d{2,4}\.xap$/U"; flowbits:set,file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:31369; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:established,to_server; urilen:25<>32; content:".html?0."; depth:11; offset:2; http_uri; pcre:"/\/[a-z]{1,4}\x2ehtml\x3f0\x2e[0-9]{15,}$/U"; metadata:ruleset community, service http; reference:url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise; classtype:trojan-activity; sid:31455; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request"; flow:to_server,established; content:".x HTTP/1."; fast_pattern:only; content:" MSIE "; http_header; content:!"Referer"; nocase; http_header; flowbits:set,file.exploit_kit.silverlight; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31701; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hanjuan exploit kit landing page detection"; flow:to_client,established; file_data; content:"<li class=|22|is-new|22|>"; content:"<a href=|22|show.php"; within:17; distance:1; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31700; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hanjuan exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|71 75 B9 86 D8 51 1B 7B|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31699; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 36 F4 6F 6D 6A 66 67|"; depth:8; metadata:service http; classtype:trojan-activity; sid:31695; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page detected"; flow:to_client,established; file_data; content:"=|22|1|3B|url=about|3A|Tabs|22 20|http-equiv"; fast_pattern:only; content:"|5C|x72|5C|x65|5C|x70|5C|x6C|5C|x61|5C|x63|5C|x65"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31692; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detection"; flow:to_client,established; file_data; content:"=|27|+|27 20 22|re|27|+|27|pl|27|+|27|ac|27|+|27|e|22 3B 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31734; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt"; flow:to_client,established; content:"jquery_datepicker"; fast_pattern:only; pcre:"/(var jquery_datepicker=)|(jquery_datepicker.replace)/"; metadata:impact_flag red, service http; reference:url,malware-traffic-analysis.net/2014/08/18/index.html; classtype:trojan-activity; sid:31770; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port"; flow:to_server,established; content:"/stargalaxy.php?nebula="; fast_pattern:only; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:31769; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit flash file download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"ZWS"; depth:3; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31903; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit flash file download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"CWS"; depth:3; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31902; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected"; flow:to_client,established; file_data; content:"nhadR2b4nhadR2b4nhadR2b4nhadR2b4nhadR2b4nhadR2b4"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31900; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected"; flow:to_client,established; file_data; content:"SYwT6QtySYwT6QtySYwT6QtySYwT6QtySYwT6QtySYwT6Qty"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31899; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|22 29 3B 0A 0D 0A|</script>"; fast_pattern; content:"</script>|0A|<script>"; within:150; content:"|0A 0D 0A|</script>|0D 0A|<h"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31898; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8087 (msg:"EXPLOIT-KIT Scanbox exploit kit exfiltration attempt"; flow:to_server,established; content:"projectid="; depth:10; nocase; content:"&seed="; within:40; nocase; content:"&ip="; within:40; nocase; content:"&referrer="; within:40; nocase; content:"&agent="; within:40; nocase; content:"&location="; within:250; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31859; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Scanbox exploit kit enumeration code detected"; flow:to_server,established; file_data; content:"document|2E|createElement|28|unescape|28 22 25|3Ciframe|25|20id|25|3D"; fast_pattern:only; content:"|2E|crypt|2E|_utf8_encode"; content:"|2E|push|28|"; content:"|3D 3D|c|3A 5C 5C|Program Files|5C 5C|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31858; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Scanbox exploit kit enumeration code detected"; flow:to_client,established; file_data; content:"document|2E|createElement|28|unescape|28 22 25|3Ciframe|25|20id|25|3D"; fast_pattern:only; content:"|2E|crypt|2E|_utf8_encode"; content:"|2E|push|28|"; content:"|3D 3D|c|3A 5C 5C|Program Files|5C 5C|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31857; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|DC C7 5E 47 A0 DB D2 51|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31972; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit redirection attempt"; flow:to_server,established; urilen:>60,norm; content:"POST"; http_method; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Referer|3A 20|"; http_header; content:"x-req|3A 20|"; fast_pattern; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Pragma|3A 20|no-cache|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31970; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|F2 F7 94 75 16 7E 8E 15|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31967; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|D5 B1 F8 24 89 28 15 47|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31966; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit landing page"; flow:to_client,established; file_data; content:"{(new Image).src=|22|/"; content:"%72%6f%72%72%65%6e%6f"; distance:0; fast_pattern; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31965; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit landing page"; flow:to_client,established; file_data; content:"expires=|22|+expires.toGMTString()"; nocase; content:"51yes.com/click.aspx?"; fast_pattern; nocase; content:"|22|gb2312|22|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31988; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32390; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Oracle Java request"; flow:to_server,established; content:"/14"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/14\d{8}(.jar)?$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32389; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"*/ new Function(|22|"; content:"|22|,|22|if("; within:20; content:" != |27 27|){"; pcre:"/new\sFunction\x28\x22(?P<a1>\w+)\x22\,\x22if\x28(?P=a1)\x20/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32388; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit jar file download"; flow:to_client,established; content:"filename="; content:".swf"; within:4; distance:8; file_data; content:"PK|03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32387; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound structure"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(\/[^\x2f]+)?\/14\d{8}(\/\d{9,10})?(\/\d)+(\/x[a-f0-9]+(\x3b\d)+?)?$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:32386; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound Oracle Java request"; flow:to_server,established; content:"accept-encoding|3A| pack200-gzip, gzip"; fast_pattern:only; content:"GET /"; content:"HTTP/1."; within:8; distance:64; content:"Host|3A 20|"; content:" Java/1."; content:!"Referer"; pcre:"/GET\s\/[\w-]{64}\sHTTP\/1/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.cisco.com/security/talos/angler-flash-0-day; classtype:trojan-activity; sid:32399; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request"; flow:to_server,established; content:"/Plugin.jar"; http_uri; content:" Java/1."; http_header; content:"="; depth:1; offset:32; http_cookie; pcre:"/[a-f0-9]{32}=[a-f0-9]{32}/C"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; classtype:trojan-activity; sid:32555; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hellspawn exploit kit landing page detected"; flow:to_client,established; file_data; content:"weCameFromHell(|27|<applet name=|22|Update Java"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32554; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port"; flow:to_server,established; content:"GET"; content:".jnlp HTTP/1.1"; distance:0; content:" Java/1."; content:"Host"; content:"|3A|"; distance:0; pcre:"/(applet|testi)\.jnlp\sHTTP\/1\./"; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:service http; classtype:trojan-activity; sid:32641; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection"; flow:to_server,established; content:"GET /"; content:".php?"; fast_pattern:only; pcre:"/\w+\.php\?\w+\=\d+\s*HTTP\/1\./"; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:service http; classtype:trojan-activity; sid:32640; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port"; flow:to_server,established; content:"GET"; content:".jar HTTP/1.1"; distance:0; content:" Java/1."; content:"Host|3A|"; pcre:"/Host\x3a[^\n]+\x3a\d+\r\n/"; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:32639; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port"; flow:to_server,established; content:"GET /"; content:"x-flash-version|3A 20|1"; fast_pattern:only; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; pcre:"/Referer\x3a[^\n]+\x3a\d+\x2f/"; metadata:service http; classtype:trojan-activity; sid:32638; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT known malicious javascript packer detected"; flow:to_client,established; file_data; content:"function|28 2F 2A|"; content:"|2A 2F|p,|2F 2A|"; within:25; content:"|2A 2F|a,|2F 2A|"; within:25; content:"|2A 2F|c,|2F 2A|"; within:25; content:"|2A 2F|k,|2F 2A|"; within:25; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/; classtype:misc-activity; sid:32804; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CK exploit kit landing page"; flow:to_client,established; file_data; content:"=|22|i|22|+|22|m|22|+|22|g|22 3B|"; content:"=|22|s|22|+|22|r|22|+|22|c|22 3B|"; within:14; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32803; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; urilen:>36; content:"/ABs"; fast_pattern:only; http_uri; pcre:"/^\/ABs[A-Za-z0-9]+$/U"; flowbits:set,Nuclear; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32880; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit payload delivery"; flow:to_client,established; flowbits:isset,Nuclear; content:"X-Powered-By|3A 20|"; http_header; content:"application/octet-stream"; http_header; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:"filename="; distance:0; http_header; pcre:"/filename=[a-z0-9]+\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32879; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/14"; fast_pattern:only; http_uri; content:".swf"; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,file.nuclear.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32878; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/13"; fast_pattern:only; http_uri; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}(?:\.swf)$/U"; flowbits:set,file.nuclear.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32877; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})(?:\.xap)$/U"; flowbits:set,file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:32876; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit Adobe Flash download"; flow:to_client,established; flowbits:isset,file.nuclear.flash; content:"x-shockwave-flash"; http_header; content:"filename="; distance:0; http_header; content:".swf"; distance:0; http_header; pcre:"/filename\=\d+\.swf/H"; content:"ZWS"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32995; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; file_data; content:"|12 73 00 00 62 05 24 01 C5 25 FF 01 A8 63 05 62 03 62 05 66 01 25 FF 01 A8 62 06 C5 25 FF 01 A8|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33187; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; file_data; content:"|62 05 66 01 25 FF 01 A8 62 06 C5 25 FF 01 A8 63 06|"; content:"|62 06 66 01 25 FF 01 A8 C5 25 FF 01 A8 63 09|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33186; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|0B C7 6A 1E 7C C2 43 EA|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33185; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash download"; flow:to_client,established; content:"Expires|3A| Sat, 26 Jul 2007 05|3A|00|3A|00 GMT"; fast_pattern:only; http_header; content:"x-shockwave-flash"; nocase; http_header; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:33184; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"Last-Modified|3A| Sat, 26 Jul 2039"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33183; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request"; flow:to_server,established; urilen:49,norm; content:"Referer"; http_header; content:"x-flash-version|3A|"; fast_pattern:only; http_header; pcre:"/^\/[\w-]{48}$/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:33182; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D3 62 04 66 01 73 63 0A D3 62 04 D3 62 08 66 01 61 01 D3 62 08 62 0A 61 01 62 07 24 01 C5 D2 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0311; classtype:trojan-activity; sid:33274; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B2 67 FB 87 EF B2 72 55 DD 65 7F 2D 2C CB B8 FC 59 FE 99 FF 4F FF FD 5F B1 8C 6D 11 5E 19 C9 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0311; classtype:trojan-activity; sid:33273; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D3 62 04 66 01 73 63 0A D3 62 04 D3 62 08 66 01 61 01 D3 62 08 62 0A 61 01 62 07 24 01 C5 D2 60|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0311; classtype:trojan-activity; sid:33272; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B2 67 FB 87 EF B2 72 55 DD 65 7F 2D 2C CB B8 FC 59 FE 99 FF 4F FF FD 5F B1 8C 6D 11 5E 19 C9 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0311; classtype:trojan-activity; sid:33271; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; file_data; content:"|80 E2 3F 18 CF F1 3D 00 C4 1C 6E 7A 9F A6 2F 5D 04 11 2E BF C5 79 FC FC 26 2F F0 88 C6 76 1D C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33286; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"allowScriptAccess=always"; fast_pattern:only; content:"param name=FlashVars"; nocase; content:"value"; within:25; nocase; content:"exec="; within:25; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.cisco.com/security/talos/angler-flash-0-day; classtype:trojan-activity; sid:33292; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound uri structure"; flow:to_server,established; urilen:27; content:"/lists/"; fast_pattern:only; http_uri; pcre:"/^\/lists\/\d{20}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33663; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>160,norm; content:"/?"; depth:2; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33906; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>80,norm; content:"/index.php?"; depth:11; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33905; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit obfuscated file download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B 20|filename=|0D 0A 0D 0A 3F 0B D4 6C 4F 48 61 50|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2013-0074; reference:cve,2013-2465; reference:cve,2013-2471; reference:cve,2013-2551; reference:cve,2013-2883; reference:cve,2013-7331; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:33983; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"</script></head>|0D 0A|<body>|0D 0A|<h"; fast_pattern:only; content:"<textarea id=|27|"; content:"|27| title=|27|"; within:25; content:"|27| name=|27|"; within:25; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2013-0074; reference:cve,2013-2465; reference:cve,2013-2471; reference:cve,2013-2551; reference:cve,2013-2883; reference:cve,2013-7331; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33982; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit flash file download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B 20|filename=|0D 0A 0D 0A|ZWS"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33981; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; fast_pattern:only; http_header; content:".pdf"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b[^\x0d\x0a]filename=[a-z]{5,8}\d{2,3}\.pdf\x0d\x0a/Hm"; flowbits:set,file.exploit_kit.pdf; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34334; rev:9;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:".jar"; fast_pattern:only; http_header; pcre:"/filename=[a-z]{5,8}\d{2,3}\.jar\x0d\x0a/Hm"; file_data; content:"PK"; within:2; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:34332; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:".xap"; http_header; pcre:"/filename=[a-z]{5,8}\d{2,3}\.xap\x0d\x0a/Hm"; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:set,file.exploit_kit.silverlight; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34331; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:".swf"; http_header; pcre:"/filename=[a-z]{5,8}\d{2,3}\.swf\x0d\x0a/Hm"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34330; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit payload download"; flow:to_server,established; urilen:49; content:"HTTP/1.1|0D 0A|Host|3A|"; fast_pattern:only; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:!"User-Agent|3A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[\w-]{48}$/U"; metadata:service http; classtype:trojan-activity; sid:34348; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected"; flow:to_client,established; file_data; content:"9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31901; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|0B 28 FF 53 4B 75 39 68|"; depth:8; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:31694; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Fiesta exploit kit outbound connection attempt"; flow:to_server,established; urilen:>70; content:"User-Agent|3A|"; http_header; content:"/"; depth:2; offset:8; http_uri; content:!"&"; http_uri; content:!"details"; http_uri; content:!"weather"; http_uri; content:!"texture"; http_uri; content:!"mailing"; http_uri; content:!"captcha"; http_uri; content:!"/counters/"; http_uri; content:!"/results/"; http_uri; pcre:"/^\/\/?[a-z0-9_]{7,8}\/\??[0-9a-f]{60,68}[\x3b\x2c\d+]*$/U"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.silverlight&file.exploit_kit.flash; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:29443; rev:16;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound plugin detection response - generic detection"; flow:to_server,established; urilen:<18,norm; content:"POST"; http_method; content:"Referer|3A|"; http_header; content:"|3A|8000/"; distance:0; http_header; pcre:"/Referer\x3a\x20[^\s]*\x3a8000\x2f[a-z]+\?[a-z]+=\d{6,7}\x0d\x0a/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28474; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise"; flow:to_server,established; content:".php?ex=jre"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&ver=1."; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28309; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit jar file download attempt"; flow:to_client,established; flowbits:isset,file.exploit_kit.jar; file_data; content:"PK"; depth:5; content:".class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27816; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity/Redkit exploit kit short jar request"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; content:"content-type|3A| application/x-java-archive"; http_header; pcre:"/^\/[a-z0-9]{1,4}\.jar$/U"; content:!"cbssports.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26808; rev:11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit jar file dropped"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"BurkinoGoso.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25803; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit exploit download"; flow:to_server,established; urilen:52<>59,norm; content:"."; depth:1; offset:49; http_uri; content:"Referer|3A 20|http|3A 2F 2F|"; http_header; pcre:"/^\/[\w-]{48}\.[a-z]{2,8}[0-9]?$/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f[^\n]+\/\d{10,20}\x0d\x0a/Hm"; flowbits:set,file.exploit_kit.flash&file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34720; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<script>"; content:"/*"; within:100; content:"*/"; within:20; content:".substr|28|"; within:40; content:"/*"; within:10; content:"*/"; within:20; pcre:"/<script>.*?\x2f\x2a\w+\s\x2a\x2f\s*\x22\w+\x22\x2b\x22\w+\x22\x2esubstr\x28\d{2},\d{2}\x29\x2f\x2a\w+\s\x2a\x2f\s\x3b/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2015/06/15/index.html; classtype:trojan-activity; sid:34970; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<p"; content:"px|3B| font-style|3A| none|3B| "; within:100; content:"overflow|3A|hidden|3B|"; within:25; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2015/06/15/index.html; classtype:trojan-activity; sid:34969; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Null Hole exploit kit malicious swf request"; flow:to_server,established; urilen:>37; content:".swf"; http_uri; content:"Cookie|3A| nhweb="; fast_pattern:only; pcre:"/\x2f[a-f0-9]{32}\x2f\w+\x2eswf/iU"; metadata:policy security-ips drop, service http; classtype:attempted-user; sid:35085; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Null Hole exploit kit binary download request"; flow:to_server,established; urilen:>43; content:".exe&h="; fast_pattern:only; http_uri; content:"Cookie|3A| nhweb="; content:!"Referer"; http_header; pcre:"/\x2f[a-f0-9]{32}\x2f\w+\d+\x2eexe\x26h\x3d\d/iU"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:35084; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected"; flow:to_server,established; file_data; content:"|0E|IIll1III111I11|0E|Illl1III111I11"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html; classtype:trojan-activity; sid:35110; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected"; flow:to_client,established; file_data; content:"|0E|IIll1III111I11|0E|Illl1III111I11"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html; classtype:misc-attack; sid:35109; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<p style=|22| width|3A|7px|3B| height|3A|19px|3B| text-overflow|3A| clip|3B 22|>"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:35256; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash download attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|B4 51 40 A2 02 12 14 10 AF 80 38 05 B4 54 40 0B 05 34 57 40 33 05 44 2B A0 8A 02 22 14 D0 48 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35335; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash download attempt "; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|93 C5 3E 7E 94 C9 64 51 B9 4C F6 DB 7F F7 89 EC C7 B2 E7 EF B5 CC 24 7B 94 C9 A1 DF 42 59 D5 6F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35334; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 49 00 D0 2C 08 61 24 D0 2C 05 61 0C D0 2C 0A 61 35 D0 2C 0B 61 33 D0 2C 16 61 3A D0 2C 03 61 14 D0 2C 0E 61 25 D0 2C 0F 61 30 D0 2C 10 61 2F D0 2C 11 61 2E D0 2C 12 61 20 D0 2C 13 61 3C D0 2C 14 61 31 D0 2C 15 61 34 D0 2C 04 61 37 47|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35333; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<span class=|22|text|22| id = |22|"; content:"|22| style=|22| height|3A|21px|3B| font-style|3A| none|3B| width|3A|7px|3B| |22|><br>"; within:150; metadata:service http; classtype:trojan-activity; sid:35550; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit flash exploit download attempt"; flow:to_server,established; urilen:>80; content:"Accept|3A| */*"; content:"Proxy-Authorization|3A| NTLM "; content:"TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="; within:56; content:"x-flash-version|3A|"; pcre:"/http\x3a\x2f\x2f\w+\x2e\w+\x2f[^\x2e\x2f]{70}/i"; metadata:service http; classtype:attempted-user; sid:35542; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"<script>"; content:"[|22|scr|22|,|22|ipt|22|]|3B|"; distance:0; content:"[|22|j|22|,|22 22|,|22|a|22|,|22|v|22|,|22|a|22|]|3B|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:35845; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit browser version detection attempt"; flow:to_client,established; file_data; content:"inne"; content:"rHTML"; within:15; distance:3; content:"if|28|"; within:20; content:"MSIE"; within:10; content:"[0-7]|5C|.|5C|d+"; within:15; fast_pattern; content:"navigator"; within:30; content:"userAgent"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-recon; sid:36071; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Scanbox exploit kit exfiltration attempt"; flow:to_server,established; content:"/new/newscan/i/?10"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:36201; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit relay traffic detected"; flow:to_server,established; content:"DNT|3A| 1"; fast_pattern:only; http_header; content:"Content-Type|3A| application/json|3B| charset=utf-8"; http_header; content:"Content-Length|3A| 1"; http_header; content:"|7B 22|"; depth:2; http_client_body; pcre:"/^\x7b\x22[a-f0-9]{4}\x22\x3a\x22([a-f0-9]{32}|false)\x22,/smiP"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:36315; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit browser detection attempt"; flow:to_client,established; file_data; content:"navigator.maxTouchPoints&&!document.all"; fast_pattern:only; content:"Trident"; content:"window.navigator.vendor"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-recon; sid:36286; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<p style=|22| width|3A|8px|3B| text-overflow|3A| clip|3B| height|3A|19px|3B 22|>"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:36281; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit relay traffic detected"; flow:to_server,established; content:"access.log HTTP/1.1|0D 0A|Range: bytes="; fast_pattern:only; content:!"User-Agent:"; http_header; pcre:"/^\/[a-z0-9]+\/access\.log$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:36332; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"if|28|this "; content:"return -1|3B|"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36457; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit gate detected"; flow:to_client,established; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; fast_pattern:only; content:"/Trident/"; content:"{return 0}else{return true}"; within:150; metadata:service http; reference:url,malware-traffic-analysis.net/2015/09/11/index.html; classtype:attempted-user; sid:36492; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown exploit kit landing page detected"; flow:to_client,established; file_data; content:"<object classid"; content:"&#"; within:30; pcre:"/<object classid\s*=\s*[\x22\x27][^\x22\x27]{43}/i"; metadata:service http; reference:url,malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html; classtype:attempted-user; sid:36523; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; flow:to_client, established; file_data; content:"return"; content:"join"; within:8; content:"MSIE |28 5C|d+|5C|.|5C|d+|29 3B|"; distance:0; content:"navigator["; within:60; content:!"]"; within:10; metadata:service http; classtype:attempted-user; sid:36535; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hunter exploit kit landing page detected"; flow:to_client,established; file_data; content:"eval|28|O1O|28|OlI|28|_1OO|29 29 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2015/08/cve-2014-2419-internet-explorer-and.html; classtype:attempted-user; sid:36543; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt"; flow:to_server,established; content:"viewtopic.php?t="; http_uri; content:"&f="; within:13; http_uri; pcre:"/\/viewtopic\x2Ephp\x3Ft\x3D[^\x26]{2,7}\x26f\x3D[a-z0-9_\x2d\x2e]{12}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36637; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit index uri request attempt"; flow:to_server,established; content:"index.php?PHPSESSID="; fast_pattern:only; http_uri; content:"&action="; http_uri; pcre:"/\x2findex\x2ephp\x3fPHPSESSID\x3d[^\x26]{2,5}\x26action\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36636; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit search uri request attempt"; flow:to_server,established; content:"/search.php?keyword"; fast_pattern:only; http_uri; content:"&fid0="; http_uri; pcre:"/\x2fsearch\x2ephp\x3fkeywords?\x3d[^\x26]{2,7}\x26fid0\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36635; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|ferrodo|27|"; content:"substr"; within:100; content:"|27|ge|27|"; within:200; content:"|27|tE|27|"; within:200; content:"|27|le|27|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36788; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|plumbum|27|"; content:"substr"; within:100; content:"|27|doReMi|27|"; within:250; content:"substr"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36785; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit browser version detection attempt"; flow:to_client,established; content:"|27|rHTML|27|]"; fast_pattern:only; content:"if((|2F|(MSIE"; content:"[0-7]"; within:10; content:"navigator.userAgent"; within:50; content:".slice"; within:40; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-recon; sid:36802; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|sub|27|"; content:"|27|pro|27|"; within:50; content:"+ (|27|yo|27|)"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36801; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT GongDa landing page detected"; flow:to_client,established; file_data; content:"0xffffffff"; fast_pattern:only; content:"charCodeAt"; nocase; content:"length"; within:20; nocase; content:"fromCharCode"; within:200; nocase; content:"delta"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36798; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|22|g|22|"; content:"|22|ua|22|"; within:50; content:"|22|ge|22|"; within:50; content:"|22|j|22|"; within:50; content:"|22|av|22|"; within:100; content:"|22|a|22|"; within:100; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:36797; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|red|27|"; content:"substr"; within:100; content:"|27|c|27|"; within:150; content:"|27|um|27|"; within:50; content:"|22|char|22|"; within:150; content:"|27|ferrodo|27|"; within:150; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36796; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|mCh|27|"; content:"|27|fr|27|"; within:100; content:"|22|ev|22|"; within:200; content:"|27|fillip|27|"; within:150; content:"substr"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36790; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"|27|do|27|+|27|c|27|+|27|um|27|+|27|ent|27|"; fast_pattern:only; content:"|22|char|22|"; content:"ner"; within:200; content:"HT"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36808; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Known exploit kit obfuscation routine detected"; flow:to_client,established; content:"vbscript>"; content:"=Split("; within:40; content:"UBound("; within:40; content:"+Chrw(eval("; within:40; content:"End Function"; within:40; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-6332; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:36824; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"["; content:".substr ("; within:25; content:"].appendChild ("; within:60; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36899; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DoloMalo exploit kit packer detected"; flow:to_server,established; content:"?getsrc=ok&ref="; fast_pattern:only; http_uri; content:"&url="; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:37016; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<input>"; content:"</input>"; content:"<nobr>"; fast_pattern:only; content:"</nobr>"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:37014; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<span style=|27| width|3A|"; content:"px"; within:3; distance:1; content:"|3B| height|3A|"; content:"px|3B 27 20 20|id=|27|"; within:11; distance:1; content:"|27 20 20 20|class=|27|text|27|"; distance:0; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:37207; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page detected"; flow:to_client,established; file_data; content:"String.fromCharCode(parseInt(("; fast_pattern:only; content:"var"; content:"|22 22|"; within:2; distance:9; metadata:service http; classtype:attempted-user; sid:37355; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DarkLeech iframe injection tool detected"; flow:to_client,established; file_data; content:"<style>."; nocase; content:" { position|3A| absolute|3B| top|3A| -"; within:50; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:37361; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit iframe injection attempt"; flow:to_client,established; file_data; content:"document.write"; content:"<iframe"; within:10; content:"16.html|22|"; within:70; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com; classtype:attempted-user; sid:37529; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt"; flow:to_server,established; content:".php?c_id="; http_uri; content:"&n_id"; within:5; distance:2; http_uri; content:"&token="; within:10; distance:2; http_uri; pcre:"/\x2ephp\x3fc_id\x3d\d{2}\x26n_id\x3d\d{2,4}\x26token\x3d[a-zA-Z0-9]{32}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com; classtype:attempted-user; sid:37528; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear landing page detected"; flow:to_client,established; file_data; content:"yId|22|"; content:"|22|inner|22|"; within:100; content:"|22|TML|22|"; within:200; content:"|22|substr|22|"; within:100; content:"|22|index|22|"; within:100; content:"+|22|f|22|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37551; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear landing page detected"; flow:to_client,established; file_data; content:"|22|I from the grandmother left, and left my grandfather.|22|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37550; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Malicious iFrame injection outbound URI request attempt"; flow:to_server,established; content:"/?id="; http_uri; content:"&keyword="; within:9; distance:7; http_uri; pcre:"/\x2f\x3fid=[0-9]{7}\x26keyword=[a-f0-9]+\x26[\w_]+\x3d/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37549; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Malicious iFrame redirection injection attempt"; flow:to_client,established; file_data; content:"|22 5D 5D 2E|join|28 5C 22 5C 22 29 3B 22 29 29 3B 2F 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:37548; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit view uri request attempt"; flow:to_server,established; content:"view.php?t="; http_uri; content:"&f="; within:13; http_uri; pcre:"/\/view\x2Ephp\x3Ft\x3D[^\x26]{2,7}\x26f\x3D[a-z0-9_\x2d\x2e]{12}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37873; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewthread uri request attempt"; flow:to_server,established; content:"/viewthread.php?f="; fast_pattern:only; http_uri; content:"&sid="; http_uri; pcre:"/\x2fviewthread\x2ephp\x3ff\x3d[^\x26]{2,7}\x26sid\x3D[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37872; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit index uri request attempt"; flow:to_server,established; content:"/index.php?PHPSESSID="; fast_pattern:only; http_uri; content:"&mod="; http_uri; pcre:"/\x2findex\x2ephp\x3fPHPSESSID\x3d[^\x26]{2,5}\x26mod\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37871; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewthread uri request attempt"; flow:to_server,established; content:"/viewthread.php?thread_id="; fast_pattern:only; http_uri; content:"&tid="; http_uri; pcre:"/\x2fviewthread\x2ephp\x3fthread_id\x3d[^\x26]{2,7}\x26tid\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit view uri request attempt"; flow:to_server,established; content:"/view.php?id="; fast_pattern:only; http_uri; content:"&course="; http_uri; pcre:"/\x2fview\x2ephp\x3fid?\x3d[^\x26]{2,7}\x26course\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37957; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong da exploit kit landing page"; flow:to_client,established; file_data; content:"/index.aspx?id="; fast_pattern:only; content:"expires=|22| +"; nocase; content:"toGMTString()"; within:50; nocase; content:"escape(document.referrer)"; within:500; nocase; content:"/sa.htm?id="; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:37919; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit Internet Explorer exploit attempt"; flow:to_client,established; content:"|3C|html|3E 0D 0A 3C|body|3E 0D 0A 3C|div|20|id|3D 22|"; content:"|22 3E|"; within:10; pcre:"/^([0-9]{2,3}\x2A[0-9]{2,3}\x2A){5}/R"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:37918; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit search uri request attempt"; flow:to_server,established; content:"/search.php?keyword="; http_uri; content:"&type="; within:12; distance:2; http_uri; pcre:"/\x2fsearch\x2ephp\x3fkeyword\x3d[^\x26]{2,7}\x26type\x3d([a-z]{1,5}[0-9]{1,5}|[0-9]{1,5}[a-z]{1,5})/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38121; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit gate redirector"; flow:to_client,established; file_data; content:"charCodeAt"; nocase; content:"unescape"; within:200; nocase; content:"%256"; within:100; content:"|27|charCodeAt|27|"; within:300; nocase; content:"String"; within:100; nocase; content:"eval"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38133; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit view uri request attempt"; flow:to_server,established; content:"view.php?forum_id="; fast_pattern:only; http_uri; content:"&id="; http_uri; pcre:"/\x2fview\x2Ephp\x3Fforum_id\x3D[^\x26]{2,7}\x26id\x3D[a-z0-9]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38163; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewthread uri request attempt"; flow:to_server,established; content:"viewthread.php?thad_id="; fast_pattern:only; http_uri; content:"&tid="; http_uri; pcre:"/\x2fviewthread\x2Ephp\x3Fthad_id\x3D[^\x26]{2,7}\x26tid\x3D[a-z0-9]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38162; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit index uri request attempt"; flow:to_server,established; content:"/index.php?search="; http_uri; content:"&mod="; fast_pattern:only; http_uri; pcre:"/\x2findex\x2ephp\x3fsearch\x3d[^\x26]{2,5}\x26mod\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38161; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit gate detected"; flow:to_client,established; file_data; content:"position|3A|absolute|3B|left|3A|-1753px|3B|top|3A|0px|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38160; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Known malicious redirection attempt"; flow:to_server,established; content:"&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.malwarebytes.org/malvertising-2/2016/03/large-angler-malvertising-campaign-hits-top-publishers/; classtype:attempted-user; sid:38254; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection attempt"; flow:to_client,established; file_data; content:"opacity|3A|0|3B|filter|3A|alpha(opacity=0)|3B|"; fast_pattern:only; content:"-moz-opacity|3A|0|3B 22|>"; content:"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:trojan-activity; sid:38275; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit news uri structure"; flow:to_server,established; content:"/news/"; fast_pattern; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; pcre:"/^\/news\/([0-9]+\/){3}[0-9]{5,10}(\.html)?$/U"; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:38439; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit questions uri request attempt"; flow:to_server,established; content:"/questions/"; fast_pattern:only; http_uri; pcre:"/^\/questions\/[0-9]+\/([a-zA-Z]+-){3,6}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38438; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound uri structure"; flow:to_server,established; content:"/music/song/"; depth:12; http_uri; content:"_"; http_uri; pcre:"/^\x2fmusic\x2fsong\x2f[0-9]+_[a-zA-Z]{5,20}(\x2easpx)?$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38437; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"autotest= |22|retina|22|"; fast_pattern; content:"id = |22|e8a-48-"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38524; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"id = |22|PLgxk1z"; fast_pattern; content:"fontbackold=|22|red|22|"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38523; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; file_data; content:"=|22|120|22| autotest= |22|retina|22| id = |22|"; fast_pattern:only; pcre:"/=\x22120\x22\x20autotest=\x20\x22retina\x22\x20id\x20=\x20\x22[a-zA-z0-9]{3}-[a-zA-z0-9]{2,3}-[a-zA-z0-9]{5,20}\x22/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38522; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit redirect page detected"; flow:to_client,established; file_data; content:"</q>"; content:"</small>"; content:"</big>"; content:"</hl>"; content:"</em>"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38521; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; content:"<meta name=|22|keywords|22| content=|22|HTML, CSS, XML, XHTML, JavaScript|22|>"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:38556; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; file_data; content:"|2F|*By creating and uploading Web pages to the Internet*|2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38555; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; content:"|29 3B|eval|28|eval|28 27|"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:38553; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; file_data; content:"function|28 29 7B|var "; content:"=|22|"; within:20; distance:8; pcre:"/function.*?\x3D\x22[a-f0-9]{200}/smi"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:38552; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt"; flow:to_client,established; content:"Content-Type|3A| application/octet-stream"; http_header; file_data; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; depth:47; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintel.com/2016/04/nuclear-exposed.html; classtype:trojan-activity; sid:38593; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt"; flow:to_server,established; content:"/test.x.test"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintel.com/2016/04/nuclear-exposed.html; classtype:trojan-activity; sid:38592; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT vbscript downloading executable attempt"; flow:to_client,established; file_data; content:"createObject"; content:"Microsoft.XMLHTTP"; within:200; content:"Get.SaveToFile"; fast_pattern; content:".exe"; within:150; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38589; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"|22|push|22|"; content:"String"; within:150; content:"|22|fromCharCode|22|"; within:100; content:"|2F 5C|s|7C 5C 2E 2F|g"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38582; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt"; flow:to_client,established; file_data; content:"<object"; content:"height="; distance:0; content:"id="; within:10; content:"width="; content:"codebase="; within:20; fast_pattern; content:"classid"; content:"movie"; distance:0; content:"value"; within:10; content:"allowScriptAccess"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38730; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler Exploit Kit email gate"; flow:to_server,established; content:"/order/order_details.html?"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38682; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Obfuscated exploit download attempt"; flow:to_client,established; file_data; content:"56,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:38876; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt"; flow:to_client,established; file_data; content:"<object"; content:"height="; distance:0; content:"codebase"; within:20; fast_pattern; content:"id="; distance:0; content:"width="; within:20; content:"classid"; content:"movie"; distance:0; content:"value"; within:10; content:"always"; distance:0; content:"allowScriptAccess"; within:25; metadata:policy max-detect-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/05/25/index.html; classtype:trojan-activity; sid:39081; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Obfuscated exploit download attempt"; flow:to_client,established; file_data; content:"87,115,99,114,105,112,116,37,50,69,83,104,101,108,108"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:39130; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear gate redirect attempt"; flow:to_client,established; content:"Cache-Control|3A| no-store, no-cache, must-revalidate"; fast_pattern:only; http_header; file_data; content:"top.location.replace"; content:"top.location.href"; within:50; pcre:"/top\x2elocation\x2ereplace\s*\x28\s*(?<var>\w+)\s*\x29.*?top.location.href\s*\x3d\s*(?P=var)/s"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:39129; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear landing page detected"; flow:to_client,established; file_data; content:"yesterday weve been pushing the car"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:39128; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt"; flow:to_server,established; file_data; content:"FWS"; depth:3; content:"|00 18 01 00 44 11 19 00 00 00 41 13 00|"; content:!"|5A 0A|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:39241; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|00 18 01 00 44 11 19 00 00 00 41 13 00|"; content:!"|5A 0A|"; within:200; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:39240; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt"; flow:to_client,established; file_data; content:"<span"; depth:70; content:"style|3D 22|display|3A|none|22|"; within:200; isdataat:1000,relative; content:!"</span>"; within:1000; content:"</span>"; distance:0; content:"<script>"; within:10; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:39677; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror exploit kit landing page detected"; flow:to_client,established; file_data; content:"<meta"; nocase; content:"http-equiv=|22|X-UA-Compatible|22|"; within:35; nocase; content:"content="; within:15; nocase; content:"EmulateIE"; within:20; fast_pattern; nocase; content:"<script"; nocase; content:"VBScript"; within:20; nocase; metadata:policy max-detect-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/06/15/index.html; classtype:attempted-user; sid:39754; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt"; flow:to_client,established; file_data; content:"<object"; content:"codebase="; distance:0; content:"height="; within:200; content:"width="; within:150; content:"id="; within:25; content:"movie"; within:100; content:"value"; within:40; content:"<embed"; content:"allowScriptAccess"; within:50; fast_pattern; content:"sameDomain"; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39802; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit kit embedded iframe redirection attempt"; flow:to_client,established; file_data; content:"iframe"; fast_pattern; content:"style"; within:150; content:"position"; within:15; content:"absolute"; within:15; content:"width"; content:"height"; pcre:"/position\x3aabsolute\x3b\s*((top|left)\x3a-\d{4}px\x3b){1,2}\s*(width|height)\x3a\d{3}px\x3b\s*(height|width)\x3a\d{3}px\x3b/"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:40034; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt"; flow:to_server,established; content:"/geoip.php?bdr="; fast_pattern:only; http_uri; metadata:policy security-ips drop, ruleset community, service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phoenix_exec.rb; classtype:web-application-activity; sid:40184; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown exploit kit landing page detected"; flow:to_client,established; content:"X-Powered-By|3A 20|Yugoslavian Business Network"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/06/15/index.html; classtype:attempted-user; sid:40233; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>150,norm; content:"/?"; depth:2; http_uri; content:"es_sm="; fast_pattern:only; content:"&sourceid="; http_uri; content:"aqs="; http_uri; flowbits:set,file.exploit_kit.flash; content:"&ie="; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40753; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sundown Exploit Kit redirection attempt"; flow:established,to_server; content:"/noone.php"; depth:10; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41035; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"<script "; nocase; content:"VBScript"; within:50; fast_pattern; nocase; content:"Execute"; within:200; nocase; content:"chr"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:41092; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"|22|script|22|"; nocase; content:"|22|createE|22|"; within:50; nocase; content:"|22|lement|22|"; within:20; nocase; content:"|22|type|22|"; within:50; nocase; content:"|22|text/j|22|"; within:50; nocase; content:"|22|avascript|22|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:41084; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig exploit kit landing page detected"; flow:established,to_client; file_data; content:"<iframe"; nocase; content:"onload"; within:20; nocase; content:"window.setTimeout"; within:100; nocase; content:"style"; within:100; nocase; content:"visibility:hidden"; within:30; nocase; content:"<script"; nocase; content:"http://"; within:30; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:41314; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit URL outbound communication"; flow:established,to_server; urilen:>140,norm; content:"/?"; depth:2; http_uri; content:"qtuif="; fast_pattern:only; content:"oq="; nocase; content:"q="; nocase; content:"ct="; nocase; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41783; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit kit Pseudo-Darkleech Gate redirection attempt"; flow:to_client,established; file_data; content:"<span"; fast_pattern; content:"style"; within:150; content:"position"; within:15; content:"absolute"; within:15; content:"width"; content:"height"; pcre:"/position\x3aabsolute\x3b\s*((top|left)\x3a-\d{4}px\x3b){1,2}\s*(width|height)\x3a\d{3}px\x3b\s*(height|width)\x3a\d{3}px\x3b/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:41908; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit Kit EITest Gate redirection attempt detected"; flow:established,to_client; file_data; content:"<script"; nocase; content:"type"; within:20; nocase; content:"text/javascript"; within:35; nocase; content:"iframe"; within:50; nocase; content:"|22|0px"; within:200; nocase; content:"setAttribute"; nocase; content:"frameborder"; within:30; nocase; content:"|22|0"; within:10; nocase; content:"http://"; within:200; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:42018; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blacole inbound malformed pdf download attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%%EOF"; isdataat:500,relative; content:"iframe"; within:1000; nocase; content:"1px"; within:200; nocase; content:"getElementbyId"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/602F2B47BF63A0776673378FE95B9C025C93A3959C503D0DB3D7B82E7B7C5823/analysis/; reference:url,virustotal.com/en/file/C22015F1132AC29EDAC89D219988595257E5F92EB4C34A2284D499154176224F/analysis/; classtype:trojan-activity; sid:42397; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blacole inbound malformed pdf download attempt"; flow:to_client; flowbits:isset,file.pdf; file_data; content:"%%EOF"; isdataat:500,relative; content:"iframe"; within:1000; nocase; content:"1px"; within:200; nocase; content:"getElementbyId"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/602F2B47BF63A0776673378FE95B9C025C93A3959C503D0DB3D7B82E7B7C5823/analysis/; reference:url,virustotal.com/en/file/C22015F1132AC29EDAC89D219988595257E5F92EB4C34A2284D499154176224F/analysis/; classtype:trojan-activity; sid:42396; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit URL outbound communication"; flow:to_server,established; urilen:140<>250,norm; content:"/?"; depth:2; http_uri; content:"ct="; http_uri; content:"oq="; fast_pattern:only; http_uri; content:"q="; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:42806; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig/Grandsoft Exploit Kit IE exploit attempt"; flow:to_client,established; file_data; content:"<meta"; content:"http-equiv"; within:15; content:"X-UA-Compatible"; within:30; content:"IE=10"; within:40; content:"<meta"; within:20; content:"charset"; within:20; content:"UTF-8"; within:20; content:"<script"; within:50; metadata:policy max-detect-ips drop, service http; classtype:attempted-admin; sid:43729; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Landing Page Request Attempt"; flow:to_server,established; urilen:>180; content:"/?"; depth:2; http_uri; content:"&"; within:5; distance:3; http_uri; content:"x"; distance:0; http_uri; content:"Q"; distance:0; http_uri; content:"R"; within:1; distance:5; http_uri; pcre:"/\/\?[A-Za-z]{3,7}&.*x[HX3].+Q[cdM].{3}[ab]R/U"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:43332; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit redirection attempt"; flow:to_client,established; file_data; content:"<html"; depth:5; content:"<meta"; within:50; content:"http-equiv"; within:20; content:"REFRESH"; within:20; content:"URL="; within:50; content:"http://"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:43217; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit URL outbound communication"; flow:to_server,established; urilen:>140,norm; content:"/tr?"; depth:4; http_uri; content:"id="; http_uri; content:"confirm="; http_uri; content:"size="; http_uri; content:"noframe="; http_uri; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:43187; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT RIG exploit kit Adobe Flash exploit download"; flow:to_client,established; file_data; content:"|16|FilePrivateNS:mersedes"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:43835; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit Kit malicious redirection attempt"; flow:to_client,established; file_data; content:"<script"; content:"type"; within:20; content:"javascript"; within:30; content:"ActiveXObject"; within:100; content:"Shockwave"; within:200; content:"Flash"; within:30; content:"document.write"; within:200; content:"<iframe"; within:30; content:"src='http"; within:50; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:43885; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT TERROR exploit kit FlashVars parameter shellcode"; flow:to_client,established; file_data; content:"FlashVars"; content:"8B5E04311EC10E0183EEFCE2F3"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43932; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT RIG exploit kit shellcode detected"; flow:to_client,established; file_data; content:"unescape|28|"; content:"498034088485C975F7FFE0E8"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43931; rev:1;)
# alert tcp $EXTERNAL_NET [$HTTP_PORTS,1986,38,6780,9812] -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected"; flow:to_client,established; file_data; content:"<meta"; nocase; content:"http-equiv="; within:20; content:"|22|X-UA-Compatible"; within:40; nocase; content:"content="; within:15; nocase; content:"IE="; within:20; nocase; content:"<script"; within:250; nocase; content:"VBScript"; within:30; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:44738; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror malicious flash file load attempt"; flow:to_client,established; file_data; content:"<div"; content:"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"; within:100; content:"allowscriptaccess"; within:40; content:"always"; within:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45080; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"dW5rbm93bg=="; content:"ZGVub21pbmF0aW9ucw=="; content:"bG9jYXRlZA=="; content:"Y2FwaXRhbA=="; content:"bWlzc2luZw=="; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45455; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"bWlzc2luZw=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45532; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"Y2FwaXRhbA=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45531; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"bG9jYXRlZA=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45530; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"ZGVub21pbmF0aW9ucw=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45529; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"dW5rbm93bg=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45528; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"YXR0YWNrcw=="; content:"bWlzc2luZw=="; content:"c3Rvcm1lZA=="; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45527; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Terror EK page access attempt"; flow:to_client,established; file_data; content:"XiaoBa"; content:"|E8 BD AF E4 BB B6 E4 B8 8B E8 BD BD E7 AB 99|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45925; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Terror EK dll download attempt"; flow:to_client,established; file_data; content:"Server"; nocase; content:"HFS 2"; within:20; fast_pattern; nocase; content:"HFS_SID_"; content:"filename"; content:".dll"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:45923; rev:1;)
alert tcp $EXTERNAL_NET [$HTTP_PORTS,384] -> $HOME_NET any (msg:"EXPLOIT-KIT Terror EK exe download attempt"; flow:to_client,established; file_data; content:"Server"; nocase; content:"HFS 2"; within:20; fast_pattern; nocase; content:"HFS_SID_"; content:"filename"; content:".exe"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:45922; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Terror EK resource access attempt"; flow:to_server,established; file_data; content:"GET "; nocase; content:"/"; within:1; content:"/"; within:1; distance:2; content:"/"; within:1; distance:2; content:".css"; within:4; distance:36; nocase; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45921; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror EK landing page attempt"; flow:to_client,established; file_data; content:"Set-Cookie"; content:"streams"; within:50; content:"campaigns"; within:50; content:"time"; within:50; content:"30"; within:2; http_stat_code; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45919; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT FakeFlash update attempt"; flow:to_server,established; content:"Referer: http://ssiapawz.com/watch?"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:46662; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected"; flow:to_client,established; file_data; content:"X-UA-Compatible"; nocase; content:"EmulateIE8"; fast_pattern:only; content:"VBScript"; nocase; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:47034; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Qadars exploit kit attempt"; flow:to_server,established; content:".php"; http_uri; content:"=die(md5(Ch3ck1ng))"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:48440; rev:1;)

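--- /dev/null
+++ b/docker/etc/rules/exploit.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#---------------
+# EXPLOIT RULES
+#---------------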
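Review bot: The ruleset snapshot is committed without any record of its origin or version, while its own header states that the VRT Certified Rules are proprietary and distributed under the VRT Certified Rules License Agreement, so the commit should document where these files were obtained, which ruleset release they correspond to, and that redistributing them in this repository is permitted — or fetch them at build time from the licensed source instead of vendoring them. The same point applies to the other rules files in this commit (the exploit-kit and file-executable sections around this one). This particular file carries only the license banner and no rule lines; a one-line comment at the end such as `# No rules in this category for this snapshot; file kept so that an include of it still resolves` would make clear the empty file is intentional (whether a config includes it cannot be seen from here).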


@@ -0,0 +1,383 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# FILE-EXECUTABLE RULES
#-----------------------
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|E0 00 22 01 0B 01 0A 00 00 64 00 00 00 2E 00 00|"; fast_pattern; content:"|00 B0 00 00 50 0E 00 00 30 15 00 00 1C 00 00 00|"; within:16; distance:112; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-024; classtype:attempted-user; sid:26601; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|E0 00 22 01 0B 01 0A 00 00 64 00 00 00 2E 00 00|"; fast_pattern; content:"|00 B0 00 00 50 0E 00 00 30 15 00 00 1C 00 00 00|"; within:16; distance:112; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-024; classtype:attempted-user; sid:26590; rev:5;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-EXECUTABLE Microsoft Windows executable file save onto SMB share attempt"; flow:to_server,established; content:"SMB"; depth:3; offset:5; content:"MZ"; within:150; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; fast_pattern; metadata:service netbios-ssn; classtype:policy-violation; sid:26385; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|83 EC 40 C7 04 24 54 4D 45 4D C7 44 24 04 4F 2E 4A 54 C7 44 24 08 44 00 00 00 8B C4 50 BB E8 C5 3F 21 FF 13 83 C4 40 E9 B2 BF FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0707; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:26071; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|83 EC 40 C7 04 24 54 4D 45 4D C7 44 24 04 4F 2E 4A 54 C7 44 24 08 44 00 00 00 8B C4 50 BB E8 C5 3F 21 FF 13 83 C4 40 E9 B2 BF FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0707; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:26070; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|D8 7B 7B 6F 6E B9 9B 95 BB 99 81 A8 E0 AF 32 23 75 57 DB AC 5C BD 34 A4 94 A6 E3 4A DC EF EB F5|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0151; classtype:attempted-user; sid:25779; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft .NET blacklisted method reflection sandbox bypass attempt"; flow:to_client,established; file_data; content:"_FieldInfo"; fast_pattern:only; content:"Main|00|mscoree.dll"; content:"EndInvoke"; content:"BeginInvoke"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-074; classtype:misc-activity; sid:24665; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft .NET blacklisted method reflection sandbox bypass attempt"; flow:to_server,established; file_data; content:"_FieldInfo"; fast_pattern:only; content:"Main|00|mscoree.dll"; content:"EndInvoke"; content:"BeginInvoke"; metadata:policy security-ips drop, service smtp; reference:cve,2012-1895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-074; classtype:misc-activity; sid:24664; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE ClamAV UPX File Handling Heap overflow attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|33 32 B2 FD FF 25 1C C1 40 00 05 18 14 10 7F FB|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19381; reference:cve,2006-4018; classtype:attempted-user; sid:24238; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE ClamAV UPX File Handling Heap overflow attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|33 32 B2 FD FF 25 1C C1 40 00 05 18 14 10 7F FB|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,19381; reference:cve,2006-4018; classtype:attempted-user; sid:24237; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|57 69 6E 5A 69 70|"; depth:6; offset:29; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1432; classtype:attempted-user; sid:23313; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MZ"; depth:2; content:"JFIF"; depth:4; offset:6; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1433; classtype:attempted-user; sid:23312; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|19 04 00 10|"; depth:4; offset:8; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1434; classtype:attempted-user; sid:23311; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"PKLITE"; depth:6; offset:30; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1435; classtype:attempted-user; sid:23310; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MZ|2D 6C 68|"; depth:5; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1436; classtype:attempted-user; sid:23309; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET Framework xbap DataObject object pointer attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"GetFormats"; content:"System.Runtime.InteropServices.ComTypes.IDataObject.GetDataHere.GetDataHere.sender.e.connectionId"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1855; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-038; classtype:attempted-user; sid:23181; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET xbap STGMEDIUM.unionmember arbitrary number overwrite attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|0E 43 6C 69 63 6B 20 74 6F 20 72 65 70 72 6F 99 FD 24 0A D0 FF 04 4C 65 66 74 3D FF 24 09 C8 FF|"; fast_pattern:only; content:"System.Runtime.InteropServices.ComTypes.IDataObject.GetDataHere"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1855; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-038; classtype:attempted-user; sid:23127; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE APP-CONTROL Thunder p2p application download detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"C|00|o|00|m|00|p|00|a|00|n|00|y|00|N|00|a|00|m|00|e"; nocase; content:"|F1 6D 33 57 02 5E C5 8F F7 96 51 7F DC 7E 80 62 2F 67 09 67 50 96 6C 51 F8 53|"; distance:0; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; distance:0; content:"|C5 8F F7 96|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Xunlei; classtype:policy-violation; sid:21173; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows afd.sys kernel-mode memory corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|8B 45 FC 50 6A|"; byte_test:1,>,24,0,relative; content:"|8D 8D A0 FD FF FF 51 68 BB 20 01 00 8B 55 F8 52 FF 15 18|"; content:"|40 00|"; within:2; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-080; classtype:attempted-admin; sid:20270; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows CSRSS SrvDeviceEvent exploit attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|06 7C BD EB 05 BA CC CC CC CC 8B 75 08 33 FF 8B C6 85 F6 74 56 8B 40 04 47 85 C0 75 F8 85 F6 74 4A 39 16 75 0F 39 56 14 75 0A 39 56 18 75 05 39|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1967; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-063; classtype:attempted-user; sid:19680; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows NDISTAPI Driver code execution attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 25 A8 81 41 00 FF 25 C4 82 41 00 CC CC CC CC 75 01 C3 55 8B EC 83 EC 00 50 52 53 56 57 8B 45 04 6A 00 50 E8 D0 FC FF FF 83 C4 08 5F 5E 5B 5A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1974; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-062; classtype:attempted-admin; sid:19679; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FILE-EXECUTABLE potentially executable file upload via FTP"; flow:established,to_server; content:"STOR"; depth:4; nocase; pcre:"/^STOR[^\r\n]+?\.(com|dll|exe|js|vbs)\s+/smi"; metadata:service ftp; reference:url,tools.ietf.org/html/rfc959; classtype:policy-violation; sid:16363; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE download of executable content"; flow:to_client,established; content:"application/x-msdos-program"; fast_pattern; nocase; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/smiH"; file_data; content:"MZ"; within:2; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx; classtype:policy-violation; sid:16313; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET MSIL CombineImpl suspicious usage attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|CombineImpl|00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-061; classtype:attempted-user; sid:16183; rev:14;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Vista Windows mail file execution attempt"; flow:to_client,established; content:"href|3D|"; nocase; pcre:"/^[^\x22]*?\x22([a-z]\x3A[\x2F\x5C]|[\x2F\x5C]{2,4})/iR"; metadata:policy max-detect-ips drop; reference:cve,2007-1658; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:16023; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows NtUserMessageCall implementation exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; file_data; content:"schlamperei.x86.dll|00|_ReflectiveLoader"; fast_pattern:only; metadata:service smtp; reference:cve,2013-1300; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-053; classtype:attempted-user; sid:30940; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows NtUserMessageCall implementation exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; file_data; content:"schlamperei.x86.dll|00|_ReflectiveLoader"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1300; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-053; classtype:attempted-user; sid:30939; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows DosDevices mapping privilege escalation attempt"; flow:to_server,established; file_data; content:"|0F BE C9 88 5C 01 04 33 C0 40 8B 4D FC 5F 5E 33 CD 5B E8 EF 63 FF FF 8B E5 5D C3 80 39 30 75 05|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1644; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-user; sid:34081; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows DosDevices mapping privilege escalation attempt"; flow:to_server,established; file_data; content:"|E8 40 03 00 00 59 59 85 C0 0F 84 A3 00 00 00 FF 76 14 8B 45 08 FF 70 18 57 E8 C2 B4 FF FF 83 C4|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-1644; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-user; sid:34080; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows DosDevices mapping privilege escalation attempt"; flow:to_client,established; file_data; content:"|0F BE C9 88 5C 01 04 33 C0 40 8B 4D FC 5F 5E 33 CD 5B E8 EF 63 FF FF 8B E5 5D C3 80 39 30 75 05|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1644; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-user; sid:34079; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows DosDevices mapping privilege escalation attempt"; flow:to_client,established; file_data; content:"|E8 40 03 00 00 59 59 85 C0 0F 84 A3 00 00 00 FF 76 14 8B 45 08 FF 70 18 57 E8 C2 B4 FF FF 83 C4|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1644; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-038; classtype:attempted-user; sid:34078; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Adobe Flash Player Internet Explorer broker process directory traversal attempt"; flow:to_server,established; file_data; content:"|2F 00 63 00 61 00 6C 00 63 00 2E 00 62 00 61 00 74 00 00 00 46 61 69 6C 65 64 20 74 6F 20 63 72|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3085; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34480; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Adobe Flash Player Internet Explorer broker process directory traversal attempt"; flow:to_client,established; file_data; content:"|2F 00 63 00 61 00 6C 00 63 00 2E 00 62 00 61 00 74 00 00 00 46 61 69 6C 65 64 20 74 6F 20 63 72|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3085; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-09.html; classtype:attempted-user; sid:34479; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Adobe Reader AcroBroker registry value out of bounds attempt"; flow:to_server,established; file_data; content:"|6A 08 6A 41 8D 85 08 FF FF FF 50 E8 3D F9 FF FF 83 C4 0C 8D 85 08 FF FF FF 50 E8 00 FA FF FF 83|"; fast_pattern:only; content:"|89 85 FC FE FF FF B8 08 00 00 00 6B C0 00 8B 8D FC FE FF FF C7 44 01 10 07 00 00 00 8B F4 68 00 10 00 00 8B 85 FC FE FF FF|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb15-10.html; classtype:attempted-user; sid:34467; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Adobe Reader AcroBroker registry value out of bounds attempt"; flow:to_client,established; file_data; content:"|6A 08 6A 41 8D 85 08 FF FF FF 50 E8 3D F9 FF FF 83 C4 0C 8D 85 08 FF FF FF 50 E8 00 FA FF FF 83|"; fast_pattern:only; content:"|89 85 FC FE FF FF B8 08 00 00 00 6B C0 00 8B 8D FC FE FF FF C7 44 01 10 07 00 00 00 8B F4 68 00 10 00 00 8B 85 FC FE FF FF|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb15-10.html; classtype:attempted-user; sid:34466; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|D8 7B 7B 6F 6E B9 9B 95 BB 99 81 A8 E0 AF 32 23 75 57 DB AC 5C BD 34 A4 94 A6 E3 4A DC EF EB F5|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0151; classtype:attempted-user; sid:25357; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|12 00 32 06 7B 00 12 00 38 06 7B 00 12 00 67 06 5B 06 06 00 83 06 7B 00 06 00 91 06 7B 00 06 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-user; sid:25253; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt"; flow:to_client,established; file_data; content:"|12 00 32 06 7B 00 12 00 38 06 7B 00 12 00 67 06 5B 06 06 00 83 06 7B 00 06 00 91 06 7B 00 06 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-user; sid:25252; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Software Installer MSI binary file magic detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isset,file.ole; flowbits:isset,file.exe; file_data; content:"This program cannot be run in DOS"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:25061; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Armadillo v1.71 packer file magic detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; flowbits:isset,file.exe; file_data; isdataat:17; content:"|55 8B EC 6A FF 68|"; content:"|68|"; within:1; distance:4; content:"|64 A1|"; within:2; distance:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:23256; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"MZ"; depth:2; nocase; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; nocase; content:"|0B 02|"; within:2; distance:20; byte_test:4,<,0x3d,142,relative,little; byte_test:4,>,0x0,142,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0151; classtype:attempted-user; sid:22942; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET invalid parsing of graphics data attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"System|2E|Drawing|2E|Drawing2D|00|GraphicsPath"; fast_pattern:only; content:"W|00|p|00|f|00|B|00|r|00|o|00|w|00|s|00|e|00|r|00|A|00|p|00|p|00|l|00|i|00|c|00|a|00|t|00|i|00|o|00|n|00 2E 00|P|00|r|00|o|00|p|00|e|00|r|00|t|00|i|00|e|00|s|00 2E 00|R|00|e|00|s|00|o|00|u|00|r|00|c|00|e|00|s"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-025; classtype:attempted-user; sid:22042; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"MZ"; depth:2; nocase; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; nocase; content:"|0B 01|"; within:2; distance:20; byte_test:4,<,0x3d,126,relative,little; byte_test:4,>,0x0,126,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0151; classtype:attempted-user; sid:21795; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows .NET invalid parsing of graphics data attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"System|2E|Drawing|00|Bitmap|00|Graphics"; fast_pattern:only; content:"A|00|t|00|t|00|e|00|m|00|p|00|t|00|i|00|n|00|g|00 20 00|t|00|o|00 20 00|w|00|r|00|i|00|t|00|e|00 20 00|8|00 20 00|P|00|o|00|i|00|n|00|t|00|s|00 20 00|i|00|n|00|t|00|o"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-025; classtype:attempted-user; sid:21792; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|59 A3 0F 90 16 C4 78 40 A0 36 F0 3A 84 0E 02 97 00 08 B7 7A 5C 56 19 34 E0 89 05 00 01 01 1D 0E|"; fast_pattern:only; content:"get_PathAndQuery"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-user; sid:21305; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows win32k.sys kernel mode null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|68 A2 01 00 00 68 FF FF 00 00 FF 15 30|"; fast_pattern; content:"|41 00|"; within:2; distance:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-077; classtype:attempted-admin; sid:20261; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE ClamAV UPX File Handling Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 50 58 31 00 00 00 00 00 50 00 00 00 10 10 00 00 48 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 E0|"; content:"|D7 FE EF 14 02 2D 8B F8 8D 44 24 18 50 FF 74 04 10 03 7F 1D 2F FF 6F DF 8B D8 19 B5 2E 18 5F 5E 8B C3 5B C3 83 3D E8 A6 02 74 05 BE BD EB 76 16|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14866; reference:cve,2005-2920; classtype:attempted-user; sid:17358; rev:11;)
# alert tcp $HOME_NET [139,445] -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows executable file load from SMB share attempt"; flow:to_client,established; content:"SMB"; depth:3; offset:5; content:"MZ"; within:150; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; fast_pattern; metadata:policy max-detect-ips drop, service netbios-ssn; classtype:policy-violation; sid:17210; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Vista Windows mail file execution attempt"; flow:to_server,established; content:"href|3D|"; nocase; pcre:"/<a[^>]+href\s*=\s*(3D)?(\x22|\x27|)([a-z]\x3A[\x2F\x5C]|[\x2F\x5C]{2,4})/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-1658; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:16022; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:15306; rev:22;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE download of executable content"; flow:to_client,established; content:"application/octet-stream"; fast_pattern; nocase; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smiH"; file_data; content:"MZ"; within:2; metadata:policy max-detect-ips drop, service http; reference:url,www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx; classtype:policy-violation; sid:11192; rev:20;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft .NET CreateDelegate method arbitrary code execution attempt "; flow:to_client,established; content:"|06 00 8E 01 26 00|"; content:"|06 00 59 00 17 00|"; within:6; distance:80; content:"Delegate|00|CreateDelegate|00|"; distance:0; fast_pattern; metadata:service http; reference:cve,2010-1898; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-060; classtype:attempted-user; sid:17118; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft .NET MSIL stack corruption attempt "; flow:to_client,established; flowbits:isset,file.exe; content:"Func1|00|StackSmasher|00|argIterator"; metadata:service http; reference:cve,2009-0090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-061; classtype:attempted-user; sid:16182; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft .NET MSIL CLR interface multiple instantiation attempt "; flow:to_client,established; flowbits:isset,file.exe; content:"MyStructCaller|00|Program"; metadata:service http; reference:cve,2009-2497; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-061; classtype:attempted-user; sid:16179; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE GDI+ .NET image property parsing memory corruption "; flow:established,to_client; flowbits:isset,file.exe; file_data; content:"|00|<Module>|00|"; nocase; content:"System.Drawing.Imaging"; distance:0; nocase; content:"SetPropertyItem"; distance:0; nocase; metadata:service http; reference:cve,2009-2504; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16154; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-EXECUTABLE IIS ASP/ASP.NET potentially malicious file upload attempt "; flow:to_server,established; content:"DtcGetTransactionManagerEx|28|"; fast_pattern:only; metadata:service http; reference:cve,2008-1436; reference:cve,2009-0078; reference:cve,2009-0079; reference:cve,2009-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-012; classtype:attempted-user; sid:15470; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|64 A3 00 00 00 00 8B F1 89 75 EC C7 45 FC 00 00 00 00 C7 45 F0 00 00 00 00 68 2C 48 01 10 C7 06|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-4446; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35806; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|64 A3 00 00 00 00 8B F1 89 75 EC C7 45 FC 00 00 00 00 C7 45 F0 00 00 00 00 68 2C 48 01 10 C7 06|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-4446; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35805; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE NtGdiStretchBlt buffer overflow privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|68 CA 00 C0 00 68 B8 90 EB 46 6A 50 68 4E 8D 86 10 68 F2 C8 B5 9E|"; content:"|26 68 9A EB C8 FF 6A 29 6A 2E|"; within:10; distance:5; metadata:service smtp; reference:cve,2015-2512; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; classtype:attempted-admin; sid:35989; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE NtGdiStretchBlt buffer overflow privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|68 CA 00 C0 00 68 B8 90 EB 46 6A 50 68 4E 8D 86 10 68 F2 C8 B5 9E|"; content:"|26 68 9A EB C8 FF 6A 29 6A 2E|"; within:10; distance:5; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2512; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-097; classtype:attempted-admin; sid:35988; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt"; flow:to_server,established; file_data; content:"MZ"; depth:2; content:"PE|00 00 4C 01|"; within:6; distance:126; content:"|0B 01|"; within:2; distance:18; content:"."; within:400; distance:222; byte_test:4,>=,0x14000000,11,relative,little; metadata:service smtp; reference:cve,2016-4535; classtype:attempted-dos; sid:39464; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"PE|00 00 4C 01|"; within:6; distance:126; content:"|0B 01|"; within:2; distance:18; content:"."; within:400; distance:222; byte_test:4,>=,0x14000000,11,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4535; classtype:attempted-dos; sid:39463; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft CLFS.sys information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"AddLogContainer"; fast_pattern:only; content:"CreateLogMarshallingArea"; content:!"ReserveAndAppendLog"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7295; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-153; classtype:attempted-recon; sid:40937; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft CLFS.sys information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"AddLogContainer"; fast_pattern:only; content:"CreateLogMarshallingArea"; content:!"ReserveAndAppendLog"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7295; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-153; classtype:attempted-recon; sid:40936; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|C7|"; content:"|33 33 33 33 C7|"; within:5; distance:5; content:"|01 00 00 00 6A 00 6A FF 68 00 00 00 80 6A FF 68 00 00 00 80|"; within:20; distance:5; fast_pattern; content:"|FF|"; within:5; distance:1; metadata:service smtp; reference:cve,2013-1334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-046; classtype:attempted-dos; sid:41465; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|C7|"; content:"|33 33 33 33 C7|"; within:5; distance:5; content:"|01 00 00 00 6A 00 6A FF 68 00 00 00 80 6A FF 68 00 00 00 80|"; within:20; distance:5; fast_pattern; content:"|FF|"; within:5; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-046; classtype:attempted-dos; sid:41464; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|C7|"; content:"|33 33 33 33 C7|"; within:5; distance:5; content:"|01 00 00 00 6A 00 6A FF 68 00 00 00 80 6A FF 68 00 00 00 80|"; within:20; distance:5; fast_pattern; content:"|E8|"; within:1; distance:1; metadata:service smtp; reference:cve,2013-1334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-046; classtype:attempted-dos; sid:41463; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|C7|"; content:"|33 33 33 33 C7|"; within:5; distance:5; content:"|01 00 00 00 6A 00 6A FF 68 00 00 00 80 6A FF 68 00 00 00 80|"; within:20; distance:5; fast_pattern; content:"|E8|"; within:1; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-046; classtype:attempted-dos; sid:41462; rev:1;)
# alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt"; flow:to_server,established; file_data; content:"|CF FA ED FE|"; depth:4; fast_pattern; content:"|05 00 00 00|"; distance:0; byte_test:4,<,0xd,4,relative,little; byte_test:4,>,200,0,relative,little; metadata:service smtp; reference:cve,2017-5005; classtype:attempted-admin; sid:41641; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt"; flow:to_client,established; file_data; content:"|CF FA ED FE|"; depth:4; fast_pattern; content:"|05 00 00 00|"; distance:0; byte_test:4,<,0xd,4,relative,little; byte_test:4,>,200,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-5005; classtype:attempted-admin; sid:41640; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Com Session Moniker pivilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; content:"IHxHelpPaneServer"; fast_pattern:only; metadata:service smtp; reference:cve,2017-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41990; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Com Session Moniker pivilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"IHxHelpPaneServer"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-012; classtype:attempted-user; sid:41989; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Nvidia Windows kernel mode driver denial of service attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"D3DKMTEscape"; fast_pattern:only; content:"N|00|V|00|S|00|P|00|C|00|A|00|P|00|S|00 5C 00|a|00|a|00|1|00|8|00|e|00|b|00|c|00|4|00|-|00|0|00|1|00|9|00|d|00|-|00|4|00|e|00|c|00|0|00|-|00|b|00|f|00|1|00|d|00|-|00|d|00|6|00|3|00|0|00|0|00|2|00|1|00|8|00|b|00|f|00|5|00|2"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8823; reference:url,www.talosintelligence.com/reports/TALOS-2016-0217/; classtype:attempted-user; sid:40935; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Nvidia Windows kernel mode driver denial of service attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"D3DKMTEscape"; fast_pattern:only; content:"N|00|V|00|S|00|P|00|C|00|A|00|P|00|S|00 5C 00|a|00|a|00|1|00|8|00|e|00|b|00|c|00|4|00|-|00|0|00|1|00|9|00|d|00|-|00|4|00|e|00|c|00|0|00|-|00|b|00|f|00|1|00|d|00|-|00|d|00|6|00|3|00|0|00|0|00|2|00|1|00|8|00|b|00|f|00|5|00|2"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8823; reference:url,www.talosintelligence.com/reports/TALOS-2016-0217/; classtype:attempted-user; sid:40934; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Hopper Disassembler ELF section header memory corruption attempt"; flow:to_server,established; file_data; content:"|04 00 00 00 42 00 00 00 00 00 00 00 38 18 40 00 00 00 00 00 38 18 00 00 00 00 00 00 CE FA AD DE|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8390; reference:url,www.talosintelligence.com/reports/TALOS-2016-0222; classtype:attempted-user; sid:40489; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Hopper Disassembler ELF section header memory corruption attempt"; flow:to_client,established; file_data; content:"|04 00 00 00 42 00 00 00 00 00 00 00 38 18 40 00 00 00 00 00 38 18 00 00 00 00 00 00 CE FA AD DE|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8390; reference:url,www.talosintelligence.com/reports/TALOS-2016-0222; classtype:attempted-user; sid:40488; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Kaspersky Anti-Virus unhandled windows messages denial of service vulnerability attempt"; flow:to_server,established; file_data; content:"Kaspersky Anti-Virus"; fast_pattern:only; content:"win32api"; content:"RegisterWindowMessage"; within:100; content:"win32api"; content:"PostMessage"; within:50; content:"win32con"; within:50; content:"HWND_BROADCAST"; within:50; metadata:service smtp; reference:cve,2016-4329; reference:url,www.talosintelligence.com/reports/TALOS-2016-0175; classtype:attempted-dos; sid:39919; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Kaspersky Anti-Virus unhandled windows messages denial of service vulnerability attempt"; flow:to_client,established; file_data; content:"Kaspersky Anti-Virus"; fast_pattern:only; content:"win32api"; content:"RegisterWindowMessage"; within:100; content:"win32api"; content:"PostMessage"; within:50; content:"win32con"; within:50; content:"HWND_BROADCAST"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4329; reference:url,www.talosintelligence.com/reports/TALOS-2016-0175; classtype:attempted-dos; sid:39918; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt"; flow:to_server,established; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; byte_jump:2,16,relative,little,post_offset 2; byte_test:4,>,0x10000000,16,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5308; reference:url,www.talosintelligence.com/reports/TALOS-2016-0182; classtype:attempted-dos; sid:39467; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt"; flow:to_client,established; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; byte_jump:2,16,relative,little,post_offset 2; byte_test:4,>,0x10000000,16,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5308; reference:url,www.talosintelligence.com/reports/TALOS-2016-0182; classtype:attempted-dos; sid:39466; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Kaspersky Internet Security kl1.sys out of bounds read attempt"; flow:to_server,established; file_data; content:"|01 8B 85 F8 FA FF FF 50 68 70 20 22 00 8B 8D F4 FA FF FF 51 FF 15 08 20 41 00 89 85 EC FA FF FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-4307; reference:url,www.talosintelligence.com/reports/TALOS-2016-0169; classtype:attempted-user; sid:39048; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Kaspersky Internet Security kl1.sys out of bounds read attempt"; flow:to_client,established; file_data; content:"|01 8B 85 F8 FA FF FF 50 68 70 20 22 00 8B 8D F4 FA FF FF 51 FF 15 08 20 41 00 89 85 EC FA FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4307; reference:url,www.talosintelligence.com/reports/TALOS-2016-0169; classtype:attempted-user; sid:39047; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack"; flow:to_server,established; file_data; content:"|0F AE F0 31 C0 0F A2 0F 01 F9 49 89 D0 49 89 C1 0F AE F0 C6 07 5A 0F AE F0 0F 01 F9 48 89 C7 48 89 D6 31 C0 0F A2 0F AE F0 48 89 F0 49 C1 E0 20 48 C1 E0 20 4D 09 C8 48 09 F8 4C 29 C0|"; fast_pattern:only; content:"|48 3D E7 03 00 00 4C 8B|"; content:"|E8|"; within:1; distance:-13; content:"|4C 8B|"; within:2; distance:15; metadata:service smtp; reference:cve,2017-5925; reference:cve,2017-5926; reference:cve,2017-5927; reference:url,www.vusec.net/projects/anc/; classtype:attempted-recon; sid:42101; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack"; flow:to_client,established; file_data; content:"|0F AE F0 31 C0 0F A2 0F 01 F9 49 89 D0 49 89 C1 0F AE F0 C6 07 5A 0F AE F0 0F 01 F9 48 89 C7 48 89 D6 31 C0 0F A2 0F AE F0 48 89 F0 49 C1 E0 20 48 C1 E0 20 4D 09 C8 48 09 F8 4C 29 C0|"; fast_pattern:only; content:"|48 3D E7 03 00 00 4C 8B|"; content:"|E8|"; within:1; distance:-13; content:"|4C 8B|"; within:2; distance:15; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-5925; reference:cve,2017-5926; reference:cve,2017-5927; reference:url,www.vusec.net/projects/anc/; classtype:attempted-recon; sid:42100; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Win.Trojan.DoubleAgent download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"RegRenameKey"; fast_pattern:only; content:"V|00|e|00|r|00|i|00|f|00|i|00|e|00|r|00|D|00|l|00|l|00|s"; nocase; content:"G|00|l|00|o|00|b|00|a|00|l|00|F|00|l|00|a|00|g"; nocase; metadata:impact_flag red, service smtp; reference:url,virustotal.com/en/file/99b42acbafeaadc68af9b217e1b2620cef13a0d61d1bc600c13889cc0414e307/analysis/1493236455/; classtype:attempted-user; sid:42419; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Win.Trojan.DoubleAgent download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"RegRenameKey"; fast_pattern:only; content:"V|00|e|00|r|00|i|00|f|00|i|00|e|00|r|00|D|00|l|00|l|00|s"; nocase; content:"G|00|l|00|o|00|b|00|a|00|l|00|F|00|l|00|a|00|g"; nocase; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/99b42acbafeaadc68af9b217e1b2620cef13a0d61d1bc600c13889cc0414e307/analysis/1493236455/; classtype:attempted-user; sid:42418; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xff encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B2 A5|"; depth:2; content:"|AF BA FF FF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42748; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xfe encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B3 A4|"; depth:2; content:"|AE BB FE FE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42747; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xfd encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B0 A7|"; depth:2; content:"|AD B8 FD FD|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42746; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xfc encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B1 A6|"; depth:2; content:"|AC B9 FC FC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42745; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xfb encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B6 A1|"; depth:2; content:"|AB BE FB FB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42744; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xfa encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B7 A0|"; depth:2; content:"|AA BF FA FA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42743; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B4 A3|"; depth:2; content:"|A9 BC F9 F9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42742; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B5 A2|"; depth:2; content:"|A8 BD F8 F8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42741; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BA AD|"; depth:2; content:"|A7 B2 F7 F7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42740; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BB AC|"; depth:2; content:"|A6 B3 F6 F6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42739; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B8 AF|"; depth:2; content:"|A5 B0 F5 F5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42738; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|B9 AE|"; depth:2; content:"|A4 B1 F4 F4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42737; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BE A9|"; depth:2; content:"|A3 B6 F3 F3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42736; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BF A8|"; depth:2; content:"|A2 B7 F2 F2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42735; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BC AB|"; depth:2; content:"|A1 B4 F1 F1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42734; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xf0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|BD AA|"; depth:2; content:"|A0 B5 F0 F0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42733; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xef encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A2 B5|"; depth:2; content:"|BF AA EF EF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42732; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xee encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A3 B4|"; depth:2; content:"|BE AB EE EE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42731; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xed encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A0 B7|"; depth:2; content:"|BD A8 ED ED|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42730; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xec encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A1 B6|"; depth:2; content:"|BC A9 EC EC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42729; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xeb encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A6 B1|"; depth:2; content:"|BB AE EB EB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42728; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xea encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A7 B0|"; depth:2; content:"|BA AF EA EA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42727; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A4 B3|"; depth:2; content:"|B9 AC E9 E9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42726; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A5 B2|"; depth:2; content:"|B8 AD E8 E8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42725; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AA BD|"; depth:2; content:"|B7 A2 E7 E7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42724; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AB BC|"; depth:2; content:"|B6 A3 E6 E6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42723; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A8 BF|"; depth:2; content:"|B5 A0 E5 E5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42722; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|A9 BE|"; depth:2; content:"|B4 A1 E4 E4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42721; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AE B9|"; depth:2; content:"|B3 A6 E3 E3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42720; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AF B8|"; depth:2; content:"|B2 A7 E2 E2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42719; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AC BB|"; depth:2; content:"|B1 A4 E1 E1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42718; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xe0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|AD BA|"; depth:2; content:"|B0 A5 E0 E0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42717; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xdf encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|92 85|"; depth:2; content:"|8F 9A DF DF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42716; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xde encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|93 84|"; depth:2; content:"|8E 9B DE DE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42715; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xdd encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|90 87|"; depth:2; content:"|8D 98 DD DD|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42714; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xdc encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|91 86|"; depth:2; content:"|8C 99 DC DC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42713; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xdb encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|96 81|"; depth:2; content:"|8B 9E DB DB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42712; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xda encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|97 80|"; depth:2; content:"|8A 9F DA DA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42711; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|94 83|"; depth:2; content:"|89 9C D9 D9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42710; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|95 82|"; depth:2; content:"|88 9D D8 D8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42709; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9A 8D|"; depth:2; content:"|87 92 D7 D7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42708; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9B 8C|"; depth:2; content:"|86 93 D6 D6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42707; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|98 8F|"; depth:2; content:"|85 90 D5 D5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42706; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|99 8E|"; depth:2; content:"|84 91 D4 D4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42705; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9E 89|"; depth:2; content:"|83 96 D3 D3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42704; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9F 88|"; depth:2; content:"|82 97 D2 D2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42703; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9C 8B|"; depth:2; content:"|81 94 D1 D1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42702; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xd0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|9D 8A|"; depth:2; content:"|80 95 D0 D0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42701; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xcf encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|82 95|"; depth:2; content:"|9F 8A CF CF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42700; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xce encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|83 94|"; depth:2; content:"|9E 8B CE CE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42699; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xcd encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|80 97|"; depth:2; content:"|9D 88 CD CD|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42698; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xcc encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|81 96|"; depth:2; content:"|9C 89 CC CC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42697; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xcb encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|86 91|"; depth:2; content:"|9B 8E CB CB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42696; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xca encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|87 90|"; depth:2; content:"|9A 8F CA CA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42695; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|84 93|"; depth:2; content:"|99 8C C9 C9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42694; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|85 92|"; depth:2; content:"|98 8D C8 C8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42693; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8A 9D|"; depth:2; content:"|97 82 C7 C7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42692; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8B 9C|"; depth:2; content:"|96 83 C6 C6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42691; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|88 9F|"; depth:2; content:"|95 80 C5 C5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42690; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|89 9E|"; depth:2; content:"|94 81 C4 C4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42689; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8E 99|"; depth:2; content:"|93 86 C3 C3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42688; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8F 98|"; depth:2; content:"|92 87 C2 C2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42687; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8C 9B|"; depth:2; content:"|91 84 C1 C1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42686; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xc0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|8D 9A|"; depth:2; content:"|90 85 C0 C0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42685; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xbf encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F2 E5|"; depth:2; content:"|EF FA BF BF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42684; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xbe encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F3 E4|"; depth:2; content:"|EE FB BE BE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42683; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xbd encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F0 E7|"; depth:2; content:"|ED F8 BD BD|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42682; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xbc encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F1 E6|"; depth:2; content:"|EC F9 BC BC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42681; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xbb encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F6 E1|"; depth:2; content:"|EB FE BB BB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42680; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xba encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F7 E0|"; depth:2; content:"|EA FF BA BA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42679; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F4 E3|"; depth:2; content:"|E9 FC B9 B9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42678; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F5 E2|"; depth:2; content:"|E8 FD B8 B8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42677; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FA ED|"; depth:2; content:"|E7 F2 B7 B7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42676; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FB EC|"; depth:2; content:"|E6 F3 B6 B6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42675; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F8 EF|"; depth:2; content:"|E5 F0 B5 B5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42674; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|F9 EE|"; depth:2; content:"|E4 F1 B4 B4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42673; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FE E9|"; depth:2; content:"|E3 F6 B3 B3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42672; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FF E8|"; depth:2; content:"|E2 F7 B2 B2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42671; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FC EB|"; depth:2; content:"|E1 F4 B1 B1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42670; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xb0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|FD EA|"; depth:2; content:"|E0 F5 B0 B0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42669; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xaf encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E2 F5|"; depth:2; content:"|FF EA AF AF|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42668; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xae encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E3 F4|"; depth:2; content:"|FE EB AE AE|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42667; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xad encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E0 F7|"; depth:2; content:"|FD E8 AD AD|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42666; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xac encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E1 F6|"; depth:2; content:"|FC E9 AC AC|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42665; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xab encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E6 F1|"; depth:2; content:"|FB EE AB AB|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42664; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xaa encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E7 F0|"; depth:2; content:"|FA EF AA AA|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42663; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa9 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E4 F3|"; depth:2; content:"|F9 EC A9 A9|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42662; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa8 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E5 F2|"; depth:2; content:"|F8 ED A8 A8|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42661; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa7 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|EA FD|"; depth:2; content:"|F7 E2 A7 A7|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42660; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa6 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|EB FC|"; depth:2; content:"|F6 E3 A6 A6|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42659; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa5 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E8 FF|"; depth:2; content:"|F5 E0 A5 A5|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42658; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa4 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|E9 FE|"; depth:2; content:"|F4 E1 A4 A4|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42657; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa3 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|EE F9|"; depth:2; content:"|F3 E6 A3 A3|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42656; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa2 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|EF F8|"; depth:2; content:"|F2 E7 A2 A2|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42655; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa1 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|EC FB|"; depth:2; content:"|F1 E4 A1 A1|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42654; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0xa0 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|ED FA|"; depth:2; content:"|F0 E5 A0 A0|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42653; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D2 C5|"; depth:2; content:"|CF DA 9F 9F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42652; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D3 C4|"; depth:2; content:"|CE DB 9E 9E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42651; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D0 C7|"; depth:2; content:"|CD D8 9D 9D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42650; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D1 C6|"; depth:2; content:"|CC D9 9C 9C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42649; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D6 C1|"; depth:2; content:"|CB DE 9B 9B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42648; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x9a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D7 C0|"; depth:2; content:"|CA DF 9A 9A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42647; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x99 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D4 C3|"; depth:2; content:"|C9 DC 99 99|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42646; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x98 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D5 C2|"; depth:2; content:"|C8 DD 98 98|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42645; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x97 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DA CD|"; depth:2; content:"|C7 D2 97 97|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42644; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x96 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DB CC|"; depth:2; content:"|C6 D3 96 96|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42643; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x95 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D8 CF|"; depth:2; content:"|C5 D0 95 95|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42642; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x94 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|D9 CE|"; depth:2; content:"|C4 D1 94 94|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42641; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x93 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DE C9|"; depth:2; content:"|C3 D6 93 93|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42640; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x92 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DF C8|"; depth:2; content:"|C2 D7 92 92|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42639; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x91 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DC CB|"; depth:2; content:"|C1 D4 91 91|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42638; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x90 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|DD CA|"; depth:2; content:"|C0 D5 90 90|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42637; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C2 D5|"; depth:2; content:"|DF CA 8F 8F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42636; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C3 D4|"; depth:2; content:"|DE CB 8E 8E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42635; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C0 D7|"; depth:2; content:"|DD C8 8D 8D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42634; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C1 D6|"; depth:2; content:"|DC C9 8C 8C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42633; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C6 D1|"; depth:2; content:"|DB CE 8B 8B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42632; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x8a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C7 D0|"; depth:2; content:"|DA CF 8A 8A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42631; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x89 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C4 D3|"; depth:2; content:"|D9 CC 89 89|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42630; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x88 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C5 D2|"; depth:2; content:"|D8 CD 88 88|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42629; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x87 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CA DD|"; depth:2; content:"|D7 C2 87 87|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42628; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x86 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CB DC|"; depth:2; content:"|D6 C3 86 86|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42627; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x85 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C8 DF|"; depth:2; content:"|D5 C0 85 85|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42626; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x84 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|C9 DE|"; depth:2; content:"|D4 C1 84 84|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42625; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x83 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CE D9|"; depth:2; content:"|D3 C6 83 83|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42624; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x82 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CF D8|"; depth:2; content:"|D2 C7 82 82|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42623; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x81 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CC DB|"; depth:2; content:"|D1 C4 81 81|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42622; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x80 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|CD DA|"; depth:2; content:"|D0 C5 80 80|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42621; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|32 25|"; depth:2; content:"|2F 3A 7F 7F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42620; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|33 24|"; depth:2; content:"|2E 3B 7E 7E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42619; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|30 27|"; depth:2; content:"|2D 38 7D 7D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42618; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|31 26|"; depth:2; content:"|2C 39 7C 7C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42617; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|36 21|"; depth:2; content:"|2B 3E 7B 7B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42616; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x7a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|37 20|"; depth:2; content:"|2A 3F 7A 7A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42615; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x79 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|34 23|"; depth:2; content:"|29 3C 79 79|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42614; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x78 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|35 22|"; depth:2; content:"|28 3D 78 78|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42613; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x77 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3A 2D|"; depth:2; content:"|27 32 77 77|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42612; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x76 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3B 2C|"; depth:2; content:"|26 33 76 76|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42611; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x75 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|38 2F|"; depth:2; content:"|25 30 75 75|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42610; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x74 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|39 2E|"; depth:2; content:"|24 31 74 74|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42609; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x73 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3E 29|"; depth:2; content:"|23 36 73 73|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42608; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x72 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3F 28|"; depth:2; content:"|22 37 72 72|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42607; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x71 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3C 2B|"; depth:2; content:"|21 34 71 71|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42606; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x70 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|3D 2A|"; depth:2; content:"|20 35 70 70|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42605; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|22 35|"; depth:2; content:"|3F 2A 6F 6F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42604; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|23 34|"; depth:2; content:"|3E 2B 6E 6E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42603; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|20 37|"; depth:2; content:"|3D 28 6D 6D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42602; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|21 36|"; depth:2; content:"|3C 29 6C 6C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42601; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|26 31|"; depth:2; content:"|3B 2E 6B 6B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42600; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x6a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|27 30|"; depth:2; content:"|3A 2F 6A 6A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42599; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x69 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|24 33|"; depth:2; content:"|39 2C 69 69|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42598; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x68 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|25 32|"; depth:2; content:"|38 2D 68 68|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42597; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x67 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2A 3D|"; depth:2; content:"|37 22 67 67|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42596; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x66 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2B 3C|"; depth:2; content:"|36 23 66 66|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42595; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x65 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|28 3F|"; depth:2; content:"|35 20 65 65|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42594; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x64 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|29 3E|"; depth:2; content:"|34 21 64 64|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42593; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x63 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2E 39|"; depth:2; content:"|33 26 63 63|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42592; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x62 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2F 38|"; depth:2; content:"|32 27 62 62|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42591; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x61 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2C 3B|"; depth:2; content:"|31 24 61 61|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42590; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x60 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|2D 3A|"; depth:2; content:"|30 25 60 60|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42589; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|12 05|"; depth:2; content:"|0F 1A 5F 5F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42588; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|13 04|"; depth:2; content:"|0E 1B 5E 5E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42587; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|10 07|"; depth:2; content:"|0D 18 5D 5D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42586; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|11 06|"; depth:2; content:"|0C 19 5C 5C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42585; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|16 01|"; depth:2; content:"|0B 1E 5B 5B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42584; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x5a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|17 00|"; depth:2; content:"|0A 1F 5A 5A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42583; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x59 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|14 03|"; depth:2; content:"|09 1C 59 59|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42582; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x58 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|15 02|"; depth:2; content:"|08 1D 58 58|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42581; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x57 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1A 0D|"; depth:2; content:"|07 12 57 57|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42580; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x56 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1B 0C|"; depth:2; content:"|06 13 56 56|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42579; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x55 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|18 0F|"; depth:2; content:"|05 10 55 55|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42578; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x54 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|19 0E|"; depth:2; content:"|04 11 54 54|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42577; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x53 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1E 09|"; depth:2; content:"|03 16 53 53|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42576; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x52 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1F 08|"; depth:2; content:"|02 17 52 52|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42575; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x51 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1C 0B|"; depth:2; content:"|01 14 51 51|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42574; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x50 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|1D 0A|"; depth:2; content:"|00 15 50 50|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42573; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|02 15|"; depth:2; content:"|1F 0A 4F 4F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42572; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|03 14|"; depth:2; content:"|1E 0B 4E 4E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42571; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|00 17|"; depth:2; content:"|1D 08 4D 4D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42570; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|01 16|"; depth:2; content:"|1C 09 4C 4C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42569; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|06 11|"; depth:2; content:"|1B 0E 4B 4B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42568; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x4a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|07 10|"; depth:2; content:"|1A 0F 4A 4A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42567; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x49 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|04 13|"; depth:2; content:"|19 0C 49 49|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42566; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x48 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|05 12|"; depth:2; content:"|18 0D 48 48|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42565; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x47 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0A 1D|"; depth:2; content:"|17 02 47 47|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42564; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x46 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0B 1C|"; depth:2; content:"|16 03 46 46|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42563; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x45 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|08 1F|"; depth:2; content:"|15 00 45 45|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42562; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x44 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|09 1E|"; depth:2; content:"|14 01 44 44|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42561; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x43 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0E 19|"; depth:2; content:"|13 06 43 43|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42560; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x42 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0F 18|"; depth:2; content:"|12 07 42 42|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42559; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x41 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0C 1B|"; depth:2; content:"|11 04 41 41|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42558; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x40 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|0D 1A|"; depth:2; content:"|10 05 40 40|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42557; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|72 65|"; depth:2; content:"|6F 7A 3F 3F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42556; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|73 64|"; depth:2; content:"|6E 7B 3E 3E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42555; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|70 67|"; depth:2; content:"|6D 78 3D 3D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42554; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|71 66|"; depth:2; content:"|6C 79 3C 3C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42553; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|76 61|"; depth:2; content:"|6B 7E 3B 3B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42552; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x3a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|77 60|"; depth:2; content:"|6A 7F 3A 3A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42551; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x39 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|74 63|"; depth:2; content:"|69 7C 39 39|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42550; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x38 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|75 62|"; depth:2; content:"|68 7D 38 38|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42549; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x37 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7A 6D|"; depth:2; content:"|67 72 37 37|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42548; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x36 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7B 6C|"; depth:2; content:"|66 73 36 36|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42547; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x35 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|78 6F|"; depth:2; content:"|65 70 35 35|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42546; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x34 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|79 6E|"; depth:2; content:"|64 71 34 34|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42545; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x33 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7E 69|"; depth:2; content:"|63 76 33 33|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42544; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x32 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7F 68|"; depth:2; content:"|62 77 32 32|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42543; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x31 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7C 6B|"; depth:2; content:"|61 74 31 31|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42542; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x30 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|7D 6A|"; depth:2; content:"|60 75 30 30|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42541; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|62 75|"; depth:2; content:"|7F 6A 2F 2F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42540; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|63 74|"; depth:2; content:"|7E 6B 2E 2E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42539; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|60 77|"; depth:2; content:"|7D 68 2D 2D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42538; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|61 76|"; depth:2; content:"|7C 69 2C 2C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42537; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|66 71|"; depth:2; content:"|7B 6E 2B 2B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42536; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x2a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|67 70|"; depth:2; content:"|7A 6F 2A 2A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42535; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x29 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|64 73|"; depth:2; content:"|79 6C 29 29|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42534; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x28 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|65 72|"; depth:2; content:"|78 6D 28 28|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42533; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x27 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6A 7D|"; depth:2; content:"|77 62 27 27|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42532; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x26 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6B 7C|"; depth:2; content:"|76 63 26 26|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42531; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x25 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|68 7F|"; depth:2; content:"|75 60 25 25|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42530; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x24 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|69 7E|"; depth:2; content:"|74 61 24 24|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42529; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x23 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6E 79|"; depth:2; content:"|73 66 23 23|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42528; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x22 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6F 78|"; depth:2; content:"|72 67 22 22|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42527; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x21 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6C 7B|"; depth:2; content:"|71 64 21 21|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42526; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x20 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|6D 7A|"; depth:2; content:"|70 65 20 20|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42525; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|52 45|"; depth:2; content:"|4F 5A 1F 1F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42524; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|53 44|"; depth:2; content:"|4E 5B 1E 1E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42523; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|50 47|"; depth:2; content:"|4D 58 1D 1D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42522; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|51 46|"; depth:2; content:"|4C 59 1C 1C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42521; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|56 41|"; depth:2; content:"|4B 5E 1B 1B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42520; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x1a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|57 40|"; depth:2; content:"|4A 5F 1A 1A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42519; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x19 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|54 43|"; depth:2; content:"|49 5C 19 19|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42518; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x18 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|55 42|"; depth:2; content:"|48 5D 18 18|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42517; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x17 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5A 4D|"; depth:2; content:"|47 52 17 17|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42516; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x16 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5B 4C|"; depth:2; content:"|46 53 16 16|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42515; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x15 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|58 4F|"; depth:2; content:"|45 50 15 15|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42514; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x14 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|59 4E|"; depth:2; content:"|44 51 14 14|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42513; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x13 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5E 49|"; depth:2; content:"|43 56 13 13|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42512; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x12 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5F 48|"; depth:2; content:"|42 57 12 12|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42511; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x11 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5C 4B|"; depth:2; content:"|41 54 11 11|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42510; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x10 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|5D 4A|"; depth:2; content:"|40 55 10 10|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42509; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0f encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|42 55|"; depth:2; content:"|5F 4A 0F 0F|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42508; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0e encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|43 54|"; depth:2; content:"|5E 4B 0E 0E|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42507; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0d encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|40 57|"; depth:2; content:"|5D 48 0D 0D|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42506; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0c encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|41 56|"; depth:2; content:"|5C 49 0C 0C|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42505; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0b encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|46 51|"; depth:2; content:"|5B 4E 0B 0B|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42504; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x0a encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|47 50|"; depth:2; content:"|5A 4F 0A 0A|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42503; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x09 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|44 53|"; depth:2; content:"|59 4C 09 09|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42502; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x08 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|45 52|"; depth:2; content:"|58 4D 08 08|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42501; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x07 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|4A 5D|"; depth:2; content:"|57 42 07 07|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42500; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x06 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|4B 5C|"; depth:2; content:"|56 43 06 06|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42499; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x05 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|48 5F|"; depth:2; content:"|55 40 05 05|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42498; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x04 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|49 5E|"; depth:2; content:"|54 41 04 04|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42497; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x03 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|4E 59|"; depth:2; content:"|53 46 03 03|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42496; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x02 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|4F 58|"; depth:2; content:"|52 47 02 02|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42495; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE XOR 0x01 encrypted portable executable file download attempt"; flow:to_client,established; file_data; content:"|4C 5B|"; depth:2; content:"|51 44 01 01|"; depth:255; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:42494; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE SandboxEscaper WER download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"R|00|e|00|p|00|o|00|r|00|t|00|Q|00|u|00|e|00|u|00|e|00|"; fast_pattern:only; nocase; content:"w|00|e|00|r|00|"; nocase; content:"U|00|S|00|O|00|P|00|r|00|i|00|v|00|a|00|t|00|e|00|"; nocase; metadata:impact_flag red, service smtp; classtype:attempted-user; sid:43633; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE SandboxEscaper WER download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"R|00|e|00|p|00|o|00|r|00|t|00|Q|00|u|00|e|00|u|00|e|00|"; fast_pattern:only; nocase; content:"w|00|e|00|r|00|"; nocase; content:"U|00|S|00|O|00|P|00|r|00|i|00|v|00|a|00|t|00|e|00|"; nocase; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43632; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Invincea Dell Protected Workspace InvProtectDrv sandbox escape attempt"; flow:to_server,established; file_data; content:"|50 6A 00 6A 00 6A 00 6A 00 68|"; fast_pattern; content:"|FF 15|"; within:2; distance:4; byte_extract:3,1,functsOffset,relative; content:"|50 68 00 10 00 00 8D|"; within:200; content:"|FF 15|"; within:40; byte_test:3,=,functsOffset,1,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8732; reference:url,www.talosintelligence.com/reports/TALOS-2016-0246; classtype:attempted-user; sid:41313; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Invincea Dell Protected Workspace InvProtectDrv sandbox escape attempt"; flow:to_client,established; file_data; content:"|50 6A 00 6A 00 6A 00 6A 00 68|"; fast_pattern; content:"|FF 15|"; within:2; distance:4; byte_extract:3,1,functsOffset,relative; content:"|50 68 00 10 00 00 8D|"; within:200; content:"|FF 15|"; within:40; byte_test:3,=,functsOffset,1,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8732; reference:url,www.talosintelligence.com/reports/TALOS-2016-0246; classtype:attempted-user; sid:41312; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Invincea-X SboxDrv.sys local privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|C7 06 01 00 34 12|"; content:"|6A 00 8D 85 F4 FE FF FF 50 68 00 01 00 00 53 6A 40 56 68 07 20 22 00 57 FF 15 1C 00 41 00|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9038; reference:url,www.talosintelligence.com/reports/TALOS-2016-0256/; classtype:attempted-admin; sid:41307; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Invincea-X SboxDrv.sys local privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|C7 06 01 00 34 12|"; content:"|6A 00 8D 85 F4 FE FF FF 50 68 00 01 00 00 53 6A 40 56 68 07 20 22 00 57 FF 15 1C 00 41 00|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9038; reference:url,www.talosintelligence.com/reports/TALOS-2016-0256/; classtype:attempted-admin; sid:41306; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"CryptoNight"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/8bf1def5479b39376b3790a83380831d288c57dd4fbad8e64abc3a9062eb56bb; classtype:trojan-activity; sid:45548; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Binutils objdump integer overflow attempt"; flow:to_server,established; file_data; content:"|01 00 00 00 00 00 00 00 7B 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 64 00 00 00 FF FF FF FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-6543; classtype:denial-of-service; sid:45934; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Binutils objdump integer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 00 00 00 00 00 00 7B 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 64 00 00 00 FF FF FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-6543; classtype:denial-of-service; sid:45933; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Win.Ransomware.Rapid download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"R9zZwUnk1v5JRhOMddAPogx0yIVCOdxJ"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/125c2bcb0cd05512391a695f907669b2f55a8b69c9d4df2ce1b6c9c5a1395b61/; classtype:trojan-activity; sid:46397; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Win.Ransomware.Rapid download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"R9zZwUnk1v5JRhOMddAPogx0yIVCOdxJ"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/125c2bcb0cd05512391a695f907669b2f55a8b69c9d4df2ce1b6c9c5a1395b61/; classtype:trojan-activity; sid:46396; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt"; flow:to_server,established; file_data; content:"|02 02 7B 18 00 00 04 7E 37 00 00 0A 02 7B 1A 00 00 04 02 7B 1B 00 00 04 6F 38 00 00 0A 7D 1C 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8411; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8411; classtype:attempted-user; sid:48058; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows NTFS privilege escalation attempt"; flow:to_client,established; file_data; content:"|02 02 7B 18 00 00 04 7E 37 00 00 0A 02 7B 1A 00 00 04 02 7B 1B 00 00 04 6F 38 00 00 0A 7D 1C 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8411; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8411; classtype:attempted-user; sid:48057; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt"; flow:to_server,established; file_data; content:"|6A 00 6A 00 68 7B 04 00 00 FF 35 BC A2 41 00 FF 15 3C 21 41 00 68 E8 03 00 00 FF 15 24 20 41 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8404; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8404; classtype:attempted-user; sid:47504; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt"; flow:to_client,established; file_data; content:"|6A 00 6A 00 68 7B 04 00 00 FF 35 BC A2 41 00 FF 15 3C 21 41 00 68 E8 03 00 00 FF 15 24 20 41 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8404; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8404; classtype:attempted-user; sid:47503; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt"; flow:to_server,established; file_data; content:"|48 8B 1D F1 9E 01 00 FF 15 F3 E6 00 00 48 8D 15 EC 5A 01 00 48 8B C8 FF 15 EB E6 00 00 48 8B CB FF D0|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8611; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8611; classtype:attempted-user; sid:48613; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt"; flow:to_client,established; file_data; content:"|48 8B 1D F1 9E 01 00 FF 15 F3 E6 00 00 48 8D 15 EC 5A 01 00 48 8B C8 FF 15 EB E6 00 00 48 8B CB FF D0|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8611; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8611; classtype:attempted-user; sid:48612; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|52 53 44 53 AC E2 DA 2C 27 7A A5 46 AA 56 A9 C5 AE 82 29 F3 01 00 00 00 43 3A 5C 55 73 65 72 73|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0574; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0574; classtype:attempted-admin; sid:48769; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|52 53 44 53 AC E2 DA 2C 27 7A A5 46 AA 56 A9 C5 AE 82 29 F3 01 00 00 00 43 3A 5C 55 73 65 72 73|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0574; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0574; classtype:attempted-admin; sid:48768; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-EXECUTABLE Microsoft Windows kernel user after free attempt"; flow:to_server,established; file_data; content:"|FF 84 C0 0F 84 36 01 00 00 40 32 F6 40 88 74 24 20 E8 5B B8 FF FF 8A D8 8B 0D 3A 4E 07 00 83 F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0685; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0685; classtype:attempted-admin; sid:49689; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-EXECUTABLE Microsoft Windows kernel user after free attempt"; flow:to_client,established; file_data; content:"|FF 84 C0 0F 84 36 01 00 00 40 32 F6 40 88 74 24 20 E8 5B B8 FF FF 8A D8 8B 0D 3A 4E 07 00 83 F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0685; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0685; classtype:attempted-admin; sid:49688; rev:1;)

2214
docker/etc/rules/file-flash.rules Archivo normal


@@ -0,0 +1,651 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# FILE-IMAGE RULES
#------------------
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In FlashPix image processing overflow attempt"; flow:to_server,established; flowbits:isset,file.fpx; file_data; content:"|03 01 22 00 02 11 01 03 62 01 FF DA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1744; classtype:attempted-user; sid:26978; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows WMF denial of service attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"|FC 02|"; pcre:"/\xFC\x02[\x08\x06]\x00.{4}(?!\x00\x00)/s"; metadata:service smtp; reference:bugtraq,21992; reference:cve,2006-4071; classtype:web-application-attack; sid:26909; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected zTXt overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"zTXt"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26866; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; fast_pattern; content:"tEXt"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:cve,2009-2501; reference:cve,2012-5470; reference:cve,2013-1331; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-062; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-051; classtype:attempted-user; sid:26865; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iTXt overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"iTXt"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26864; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tIME overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"tIME"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26863; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"sPLT"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26862; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected pHYs overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"pHYs"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26861; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected hIST overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"hIST"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26859; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected bKGD overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"bKGD"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26858; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sRGB overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"sRGB"; distance:0; content:!"iCCP"; within:4; distance:-8; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26857; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sBIT overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"sBIT"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26856; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.pictmov; file_data; content:"|00 07|"; offset:512; fast_pattern; byte_test:2,>,0x7fff,2,relative; content:"|00 07 00 01 00|"; within:5; distance:4; metadata:service smtp; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:26701; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pictmov; file_data; content:"|00 07|"; offset:512; fast_pattern; byte_test:2,>,0x7fff,2,relative; content:"|00 07 00 01 00|"; within:5; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:26700; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.pictmov; file_data; content:"|00 07|"; offset:512; byte_test:2,>,0x7fff,2,relative; content:!"|00 07|"; distance:0; metadata:service smtp; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:26699; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE BMP extremely large xpos opcodes"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00|"; content:"|00 02 FF 00 00 02 FF 00 00 02 FF 00|"; within:12; distance:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26665; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_server; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|"; depth:4; content:"8BIM"; within:4; distance:16; content:"|04 09|"; within:2; content:"|FF D8 FF ED|"; distance:0; content:"8BIM"; within:4; distance:16; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26373; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_server; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|"; depth:4; content:"8BIM"; within:4; distance:16; content:"|04 0C|"; within:2; content:"|FF D8 FF ED|"; distance:0; content:"8BIM"; within:4; distance:16; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26372; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; content:"|00|"; within:79; distance:12; content:"|00|"; within:1; metadata:policy max-detect-ips drop, service http, service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:25066; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x7ffffff,-8,relative; content:"|00|"; within:79; distance:12; content:"|00|"; within:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:25065; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT file opcode corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF|"; isdataat:2,relative; content:!"|0C 00|"; within:2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53584; reference:cve,2012-0671; reference:url,community.qualys.com/docs/DOC-3511; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24695; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"PICT"; depth:4; isdataat:594,relative; content:"|00 07|"; within:2; distance:594; byte_test:2,>,0x7fff,2,relative; metadata:service smtp; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:24553; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_server,established; flowbits:isset,file.pictmov; file_data; content:"|00 07|"; byte_test:2,>,0x7fff,2,relative; metadata:service smtp; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:24552; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pictmov; file_data; content:"|00 07|"; offset:512; byte_test:2,>,0x7fff,2,relative; content:!"|00 07|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:24551; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE XPM file format overflow attempt"; flow:to_server,established; flowbits:isset,file.xpm; file_data; content:"/* XPM */"; pcre:"/^\s*\x22[^\x22\n]{300}/mi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23620; reference:cve,2007-2193; classtype:attempted-user; sid:24189; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; depth:8; offset:278; content:"|02 01 03 00 04 00 00 00 16 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:service smtp; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23590; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; depth:8; offset:266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:service smtp; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:23589; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Kodak Imaging large offset malformed tiff - big-endian"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 02 00 03|"; byte_test:4,>,6,0,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-2217; reference:cve,2010-3950; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:23561; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows graphics rendering engine buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|20|EMF"; depth:4; offset:40; byte_test:4,<,0x58,4,little; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,11375; reference:cve,2004-0209; classtype:attempted-user; sid:23110; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickDraw PICT images ARGB records handling memory corruption attempt"; flow:to_server,established; file_data; content:"|00 11 02 FF|"; depth:4; offset:522; content:"|00 9A 00 00 00 FF 80|"; distance:0; content:!"|00|"; within:1; distance:10; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,22207; reference:cve,2007-0462; classtype:attempted-user; sid:21766; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|58 00 69 00 62 00 6E 00 61 00 57 00 6D 00 5A 00 31 00 63 00 38 00 42 00 4B 00 37 00 4D 00 71 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-029; classtype:attempted-user; sid:21439; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; depth:8; offset:278; content:"|02 01 03 00 04 00 00 00 16 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:21160; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Quicktime PictureViewer GIF rendering vulnerability"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"GIF"; depth:3; content:"|01 00 00 00 21 F9 04 00 00 00 00 00 2C 00 00 00 00 00 01 00 01 00 FF FF|"; within:24; distance:6; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2005-1106; classtype:attempted-user; sid:20059; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe jpeg 2000 image exploit attempt"; flow:to_client,established; file_data; content:"|FF 52 40 C3 AF 47 81 32 CF 93 99 8C FF 47 1E 0D D9 88 28|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2098; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19247; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|60 00 00 00 02 10 C0 DB 09 00 00 00 00 00 00 00 00 00 80 3F 00 00 80 3F 00 00 FA 44 02 00 00 4D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-029; classtype:attempted-user; sid:18645; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PictureViewer buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|4A 46 49 46|"; content:"|EB 06 44 00|"; distance:0; content:"|42 42 42 42|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18600; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft FlashPix tile length overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FF 5F 00 00 02 00 00 00 00 11 01 FE 56 0B 00 00 3C 0A 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3952; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18229; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe BMP image handler buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; content:"Content-Type: text/plain|0D 0A 0D 0A|BM"; fast_pattern:only; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4, >, 256, 36, relative, little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28874; reference:cve,2008-1765; classtype:attempted-user; sid:17678; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; file_data; content:"|52 4B 55 F6 EF DF 63 70 A3 6C 5C 5B 48 71 BB 7A 70 77 3B 44 69 5B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:17628; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE OpenOffice EMF file EMR record parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|54 00 00 00|"; byte_test:4,>=,0x80000000,40,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2238; reference:cve,2017-3052; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.openoffice.org/security/cves/CVE-2008-2238.html; classtype:attempted-user; sid:17388; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe tiff oversized image length attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|14 01 00 00 01 01 04 00 01 00 00 00 01 01 01 01 02 01 03 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2995; classtype:attempted-user; sid:16321; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test:4,>,59000,0,relative,big; byte_test:4,>,32000,4,relative,big; byte_test:1,>,7,8,relative; content:"|06|"; within:1; distance:9; content:"|01|"; within:1; distance:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3126; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16186; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; depth:8; offset:266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16184; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows malformed WMF meta escape record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"WMFC|01 00 00 00|"; byte_test:4,>,1000000,14,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2500; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16153; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows 2000 Kodak Imaging large offset malformed tiff 2"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"MM|00|*"; byte_jump:4,0,relative,big; content:"|01 02 00 03|"; distance:-8; byte_test:4,>,6,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; classtype:attempted-user; sid:12634; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows WMF denial of service attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|FC 02|"; pcre:"/\xFC\x02[\x08\x06]\x00.{4}(?!\x00\x00)/s"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21992; reference:cve,2006-4071; classtype:web-application-attack; sid:10115; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Java Virtual Machine malformed GIF buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"GIF"; byte_test:1,!&,128,7,relative; content:","; within:1; distance:10; content:"|00 00|"; within:2; distance:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:10062; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected zTXt overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"zTXt"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6701; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iTXt overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"iTXt"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6699; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tIME overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"tIME"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6698; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"sPLT"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6697; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected pHYs overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"pHYs"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6696; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected hIST overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"hIST"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6694; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected bKGD overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"bKGD"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6693; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sBIT overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"sBIT"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6691; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iCCP overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"iCCP"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6690; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Mozilla GIF single packet heap overflow - ANIMEXTS1.0"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"GIF"; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:6502; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player zero length bitmap heap overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM|00 00 00 00|"; depth:6; pcre:"/^BM\x00\x00\x00\x00/sm"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16633; reference:cve,2006-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-005; reference:url,www.eeye.com/html/research/advisories/AD20060214.html; classtype:attempted-admin; sid:5711; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft PNG large colour depth download attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3134; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Multiple Products PNG large image height download attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,4,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3133; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,0,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3132; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE JPEG parser multipacket heap overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|00 48 00 00 FF|"; fast_pattern:only; pcre:"/\x00\x48\x00\x00\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11173; reference:cve,2004-0200; reference:cve,2017-16392; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-028; classtype:attempted-admin; sid:2707; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_client,established; content:"Content-Type"; nocase; http_header; content:"image/"; nocase; http_header; pcre:"/^Content-Type\x3A\s*image\x2F/smiH"; file_data; content:"|FF D8|"; within:2; fast_pattern; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/sR"; metadata:ruleset community, service http; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:2705; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng tRNS overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Directshow GIF logical height overflow attempt"; flow:to_server,established; file_data; content:"GIF8"; depth:4; byte_extract:2,8,gif_height,little; content:!"|00 3B|"; within:1500; content:"|2C 00 00|"; within:3; distance:387; byte_test:2,>,gif_height,0,relative,little; content:!"|96 00|"; within:2; distance:6; metadata:policy security-ips drop, service smtp; reference:cve,2013-3174; classtype:attempted-user; sid:27530; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Directshow GIF logical height overflow attempt"; flow:to_server,established; file_data; content:"GIF8"; depth:4; byte_extract:2,8,gif_height,little; content:!"|00 3B|"; within:1500; content:"|2C 00 00|"; within:3; distance:387; byte_test:2,>,gif_height,4,relative,little; content:!"|96 00|"; within:2; distance:6; metadata:policy security-ips drop, service smtp; reference:cve,2013-3174; classtype:attempted-user; sid:27529; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Directshow GIF logical width overflow attempt"; flow:to_server,established; file_data; content:"GIF8"; depth:4; byte_extract:2,6,gif_width,little; content:!"|00 3B|"; within:1500; content:"|2C 00 00|"; within:3; distance:389; byte_test:2,>,gif_width,2,relative,little; content:!"|96 00|"; within:2; distance:4; metadata:policy security-ips drop, service smtp; reference:cve,2013-3174; classtype:attempted-user; sid:27528; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Directshow GIF logical height overflow attempt"; flow:to_client,established; file_data; content:"GIF8"; depth:4; byte_extract:2,8,gif_height,little; content:!"|00 3B|"; within:1500; content:"|2C|"; distance:0; byte_test:2,>,gif_height,2,relative,little; content:"|08 FF 00|"; within:3; distance:9; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3174; classtype:attempted-user; sid:27527; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Directshow GIF logical height overflow attempt"; flow:to_client,established; file_data; content:"GIF8"; depth:4; byte_extract:2,8,gif_height,little; content:!"|00 3B|"; within:1500; content:"|2C|"; distance:0; byte_test:2,>,gif_height,6,relative,little; content:!"|96 00|"; within:2; distance:6; content:"|08 FF 00|"; within:3; distance:9; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3174; classtype:attempted-user; sid:27526; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Directshow GIF logical width overflow attempt"; flow:to_client,established; file_data; content:"GIF8"; depth:4; byte_extract:2,6,gif_width,little; content:!"|00 3B|"; within:1500; content:"|2C|"; distance:0; byte_test:2,>,gif_width,4,relative,little; content:!"|96 00|"; within:2; distance:4; content:"|08 FF 00|"; within:3; distance:9; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3174; classtype:attempted-user; sid:27525; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE JPEG parser multipacket heap overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|00 48 00 00 FF|"; fast_pattern:only; pcre:"/\x00\x48\x00\x00\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; metadata:service smtp; reference:bugtraq,11173; reference:cve,2004-0200; reference:cve,2017-16392; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-028; classtype:attempted-admin; sid:27569; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime PICT file overread buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00 FF|"; byte_jump:2,-17,relative,post_offset -4,big; isdataat:1,relative; content:!"|00 FF|"; within:2; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28583; reference:cve,2008-1019; classtype:attempted-user; sid:29434; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|80 38 9B CD 97 FB A5 C8 B8 00 0C 06 6E 00 00 10 0C 03 00 00 1F EF F8 8C 56 2D 17 8A BF DF D1 10|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:29433; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; content:"tRNS"; distance:0; fast_pattern; byte_test:4,>,256,-8,relative; metadata:service smtp; reference:bugtraq,13941; reference:bugtraq,18385; reference:cve,2005-1211; reference:cve,2006-0025; reference:cve,2012-4170; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:29620; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00 00|"; depth:12; byte_test:2,>,0x2AAA,0,relative,little; metadata:policy security-ips drop, service smtp; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25378; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00 00|"; depth:12; byte_test:2,>,0x2AAA,0,relative,little; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25376; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GIMP heap buffer overflow vulnerability attempt"; flow:to_server,established; flowbits:isset,file.psd; file_data; content:"8BPS|00 01 00 00 00 00 00 00|"; depth:12; byte_test:2,>,56,0,relative; metadata:service smtp; reference:cve,2012-3402; classtype:attempted-user; sid:30213; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE GIMP heap buffer overflow vulnerability attempt"; flow:to_client,established; flowbits:isset,file.psd; file_data; content:"8BPS|00 01 00 00 00 00 00 00|"; depth:12; byte_test:2,>,56,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-3402; classtype:attempted-user; sid:30212; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE XnView PCT file processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|36 32 36 36 32 3C 36 32 3C 32 15 32 33 34 44 43 42 41 AA AA AA AA 34 35 36 37 38 90 91 26 32 32|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2577; reference:url,www.coresecurity.com/advisories/xnview-buffer-overflow-vulnerability; classtype:attempted-user; sid:31041; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE XnView PCT file processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|7F 7F 7F 7F 97 01 8F EE 8C 8F 83 7F 7D 73 71 6D 6D 67 66 61 65 60 5E 59 57 56 01 55 E6 57 5C 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2577; reference:url,www.coresecurity.com/advisories/xnview-buffer-overflow-vulnerability; classtype:attempted-user; sid:31040; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE XnView PCT file processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|36 32 36 36 32 3C 36 32 3C 32 15 32 33 34 44 43 42 41 AA AA AA AA 34 35 36 37 38 90 91 26 32 32|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2577; reference:url,www.coresecurity.com/advisories/xnview-buffer-overflow-vulnerability; classtype:attempted-user; sid:31039; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE XnView PCT file processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|7F 7F 7F 7F 97 01 8F EE 8C 8F 83 7F 7D 73 71 6D 6D 67 66 61 65 60 5E 59 57 56 01 55 E6 57 5C 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2577; reference:url,www.coresecurity.com/advisories/xnview-buffer-overflow-vulnerability; classtype:attempted-user; sid:31038; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:48,relative; content:!"|00 FF 00 00|"; within:4; distance:48; metadata:service smtp; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31576; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:52,relative; content:!"|00 00 FF 00|"; within:4; distance:52; metadata:service smtp; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31575; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:56,relative; content:!"|00 00 00 FF|"; within:4; distance:56; metadata:service smtp; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31574; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:48,relative; content:!"|00 FF 00 00|"; within:4; distance:48; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31573; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:52,relative; content:!"|00 00 FF 00|"; within:4; distance:52; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31572; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xwd; file_data; content:"|00 00 00 64 00 00 00 07|"; depth:8; isdataat:56,relative; content:!"|00 00 00 FF|"; within:4; distance:56; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,56647; reference:cve,2012-5576; classtype:attempted-user; sid:31571; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|00 10|JFIF"; depth:6; offset:4; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/s"; metadata:ruleset community, service smtp; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:31719; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; file_data; content:"|6D 36 54 55 6C 6A 43 41 43 7A 56 2F 77 79 35 34|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32833; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; file_data; content:"|72 ED A6 A4 B6 87 E8 BE ED 5A 64 F4 51 DD 37 F3 31 40 00 B4 B7 3A 61 16 DD 75 A0 40 0F 03 82 16|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32832; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; file_data; content:"|CE 28 C5 56 76 58 A4 26 88 A0 A2 AA 57 D1 FA 7A 23 93 93 A7 A2 D6 0A 18 F9 D5 43 CD 9A 32 88 75|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32831; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; file_data; content:"|6D 36 54 55 6C 6A 43 41 43 7A 56 2F 77 79 35 34|"; fast_pattern:only; metadata:service smtp; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32830; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; file_data; content:"|72 ED A6 A4 B6 87 E8 BE ED 5A 64 F4 51 DD 37 F3 31 40 00 B4 B7 3A 61 16 DD 75 A0 40 0F 03 82 16|"; fast_pattern:only; metadata:service smtp; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32829; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; file_data; content:"|CE 28 C5 56 76 58 A4 26 88 A0 A2 AA 57 D1 FA 7A 23 93 93 A7 A2 D6 0A 18 F9 D5 43 CD 9A 32 88 75|"; fast_pattern:only; metadata:service smtp; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:32828; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,0,relative; metadata:ruleset community, service smtp; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:32889; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00|"; depth:4; content:"|02 01 03 00 04 00 00 00|"; depth:100; content:"|06 01 04 00 01 00 00 00 05 00 00 00 0D 01 02 00|"; within:16; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:33518; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00|"; depth:4; content:"|02 01 03 00 04 00 00 00|"; depth:100; content:"|06 01 04 00 01 00 00 00 05 00 00 00 0D 01 02 00|"; within:16; distance:4; metadata:service smtp; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:33517; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_server,established; file_data; content:"|4D 4D 00 2A|"; depth:4; content:"|01 02 00 03 00 00 00 04 00 00 00|"; depth:100; content:"|01 06 00 04 00 00 00 01 00 00 00 05 01 0D 00 02 00 00 00|"; within:19; distance:1; metadata:service smtp; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:33516; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; file_data; content:"|4D 4D 00 2A|"; depth:4; content:"|01 02 00 03 00 00 00 04 00 00 00|"; depth:100; content:"|01 06 00 04 00 00 00 01 00 00 00 05 01 0D 00 02 00 00 00|"; within:19; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36646; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:33515; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|03 01 03 00 01 00 00 00 74 87|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-2027; reference:url,www.adobe.com/support/security/bulletins/apsb12-11.html; classtype:attempted-user; sid:33591; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF parsing heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 03 00 03 00 00 00 01 87 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-2027; reference:cve,2017-3028; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.adobe.com/support/security/bulletins/apsb12-11.html; classtype:attempted-user; sid:33590; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 03 00 03 00 00 00 01 87 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2027; reference:cve,2017-3028; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.adobe.com/support/security/bulletins/apsb12-11.html; classtype:attempted-user; sid:33589; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|08 0A 00 00 00 2C|"; content:"|00 66 00|"; within:3; distance:1; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:2; metadata:service smtp; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:33615; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"IHDR"; within:4; distance:4; content:"|00|"; within:1; distance:9; content:"|00 00 00 01|tRNS"; distance:0; fast_pattern; metadata:service smtp; reference:cve,2015-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-024; classtype:misc-attack; sid:33761; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Internet Explorer PNG tRNS chuck size 1 information disclosure attempt"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"IHDR"; within:4; distance:4; content:"|00|"; within:1; distance:9; content:"|00 00 00 01|tRNS"; within:500; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-024; classtype:misc-attack; sid:33760; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft emf file download request"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:" EMF"; depth:4; offset:40; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,10120; reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; sid:33740; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Kodak Imaging small offset malformed tiff - little-endian"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|02 01 03 00|"; byte_test:4,>,6,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; classtype:attempted-user; sid:34135; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Flash Player element array stack overflow attempt"; flow:to_server,established; file_data; content:"|A3 9F 58 B1 37 36 62 A8 E4 74 1B 82 A4 13 60 D8 84 4C F6 40 74 8D 06 A4 12 F2 39 43 19 70 DF 53|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0350; classtype:attempted-user; sid:34134; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Flash Player element array stack overflow attempt"; flow:to_client,established; file_data; content:"|A3 9F 58 B1 37 36 62 A8 E4 74 1B 82 A4 13 60 D8 84 4C F6 40 74 8D 06 A4 12 F2 39 43 19 70 DF 53|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0350; classtype:attempted-user; sid:34133; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows wmf integer overflow attempt"; flow:to_client,established; content:"|D7 CD C6 9A 00 00|"; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|38 05|"; distance:0; byte_test:4,<,255,-6,relative,little; byte_test:2,>,4095,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:web-application-attack; sid:34294; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows wmf integer overflow attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"|D7 CD C6 9A 00 00|"; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|38 05|"; distance:0; byte_test:4,<,255,-6,relative,little; byte_test:2,>,4095,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:web-application-attack; sid:34293; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In FlashPix image processing overflow attempt"; flow:to_server,established; flowbits:isset,file.fpx; file_data; content:"|FF D8 FF C0 00 11 08 00 40 00 40 03 01 22 00 02 11 01 03 FF 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-1744; classtype:attempted-user; sid:26979; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In FlashPix image processing overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FF D8 FF C0 00 11 08 00 40 00 40 03 01 22 00 02 11 01 03 FF 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1744; classtype:attempted-user; sid:26977; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In FlashPix image processing overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|03 01 22 00 02 11 01 03 62 01 FF DA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1744; classtype:attempted-user; sid:26976; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tRNS overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"tRNS"; distance:0; byte_test:4,>,7000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,13941; reference:bugtraq,18385; reference:cve,2005-1211; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26860; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected iCCP overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"iCCP"; distance:0; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26855; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected cHRM overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"IHDR"; fast_pattern; content:"cHRM"; distance:0; byte_test:4,>,7000,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:26854; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE BMP extremely large xpos opcodes"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00 00 02 FF 00|"; content:"|00 02 FF 00 00 02 FF 00 00 02 FF 00|"; within:12; distance:100; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26664; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|"; depth:4; content:"8BIM"; within:4; distance:16; content:"|04 09|"; within:2; content:"|FF D8 FF ED|"; distance:0; content:"8BIM"; within:4; distance:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26374; rev:9;)
# alert tcp any any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg|file.tiff; file_data; content:"|DE 00 00 00|(|01 03 00 CE FF FF 7F|(|01 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0247; classtype:attempted-user; sid:25348; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition|3A|"; http_client_body; content:".jpg"; distance:0; http_client_body; pcre:"/Content-Disposition\x3a[^\r\n]*?filename\s*=\s*[\x22\x27][^\x22\x27]*?\.(jpe?g|tiff?)[\x22\x27]/iP"; content:"|DE 00 00 00|(|01 03 00 CE FF FF 7F|(|01 00 00|"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0247; classtype:attempted-user; sid:25347; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg|file.tiff; file_data; content:"|DE 00 00 00|(|01 03 00 CE FF FF 7F|(|01 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0247; classtype:attempted-user; sid:25346; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.jp2; content:"|FF 90|"; fast_pattern:only; content:"|FF 53|"; byte_jump:2,0,relative,post_offset -6; byte_test:1,>,32,0,relative; content:"|FF 93|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-4516; classtype:attempted-user; sid:24718; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.jp2; content:"|FF 90|"; fast_pattern:only; content:"|FF 52|"; byte_jump:2,0,relative,post_offset -7; byte_test:1,>,32,0,relative; content:"|FF 93|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-4516; classtype:attempted-user; sid:24717; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.jp2; content:"|FF 4F FF 51|"; fast_pattern:only; content:"|FF 53|"; byte_jump:2,0,relative,post_offset -6; byte_test:1,>,32,0,relative; content:"|FF 5C|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-4516; classtype:attempted-user; sid:24716; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.jp2; content:"|FF 4F FF 51|"; fast_pattern:only; content:"|FF 52|"; byte_jump:2,0,relative,post_offset -7; byte_test:1,>,32,0,relative; content:"|FF 5C|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-4516; classtype:attempted-user; sid:24715; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.jp2; content:"|FF 90|"; fast_pattern:only; content:"|FF 53|"; byte_jump:2,0,relative,post_offset -6; byte_test:1,>,32,0,relative; content:"|FF 93|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4516; classtype:attempted-user; sid:24714; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.jp2; content:"|FF 90|"; fast_pattern:only; content:"|FF 52|"; byte_jump:2,0,relative,post_offset -7; byte_test:1,>,32,0,relative; content:"|FF 93|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4516; classtype:attempted-user; sid:24713; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.jp2; content:"|FF 4F FF 51|"; fast_pattern:only; content:"|FF 53|"; byte_jump:2,0,relative,post_offset -6; byte_test:1,>,32,0,relative; content:"|FF 5C|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4516; classtype:attempted-user; sid:24712; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.jp2; content:"|FF 4F FF 51|"; fast_pattern:only; content:"|FF 52|"; byte_jump:2,0,relative,post_offset -7; byte_test:1,>,32,0,relative; content:"|FF 5C|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-4516; classtype:attempted-user; sid:24711; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PICT file opcode corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF|"; depth:4; offset:522; isdataat:2,relative; content:!"|0C 00|"; within:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53584; reference:cve,2012-0671; reference:url,community.qualys.com/docs/DOC-3511; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24694; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iCCP"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy max-detect-ips drop, service http, service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22109; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy max-detect-ips drop, service http, service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22108; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,631] (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"zTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy max-detect-ips drop, service http, service smtp; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22107; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iCCP"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22106; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; content:"|00|"; within:79; distance:12; content:"|01|"; within:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22105; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"zTXt"; distance:0; fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22104; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|03 01 03 00 01 00 00 00 74 87|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2027; reference:url,www.adobe.com/support/security/bulletins/apsb12-11.html; classtype:attempted-user; sid:21948; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|FF 00 9B 09 1C 28 D0 CA 1A 02 02 49 28 20 C8 70 C0 40 32 11 46 34|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:20637; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|04 7F FF 00 00 08 0D 00 01 00 B0 63 67 20 C1 83 08 ED 04 04 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:20636; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Public LibTiff Exploit"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|63 89 E7 68 2F 73 68 00 68 2F 62 69 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-3459; classtype:attempted-user; sid:20295; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader and Acrobat Libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 01 03 00 01 00 00 00 08 00 00 00 01 01 03 00 01 00 00 00 08 00 00 00 03 01 03 00 01 00 00 00 AA 00 00 00 06 01 03 00 01 00 00 00 BB 00 00 00 11 01 04 00 01 00 00 00 08 00 00 00 17 01 04 00 01 00 00 00 15 00 00 00 1C 01 03 00 01 00 00 00 01 00 00 00 50 01 03 00|"; fast_pattern:only; content:"|84 00 00 00 00 00 00 00|"; isdataat:196; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-3459; classtype:attempted-user; sid:20294; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt"; flow:to_server,established; file_data; content:"|FF C0 00 11 08 FF 37 55 99 03 01 22 00 02 11 01 03 11 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-005; classtype:attempted-user; sid:19130; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PictureViewer buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|4A 46 49 46|"; content:"|B8 EC 12 00|"; within:4; distance:269; content:"|42 42 42 42|"; within:4; distance:37; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18599; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows wmf integer overflow attempt"; flow:to_client,established; file_data; content:"|D7 CD C6 9A 00 00|"; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|38 05|"; distance:0; byte_test:4,<,255,-6,relative,little; byte_test:2,>,4095,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:web-application-attack; sid:18583; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime PICT file overread buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; stream_size:server,<,16000; content:"|00 11 02 FF 0C 00 FF|"; byte_jump:2,-17,relative,post_offset -4,big; isdataat:1,relative; content:!"|00 FF|"; within:2; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28583; reference:cve,2008-1019; classtype:attempted-user; sid:18561; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime FlashPix Movie file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|00 01 00 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00|"; byte_test:4,>,0x0FFFFFFF,12,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39020; reference:cve,2010-0519; classtype:attempted-user; sid:18510; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Flashpix graphics filter fpx32.flt remote code execution attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FE FF 00 00|"; content:"|00 64 61 56 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00 00 64 61 56 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B|"; within:36; distance:4; byte_jump:4,0,relative,little; byte_test:4,>,0,-44,relative; content:"|00 00 00 00|"; within:4; distance:-40; byte_jump:4,0,relative,little; byte_test:4,>,0x100,-8,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-3951; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18237; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Quicktime FlashPix processing overflow attempt"; flow:to_client, established; flowbits:isset,file.fpx; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|FE FF 09 00|"; within:4; distance:20; content:"|00 00 80 00|"; within:4; distance:12; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36328; reference:cve,2009-2798; classtype:attempted-user; sid:17740; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"FILE-IMAGE CUPS Gif Decoding Routine Buffer Overflow attempt"; flow:to_server,established; content:"GIF89a"; content:"|3A 00 0B 00 00 0D 2C 00 FF|"; within:1024; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28544; reference:cve,2008-1373; classtype:attempted-user; sid:17558; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle Java Web Start Splashscreen GIF decoding buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|46 38 39 61 FF FF FF FF B3 FF 00 FF FF FF CD CD CD A6 A6 A3 0E 0D 0D 05 05 83 ED EC EC AB AB B4|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2086; classtype:attempted-user; sid:17395; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|"; depth:4; content:"8BIM"; within:4; distance:16; content:"|04 0C|"; within:2; content:"|FF D8 FF ED|"; distance:0; content:"8BIM"; within:4; distance:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:17390; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GRE WMF Handling Memory Read Exception attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|00 09 00 00 03|"; content:"|04 00 00 00|"; distance:0; pcre:"/^(\x01|\x02)\x00\x09\x00{2}\x03/m"; pcre:"/\x04\x00{3}(\x26|\xff)/Rm"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16167; reference:cve,2006-0143; classtype:attempted-user; sid:17330; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Kodak Imaging large offset malformed tiff - big-endian"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 02 00 03|"; byte_test:4,>,6,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-2217; reference:cve,2010-3950; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:17232; rev:21;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Kodak Imaging small offset malformed tiff - little-endian"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|02 01 03 00|"; byte_test:4,>,6,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; classtype:attempted-user; sid:17231; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 ABR file processing buffer overflow attempt"; flow:to_client,established; file_data; content:"AnglUntF|23|Ang"; byte_test:4,>,1020,8,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40389; reference:cve,2010-1296; classtype:attempted-user; sid:17147; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 GRD file processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|00|G|00|r|00|a|00|d|00|i|00|e|00|n|00|t"; nocase; byte_test:4,>,1020,13,relative,big; content:"8BGR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40389; reference:cve,2010-1296; classtype:attempted-user; sid:17146; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 ASL file processing buffer overflow attempt"; flow:to_client,established; file_data; content:"Stylenum"; nocase; byte_test:4,>,1020,8,relative,big; content:"8BSL"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40389; reference:cve,2010-1296; classtype:attempted-user; sid:17145; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 ABR file processing buffer overflow attempt - 2"; flow:to_client,established; file_data; content:"AnglUntF"; nocase; byte_test:4,>,1020,12,relative,big; content:"8BBR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40389; reference:cve,2010-1296; classtype:attempted-user; sid:17144; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 ABR file processing buffer overflow attempt - 1"; flow:to_client,established; file_data; content:"AnglUntF"; nocase; byte_test:4,>,1020,12,relative,big; content:"8BIM"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40389; reference:cve,2010-1296; classtype:attempted-user; sid:17143; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE multiple products PNG processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; depth:16; pcre:"/\x89PNG\x0D\x0A\x1A\x0A\x00\x00\x00\x0DIHDR([^\x00]|\x00[^\x00]|.{4}[^\x00]|.{4}\x00[^\x00]|.{8}[\x11-\xff])/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34240; reference:cve,2009-1097; reference:cve,2017-3077; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:16716; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt"; flow:to_client,established; file_data; content:"|FF C0 00 11 08 FF 00 55 AC 03 01 22 00 02 11 01 03 11 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-005; classtype:attempted-user; sid:16422; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime bitmap multiple header overflow"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,65535,4,relative,little; byte_test:4,>,3,12,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17953; reference:cve,2006-2238; classtype:attempted-user; sid:16054; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickDraw PICT images ARGB records handling memory corruption attempt"; flow:to_client,established; file_data; content:"|00 11 02 FF|"; depth:4; offset:522; content:"|00 9A 00 00 00 FF 80|"; distance:0; content:!"|00|"; within:1; distance:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22207; reference:cve,2007-0462; classtype:attempted-user; sid:16001; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|F9 04 01 00 00 10 00|,|00 00 00 00 00 00 90 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:16000; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ACD Systems ACDSee XPM file format overflow attempt"; flow:to_client,established; flowbits:isset,file.xpm; file_data; content:"/* XPM */"; pcre:"/^\s*\x22[^\x22\n]{300}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23620; reference:cve,2007-2193; classtype:attempted-user; sid:15236; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|01 00 09 00|"; pcre:"/(\x40\x09.{19}|\x41\x0b.{23})[\xf0-\xff].{8}\x01\x00[\x00\x01\x02\x04\x08\x10\x18\x20]\x00/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:15105; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE BMP image handler buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; content:"image/bmp"; fast_pattern:only; http_header; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4, >, 256, 36, relative, little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28874; reference:cve,2008-1765; reference:cve,2008-3020; classtype:attempted-user; sid:13865; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows metafile SetPaletteEntries heap overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|00 09 00|"; content:"|FF FF FF|"; distance:12; content:"|00|"; within:1; distance:2; pcre:"/[\x00\x01]\x00\x09\x00.*?\xff\xff\xff[\xff\xf7][\x36\x37]\x00/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15356; reference:cve,2005-2124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-053; classtype:attempted-user; sid:13807; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime uncompressed PICT stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|"; distance:0; fast_pattern; content:"|82 01|"; distance:0; byte_test:4,<,50,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop PNG file handling stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"PLTE"; byte_test:4,>,768,-8,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23698; reference:cve,2007-2365; classtype:attempted-user; sid:11267; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF C4 02 11 00 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12905; reference:cve,2005-0903; classtype:attempted-user; sid:10126; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected tRNS overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; content:"tRNS"; distance:0; fast_pattern; byte_test:4,>,7000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13941; reference:bugtraq,18385; reference:cve,2005-1211; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6695; rev:24;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sRGB overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; content:"sRGB"; distance:0; fast_pattern; content:!"iCCP"; within:4; distance:-8; byte_test:4,>,10000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6692; rev:24;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected cHRM overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"IHDR"; content:"cHRM"; distance:0; fast_pattern; byte_test:4,>,7000,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; classtype:attempted-user; sid:6689; rev:23;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple QuickTime fpx file SectNumMiniFAT overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; byte_test:4,>,8388606,56,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,17074; reference:cve,2006-1249; classtype:attempted-user; sid:6505; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Media Player invalid data offset bitmap heap overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.bmp; content:"BM"; depth:2; byte_test:4,<,14,8,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16633; reference:cve,2006-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-005; reference:url,www.eeye.com/html/research/advisories/AD2006021.html; classtype:attempted-admin; sid:5712; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_test:4,>,83386080,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11171; reference:cve,2004-0904; reference:cve,2008-3015; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=255067; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-052; classtype:attempted-admin; sid:3632; rev:25;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Mozilla GIF single packet heap overflow - NETSCAPE2.0"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"GIF"; content:"!|FF 0B|NETSCAPE2.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:3534; rev:26;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 4 "; flow:established,to_client; content:"|B8 B9 B8 B0 AD AF B1 A7 9F DC D1 7B 8C 96 9C FF A1 20 9D 9E 9F 99 B8 FF F2 A4 9F AB AC A6 9F 96|"; fast_pattern:only; reference:cve,2010-1279; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; classtype:attempted-user; sid:16564; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 3 "; flow:established,to_client; content:"|CA 2C 24 FC BD B7 00 28 A8 38 88 DB 62 D4 23 A9 0B 50 D1 A0 C0 63 42 D0 34 E0 00 16 83 01 68 A9|"; fast_pattern:only; reference:cve,2010-1279; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; classtype:attempted-user; sid:16563; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 2 "; flow:established,to_client; content:"|86 6B 82 58 34 09 86 67 95 72 5C 72 46 32 73 49 36 8A 57 3C D2 9D 7F E8 C5 D6 EB C4 B2 EA C3 AE|"; fast_pattern:only; reference:cve,2010-1279; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; classtype:attempted-user; sid:16562; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 "; flow:established,to_client; content:"|39 3E 45 4A 4E 55 5A 5E 63 67 6C 70 72 76 7A 7C 80 83 87 89 8B 8C 90 92 94 96 98 9A 9A 9C 9E A0|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2010-1279; reference:cve,2017-3028; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,www.adobe.com/support/security/bulletins/apsb10-10.html; classtype:attempted-user; sid:16561; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe PNG empty sPLT exploit attempt "; flow:to_client,established; file_data; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"|00 00 00 00|sPLT"; offset:8; metadata:service http, service imap, service pop3; reference:cve,2009-2984; classtype:attempted-user; sid:16320; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt"; flow:to_server,established; file_data; content:"MM|00|*"; depth:4; content:"|01 12 00 03|"; byte_test:4,>,8,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5097; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35363; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt"; flow:to_client,established; file_data; content:"MM|00|*"; depth:4; content:"|01 12 00 03|"; byte_test:4,>,8,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5097; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35362; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt"; flow:to_server,established; file_data; content:"II*|00|"; depth:4; content:"|12 01 03 00|"; byte_test:4,>,8,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5097; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35361; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader DC TIFF orientation heap buffer overflow attempt"; flow:to_client,established; file_data; content:"II*|00|"; depth:4; content:"|12 01 03 00|"; byte_test:4,>,8,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5097; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35360; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat GIF to PDF conversion heap overflow attempt"; flow:to_server,established; file_data; content:"|F6 FF 00 2D 59 B2 01 42 60 1D 34 64 72 74 49 90 40 A0 43 87 F9 04 C2 98 31 A3 80 84 02 07 0A 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5096; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35752; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat GIF to PDF conversion heap overflow attempt"; flow:to_client,established; file_data; content:"|F6 FF 00 2D 59 B2 01 42 60 1D 34 64 72 74 49 90 40 A0 43 87 F9 04 C2 98 31 A3 80 84 02 07 0A 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5096; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35751; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt"; flow:to_server,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; content:"|00 03 11 11|"; within:4; distance:60; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5105; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35799; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt"; flow:to_client,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; content:"|00 03 11 11|"; within:4; distance:60; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5105; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35798; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_test:4,>,83386080,0,little,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,11171; reference:cve,2004-0904; reference:cve,2008-3015; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=255067; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-052; classtype:attempted-admin; sid:35848; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|42 4D|"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; content:"|01 00 04 00|"; within:4; distance:8; content:!"|00|"; within:1; content:"|01 02 03 04 01 02 03 04 01 02 03 04 01 02 03 04 01 02 03 04 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3664; classtype:attempted-user; sid:36310; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|42 4D|"; depth:2; content:"|6C 00 00 00|"; within:4; distance:12; byte_test:4,<,6,0,relative,little; content:"|01 00 04 00|"; within:4; distance:8; content:!"|00|"; within:1; content:"|00 01|"; within:2; distance:90; byte_test:1,>,0x21,-4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3664; classtype:attempted-user; sid:36309; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.bmp; content:"|42 4D|"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; content:"|01 00 04 00|"; within:4; distance:8; content:!"|00|"; within:1; content:"|01 02 03 04 01 02 03 04 01 02 03 04 01 02 03 04 01 02 03 04 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3664; classtype:attempted-user; sid:36308; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.bmp; content:"|42 4D|"; depth:2; content:"|6C 00 00 00|"; within:4; distance:12; byte_test:4,<,6,0,relative,little; content:"|01 00 04 00|"; within:4; distance:8; content:!"|00|"; within:1; content:"|00 01|"; within:2; distance:90; byte_test:1,>,0x21,-4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3664; classtype:attempted-user; sid:36307; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt"; flow:to_server,established; file_data; content:"|FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 CB A2 8A 2B F1 73 F8 0C 28 A2 8A 00 28 A2 8A 00 28 A2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-005; classtype:attempted-user; sid:36818; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt"; flow:to_client,established; file_data; content:"|FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 CB A2 8A 2B F1 73 F8 0C 28 A2 8A 00 28 A2 8A 00 28 A2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-005; classtype:attempted-user; sid:36817; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows malformed WMF meta escape record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"WMFC|01 00 00 00|"; byte_test:4,>,1000000,14,relative,little; metadata:service smtp; reference:cve,2009-2500; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:36856; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt"; flow:to_client,established; file_data; content:"|FF C0 00 11 08 FF 37 55 99 03 01 22 00 02 11 01 03 11 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-005; classtype:attempted-user; sid:36884; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|02 7C B3 03 84 CB 3B 72 65 E4 39 0B DA 46 1D D3 66 20 67 4C 8E 84 23 F5 15 6F 6E 43 F4 56 0E 62|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37342; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|02 7C B3 03 84 CB 3B 72 65 E4 39 0B DA 46 1D D3 66 20 67 4C 8E 84 23 F5 15 6F 6E 43 F4 56 0E 62|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37341; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|1F A1 54 D5 FD 6B 92 22 20 5A 72 55 C7 7B 52 5C 82 2F 8F 80 50 39 AB B5 78 88 EB 5C EA 18 B8 CB|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37340; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|1F A1 54 D5 FD 6B 92 22 20 5A 72 55 C7 7B 52 5C 82 2F 8F 80 50 39 AB B5 78 88 EB 5C EA 18 B8 CB|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37339; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|0E EF BF F8 89 33 16 46 C1 1A 7D A6 0F 38 9E CB 98 38 28 34 B8 3C 73 7D B8 8A DD 05 F7 C4 1A 51|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37338; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|0E EF BF F8 89 33 16 46 C1 1A 7D A6 0F 38 9E CB 98 38 28 34 B8 3C 73 7D B8 8A DD 05 F7 C4 1A 51|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37337; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|2D 3D 77 CC 54 83 C4 82 6E 71 93 EA 5A 79 AF D9 43 5B CE 72 3E 49 79 FC C0 CF B6 07 DB 1D 4C 95|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37336; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|2D 3D 77 CC 54 83 C4 82 6E 71 93 EA 5A 79 AF D9 43 5B CE 72 3E 49 79 FC C0 CF B6 07 DB 1D 4C 95|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37335; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|23 B3 C5 E5 68 E1 2D 09 38 6F 07 5A 3C 08 6C 71 40 39 9E 18 EE 6D 3E 4D 5E 69 39 D1 03 FB B6 7B|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37334; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|23 B3 C5 E5 68 E1 2D 09 38 6F 07 5A 3C 08 6C 71 40 39 9E 18 EE 6D 3E 4D 5E 69 39 D1 03 FB B6 7B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37333; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00 84 17 00 00 80 10 60 64 18 19 04 E2 08 04 01 C0 00 C0 48 01 E8 F7 7C 00 00 20 80 08|"; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37332; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00 84 17 00 00 80 10 60 64 18 19 04 E2 08 04 01 C0 00 C0 48 01 E8 F7 7C 00 00 20 80 08|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37331; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|65 3D CC C4 E2 AD 07 42 3E EB 1A EE 87 77 B9 3E 95 72 FC E5 B9 19 9D D2 55 68 1E D8 3F C3 C4 0D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37330; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|80 38 9B CD 97 FB A5 C8 B8 00 0C 06 6E 00 00 10 0C 03 00 00 1F EF F8 8C 56 2D 17 8A BF DF D1 10|"; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37329; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|65 3D CC C4 E2 AD 07 42 3E EB 1A EE 87 77 B9 3E 95 72 FC E5 B9 19 9D D2 55 68 1E D8 3F C3 C4 0D|"; metadata:service smtp; reference:cve,2012-5679; reference:url,www.adobe.com/support/security/bulletins/apsb12-28.html; classtype:attempted-user; sid:37328; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI metafile integer overflow attempt"; flow:to_server,established; file_data; content:"|D7 CD C6 9A 00 00|"; depth:6; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|0B 02|"; within:2; distance:18; byte_test:4,>,0x7FFFC002,-6,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:attempted-user; sid:37879; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows GDI metafile integer overflow attempt"; flow:to_server,established; file_data; content:"|01 00 09 00 00 03|"; depth:6; content:"|13 02 32 00 96 00 03|"; byte_test:4,>,0x7FFFC002,-11,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:attempted-user; sid:37878; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI metafile integer overflow attempt"; flow:to_client,established; file_data; content:"|D7 CD C6 9A 00 00|"; depth:6; content:"|00 00 00 00|"; within:4; distance:10; content:"|09 00|"; within:2; distance:4; content:"|0B 02|"; within:2; distance:18; byte_test:4,>,0x7FFFC002,-6,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:attempted-user; sid:37877; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows GDI metafile integer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 09 00 00 03|"; depth:6; content:"|13 02 32 00 96 00 03|"; byte_test:4,>,0x7FFFC002,-11,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,25302; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; classtype:attempted-user; sid:37876; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"fill"; nocase; content:"url|28|https:"; distance:0; nocase; pcre:"/fill\s+url\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38744; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"<image"; nocase; content:"xlink:href"; distance:0; nocase; pcre:"/xlink\x3ahref\s*=\s*[\x22\x27](h|&\x23(x0*68|0*104)\x3b)(t|&\x23(x0*74|0*116)\x3b){2}(p|&\x23(x0*70|0*112)\x3b)(s|&\x23(x0*73|0*115)\x3b)[^\x22\x27]*?&(quot|\x230*34|\x23x0*22)\x3b/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38743; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"fill"; nocase; content:"https:"; distance:0; nocase; pcre:"/fill\s+\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38871; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"stroke"; nocase; content:"url|28|https:"; distance:0; nocase; pcre:"/stroke\s+url\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38948; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"stroke"; nocase; content:"https:"; distance:0; nocase; pcre:"/stroke\s+\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38947; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"image"; nocase; content:"|28|https:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27]*?\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38946; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_server,established; file_data; content:"image"; nocase; content:"https:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27]*?\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:38945; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"stroke"; nocase; content:"url|28|https:"; distance:0; nocase; pcre:"/stroke\s+url\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39006; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"stroke"; nocase; content:"https:"; distance:0; nocase; pcre:"/stroke\s+\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39005; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"image"; nocase; content:"|28|https:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27]*?\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39004; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"image"; nocase; content:"https:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27]*?\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39003; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"fill"; nocase; content:"url|28|https:"; distance:0; nocase; pcre:"/fill\s+url\x28https\x3a[^\x29]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39002; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"viewbox"; fast_pattern:only; content:"fill"; nocase; content:"https:"; distance:0; nocase; pcre:"/fill\s+\x27(url\x28)?https\x3a[^\x27]*?\x22/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39001; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt"; flow:to_client,established; file_data; content:"<image"; nocase; content:"xlink:href"; distance:0; nocase; pcre:"/xlink\x3ahref\s*=\s*[\x22\x27](h|&\x23(x0*68|0*104)\x3b)(t|&\x23(x0*74|0*116)\x3b){2}(p|&\x23(x0*70|0*112)\x3b)(s|&\x23(x0*73|0*115)\x3b)[^\x22\x27]*?&(quot|\x230*34|\x23x0*22)\x3b/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,89848; reference:cve,2016-3714; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?t=29588; classtype:attempted-user; sid:39000; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_server,established; file_data; content:"viewbox "; fast_pattern:only; content:"stroke "; nocase; content:"|7C|"; distance:0; pcre:"/stroke\s+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:cve,2016-5118; classtype:attempted-user; sid:39097; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_server,established; file_data; content:"viewbox "; fast_pattern:only; content:"image "; nocase; content:"|7C|"; distance:0; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:cve,2016-5118; classtype:attempted-user; sid:39096; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_server,established; file_data; content:"viewbox "; fast_pattern:only; content:"fill "; nocase; content:"|7C|"; distance:0; pcre:"/fill\s+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:cve,2016-5118; classtype:attempted-user; sid:39095; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_server,established; file_data; content:"<image"; nocase; content:"xlink:href"; distance:0; nocase; content:"|7C|"; distance:0; pcre:"/xlink\x3ahref\s*=\s*[\x22\x27]\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:cve,2016-5118; classtype:attempted-user; sid:39094; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_client,established; file_data; content:"viewbox "; fast_pattern:only; content:"stroke "; nocase; content:"|7C|"; distance:0; pcre:"/stroke\s+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5118; classtype:attempted-user; sid:39093; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_client,established; file_data; content:"viewbox "; fast_pattern:only; content:"image "; nocase; content:"|7C|"; distance:0; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5118; classtype:attempted-user; sid:39092; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_client,established; file_data; content:"viewbox "; fast_pattern:only; content:"fill "; nocase; content:"|7C|"; distance:0; pcre:"/fill\s+[^\x28\x27\x22]*?[\x28\x27\x22](url\x28)?\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5118; classtype:attempted-user; sid:39091; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick and GraphicsMagick OpenBlob command injection attempt"; flow:to_client,established; file_data; content:"<image"; nocase; content:"xlink:href"; distance:0; nocase; content:"|7C|"; distance:0; pcre:"/xlink\x3ahref\s*=\s*[\x22\x27]\x7c/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5118; classtype:attempted-user; sid:39090; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 31 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39115; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|31 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39114; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 32 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39113; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|32 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39112; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 31 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39147; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|31 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39146; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 31 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39145; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|31 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39144; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 32 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39143; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; depth:2; offset:20; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|32 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 30; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39142; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 32 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39141; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|32 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39140; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 31 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39139; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|31 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39138; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative; content:"Exif|00 00|MM|00 2A 00 00 00 08|"; within:14; distance:2; content:"|01 32 00 02|"; within:300; fast_pattern; byte_jump:4,4,relative,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39137; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; byte_test:2,>,250,0,relative,little; content:"Exif|00 00|II|2A 00 08 00 00 00|"; within:14; distance:2; content:"|32 01 02 00|"; within:300; fast_pattern; byte_jump:4,4,relative,little,from_beginning,post_offset 12; isdataat:250,relative; content:!"|00|"; within:250; content:!"|20|"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1076; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39136; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple Core Graphics BMP img_decode_read memory corruption attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_test:1,!&,0x80,7,relative; byte_test:4,>,0xFF00,4,relative,little; byte_extract:4,4,biHeight,relative,little; byte_test:4,<,biHeight,2,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4637; reference:url,support.apple.com/en-us/HT206903; reference:url,www.talosintelligence.com/reports/TALOS-2016-0186/; classtype:attempted-user; sid:39684; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Core Graphics BMP img_decode_read memory corruption attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_test:1,!&,0x80,7,relative; byte_test:4,>,0xFF00,4,relative,little; byte_extract:4,4,biHeight,relative,little; byte_test:4,<,biHeight,2,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4637; reference:url,support.apple.com/en-us/HT206903; reference:url,www.talosintelligence.com/reports/TALOS-2016-0186/; classtype:attempted-user; sid:39683; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|92 86|"; byte_jump:4,6,relative,big,from_beginning; content:"JIS|00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40248; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|86 92|"; byte_jump:4,6,relative,little,from_beginning; content:"JIS|00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40247; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|92 86|"; byte_jump:4,6,relative,big,from_beginning; content:"JIS|00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40246; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|86 92|"; byte_jump:4,6,relative,little,from_beginning; content:"JIS|00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40245; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|92 86|"; http_client_body; byte_extract:4,6,offset,relative,big; content:"|0D 0A 0D 0A|"; http_client_body; content:"JIS|00 00 00 00 00|"; within:8; distance:offset; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40244; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; content:"|86 92|"; http_client_body; byte_extract:4,6,offset,relative,little; content:"|0D 0A 0D 0A|"; http_client_body; content:"JIS|00 00 00 00 00|"; within:8; distance:offset; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40243; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|92 7C 00 04|"; byte_test:4,>,30000000,8,relative,big; metadata:service smtp; reference:cve,2016-6291; reference:url,bugs.php.net/bug.php?id=72603; classtype:attempted-user; sid:40297; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|7C 92 04 00|"; byte_test:4,>,30000000,8,relative,little; metadata:service smtp; reference:cve,2016-6291; reference:url,bugs.php.net/bug.php?id=72603; classtype:attempted-user; sid:40296; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|92 7C 00 04|"; byte_test:4,>,30000000,8,relative,big; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-6291; reference:url,bugs.php.net/bug.php?id=72603; classtype:attempted-user; sid:40295; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|7C 92 04 00|"; byte_test:4,>,30000000,8,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-6291; reference:url,bugs.php.net/bug.php?id=72603; classtype:attempted-user; sid:40294; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt"; flow:to_server,established; file_data; isdataat:!14; content:"|FF D8 FF E0 00 10|"; depth:6; isdataat:1,relative; content:!"|4A 46|"; within:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7212; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-130; classtype:attempted-user; sid:40646; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt"; flow:to_client,established; file_data; isdataat:!14; content:"|FF D8 FF E0 00 10|"; depth:6; isdataat:1,relative; content:!"|4A 46|"; within:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7212; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-130; classtype:attempted-user; sid:40645; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ImageMagick LibTIFF invalid SamplesPerPixel buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|06 01 03 00 01 00 00 00 02 00|"; fast_pattern:only; content:"|1C 01 03 00 01 00 00 00 01 00|"; content:"|15 01 03 00 01 00 00 00|"; byte_test:2,<,3,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8707; reference:url,www.talosintelligence.com/reports/TALOS-2016-0216; classtype:attempted-user; sid:40915; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick LibTIFF invalid SamplesPerPixel buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|06 01 03 00 01 00 00 00 02 00|"; fast_pattern:only; content:"|1C 01 03 00 01 00 00 00 01 00|"; content:"|15 01 03 00 01 00 00 00|"; byte_test:2,<,3,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8707; reference:url,www.talosintelligence.com/reports/TALOS-2016-0216; classtype:attempted-user; sid:40914; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,25] (msg:"FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt"; flow:to_server,established; file_data; content:"/OutputICCProfile"; nocase; content:"%pipe%"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service smtp; reference:url,seclists.org/fulldisclosure/2016/Oct/77; classtype:attempted-user; sid:41121; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt"; flow:to_client,established; file_data; content:"/OutputICCProfile"; nocase; content:"%pipe%"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,seclists.org/fulldisclosure/2016/Oct/77; classtype:attempted-user; sid:41120; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"MM|00 2A|"; depth:4; content:"|01 01 00 03 00 00 00 01|"; content:"|01 06 00 03|"; within:100; distance:-50; byte_test:1,&,0x80,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41184; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|06 01 03 00|"; within:100; distance:-50; byte_test:1,&,0x80,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41183; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"MM|00 2A|"; depth:4; content:"|01 01 00 03 00 00 00 01|"; content:"|01 06 00 03|"; within:100; distance:-50; byte_test:1,&,0x80,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41182; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|06 01 03 00|"; within:100; distance:-50; byte_test:1,&,0x80,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41181; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED 00 00|"; within:23; distance:2; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41149; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED|"; within:21; distance:2; content:!"|00|"; within:1; byte_test:1,!&,1,0,relative; byte_jump:1,0,relative; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41148; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED|"; within:21; distance:2; byte_test:1,&,1,0,relative; byte_jump:1,0,relative,post_offset 1; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41147; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED 00 00|"; within:23; distance:2; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41146; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED|"; within:21; distance:2; content:!"|00|"; within:1; byte_test:1,!&,1,0,relative; byte_jump:1,0,relative; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41145; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF ED|"; content:"Photoshop 3.0|00|8BIM|03 ED|"; within:21; distance:2; byte_test:1,&,1,0,relative; byte_jump:1,0,relative,post_offset 1; byte_test:4,>,0x100000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2964; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41144; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.jpeg|file.xps; file_data; content:"|FF E0|"; content:"JFIF"; within:4; distance:2; content:"|FF E2|"; distance:0; content:"ICC_PROFILE|00|"; within:12; distance:2; content:!"|00|"; within:1; content:"|00|"; within:1; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16383; reference:cve,2017-2959; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-admin; sid:41203; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.jpeg|file.xps; file_data; content:"|FF E0|"; content:"JFIF"; within:4; distance:2; content:"|FF E2|"; distance:0; content:"ICC_PROFILE|00|"; within:12; distance:2; content:!"|00|"; within:1; content:"|00|"; within:1; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16383; reference:cve,2017-2959; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-admin; sid:41202; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt"; flow:to_server,established; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|31 01 02 00|"; within:300; distance:-50; byte_test:1,&,0x80,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2965; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41201; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt"; flow:to_client,established; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|31 01 02 00|"; within:300; distance:-50; byte_test:1,&,0x80,3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2965; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41200; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 01 00 03 00 00 00 01|"; content:"|01 31 00 02|"; within:300; distance:-50; byte_test:1,&,0x80,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2965; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41199; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 01 00 03 00 00 00 01|"; content:"|01 31 00 02|"; within:300; distance:-50; byte_test:1,&,0x80,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2965; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41198; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|80 90 60 70 40 50 10 20 30 AF FD A0 00 80 10 10 00 00 00 1B FC 00 00 00 00 10 00 00 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41305; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|04 05 01 02 03 0A FF DA 00 08 01 01 00 00 00 01 BF C0 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1C 1C 1F 63 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41304; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_server,established; file_data; content:"4050102030affda0008010100000001bfc00000000800000"; fast_pattern:only; metadata:service smtp; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41303; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_server,established; file_data; content:"00801010000000001feAA|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41302; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|04 05 01 02 03 0A FF DA 00 08 01 01 00 00 00 01 BF C0 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1C 1C 1F 63 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41301; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_client,established; file_data; content:"809060704050102030affda0008010100000001bfc0000000010000000000000"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41300; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_client,established; file_data; content:"4050102030affda0008010100000001bfc00000000800000"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41299; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt"; flow:to_client,established; file_data; content:"00801010000000001feAA|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2971; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.talosintelligence.com/reports/TALOS-2016-0259/; classtype:attempted-user; sid:41298; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; content:"Exif|00 00|II"; within:8; distance:2; byte_jump:4,2,relative,little; content:"|69 87 04 00 01 00 00 00|"; distance:0; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,jumpval,relative; content:"Exif|00 00|"; within:200; distance:-200; byte_test:2,>,50,jumpval,relative,little; content:"|01 02|"; within:150; distance:jumpval; byte_test:2,>,12,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2960; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-admin; sid:41341; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; content:"Exif|00 00|II"; within:8; distance:2; byte_jump:4,2,relative,little; content:"|69 87 04 00 01 00 00 00|"; distance:0; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,jumpval,relative; content:"Exif|00 00|"; within:200; distance:-200; byte_test:2,>,50,jumpval,relative,little; content:"|01 02|"; within:150; distance:jumpval; byte_test:2,>,12,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2960; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-admin; sid:41340; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; content:"Exif|00 00|MM"; within:8; distance:2; byte_jump:4,2,relative; content:"|87 69 00 04 00 00 00 01|"; distance:0; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,jumpval,relative; content:"Exif|00 00|"; within:200; distance:-200; byte_test:2,>,50,jumpval,relative; content:"|02 01|"; within:150; distance:jumpval; byte_test:2,>,12,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2960; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-admin; sid:41339; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E1|"; content:"Exif|00 00|MM"; within:8; distance:2; byte_jump:4,2,relative; content:"|87 69 00 04 00 00 00 01|"; distance:0; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,jumpval,relative; content:"Exif|00 00|"; within:200; distance:-200; byte_test:2,>,50,jumpval,relative; content:"|02 01|"; within:150; distance:jumpval; byte_test:2,>,12,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2960; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-admin; sid:41338; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"MM|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|00 07 87 73|"; within:300; distance:-50; byte_extract:4,0,count,relative; byte_jump:4,0,relative,post_offset -8; byte_test:4,>,count,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41398; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"MM|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|00 07 87 73|"; within:300; distance:-50; byte_extract:4,0,count,relative; byte_jump:4,0,relative,post_offset -8; byte_test:4,>,count,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41397; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|73 87 07 00|"; within:300; distance:-50; byte_extract:4,0,count,relative,little; byte_jump:4,0,relative,little,post_offset -8; byte_test:4,>,count,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41396; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|73 87 07 00|"; within:300; distance:-50; byte_extract:4,0,count,relative,little; byte_jump:4,0,relative,little,post_offset -8; byte_test:4,>,count,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41395; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"MM|2A 00|"; depth:4; content:"|01 01 04 00 01 00 00 00|"; content:"|00 07 87 73|"; within:300; distance:-50; byte_extract:4,0,count,relative; byte_jump:4,0,relative,post_offset -8; byte_test:4,>,count,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41394; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"MM|2A 00|"; depth:4; content:"|01 01 04 00 01 00 00 00|"; content:"|00 07 87 73|"; within:300; distance:-50; byte_extract:4,0,count,relative; byte_jump:4,0,relative,post_offset -8; byte_test:4,>,count,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41393; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 04 00 01 00 00 00|"; content:"|73 87 07 00|"; within:300; distance:-50; byte_extract:4,0,count,relative,little; byte_jump:4,0,relative,little,post_offset -8; byte_test:4,>,count,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41392; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF ICC tag heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 04 00 01 00 00 00|"; content:"|73 87 07 00|"; within:300; distance:-50; byte_extract:4,0,count,relative,little; byte_jump:4,0,relative,little,post_offset -8; byte_test:4,>,count,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2963; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41391; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt"; flow:to_server,established; file_data; content:"url|28|"; fast_pattern:only; pcre:"/(stroke|fill) +(\x22|\x27)url\x28(http|https|ftp)\x3A/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3717; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726; classtype:attempted-user; sid:41809; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt"; flow:to_client,established; file_data; content:"url|28|"; fast_pattern:only; pcre:"/(stroke|fill) +(\x22|\x27)url\x28(http|https|ftp)\x3A/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3717; reference:url,www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726; classtype:attempted-user; sid:41808; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GDI+ malformed EMF comment heap access violation attempt"; flow:to_server, established; file_data; content:"|01 00 00 00|"; depth:4; content:" EMF"; within:4; distance:36; content:"|46|"; distance:0; content:!"|00 00 00|"; within:3; content:"EMF+"; within:4; distance:11; content:"|46 00 00 00|"; byte_test:4,>,7500,0,relative,little; content:"EMF+"; within:4; distance:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-user; sid:41971; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE GDI+ malformed EMF comment heap access violation attempt"; flow:to_client, established; file_data; content:"|01 00 00 00|"; depth:4; content:" EMF"; within:4; distance:36; content:"|46|"; distance:0; content:!"|00 00 00|"; within:3; content:"EMF+"; within:4; distance:11; content:"|46 00 00 00|"; byte_test:4,>,7500,0,relative,little; content:"EMF+"; within:4; distance:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-user; sid:41970; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE GDI+ malformed EMF description out of bounds read attempt"; flow:to_server, established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; depth:44; fast_pattern; content:"|00 00|"; within:2; distance:14; content:!"|00 00 00 00|"; within:4; content:"|00 00 00 00|"; within:4; distance:4; metadata:service smtp; reference:cve,2017-0062; reference:cve,2018-12849; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-admin; sid:41947; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft GDI+ malformed EMF description out of bounds read attempt"; flow:to_client, established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; depth:44; fast_pattern; content:"|00 00|"; within:2; distance:14; content:!"|00 00 00 00|"; within:4; content:"|00 00 00 00|"; within:4; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0062; reference:cve,2018-12849; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-013; classtype:attempted-admin; sid:41946; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE libBPG restore_tqb_pixel out of bounds write attempt"; flow:to_server,established; file_data; content:"|42 50 47 FB 30 30 15 15 00 03 AD 47 30 03 30 30 30 44 09 C1 3B 3B 3B 3B 30 00 00 01 26 09 AE 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8710; reference:url,www.talosintelligence.com/reports/TALOS-2016-0223/; classtype:attempted-user; sid:41311; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libBPG restore_tqb_pixel out of bounds write attempt"; flow:to_client,established; file_data; content:"|42 50 47 FB 30 30 15 15 00 03 AD 47 30 03 30 30 30 44 09 C1 3B 3B 3B 3B 30 00 00 01 26 09 AE 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8710; reference:url,www.talosintelligence.com/reports/TALOS-2016-0223/; classtype:attempted-user; sid:41310; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|48 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service smtp; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40538; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|48 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40537; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|47 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service smtp; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40536; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|47 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40535; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|46 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service smtp; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40534; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE LibTIFF FAX IFD entry parsing type confusion attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|01 01 03 00 01 00 00 00|"; content:"|46 01|"; within:100; distance:-50; content:"|01 00 00 00|"; within:4; distance:2; content:!"|03 01|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:40533; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE LibTIFF tiff2pdf JPEG compression tables heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|03 01 03 00 01 00 00 00 07 00 00 00|"; content:"|5B 01 02 00|"; within:500; distance:-250; byte_jump:4,4,relative,little,from_beginning; isdataat:2,relative; content:!"|FF D8|"; within:2; metadata:service smtp; reference:cve,2016-5652; reference:url,www.talosintelligence.com/reports/TALOS-2016-0187/; classtype:attempted-user; sid:40526; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE LibTIFF tiff2pdf JPEG compression tables heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"II|2A 00|"; depth:4; content:"|03 01 03 00 01 00 00 00 07 00 00 00|"; content:"|5B 01 02 00|"; within:500; distance:-250; byte_jump:4,4,relative,little,from_beginning; isdataat:2,relative; content:!"|FF D8|"; within:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-5652; reference:url,www.talosintelligence.com/reports/TALOS-2016-0187/; classtype:attempted-user; sid:40525; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE OpenJPEG JPEG2000 MCC record parsing heap memory corruption attempt"; flow:to_server,established; file_data; content:"jp2c|FF 4F FF 51|"; content:"|FF 75|"; within:500; content:"|00|"; within:1; distance:2; byte_jump:2,-3,relative,post_offset -2; content:"|FF 75|"; within:2; content:"|00|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8332; reference:url,www.talosintelligence.com/reports/TALOS-2016-0193/; classtype:attempted-user; sid:40315; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE OpenJPEG JPEG2000 MCC record parsing heap memory corruption attempt"; flow:to_client,established; file_data; content:"jp2c|FF 4F FF 51|"; content:"|FF 75|"; within:500; content:"|00|"; within:1; distance:2; byte_jump:2,-3,relative,post_offset -2; content:"|FF 75|"; within:2; content:"|00|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8332; reference:url,www.talosintelligence.com/reports/TALOS-2016-0193/; classtype:attempted-user; sid:40314; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE FreeImage library XPM handling out of bounds write attempt"; flow:to_server,established; file_data; content:" XPM "; depth:25; fast_pattern; content:"char"; pcre:"/\x2f\x2a\s+XPM\s+\x2a\x2f[^\x7b]*?\x7b\s*\x22\s*(\d+\s+){3}\d{4}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5684; reference:url,www.talosintelligence.com/reports/TALOS-2016-0189; classtype:attempted-user; sid:39884; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE FreeImage library XPM handling out of bounds write attempt"; flow:to_client,established; file_data; content:" XPM "; depth:25; fast_pattern; content:"char"; pcre:"/\x2f\x2a\s+XPM\s+\x2a\x2f[^\x7b]*?\x7b\s*\x22\s*(\d+\s+){3}\d{4}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5684; reference:url,www.talosintelligence.com/reports/TALOS-2016-0189; classtype:attempted-user; sid:39883; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle OIT CYMK TIFF parsing heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 06 00 03 00 00 00 01 00 05 00 00|"; fast_pattern:only; content:"|01 15 00 03 00 00 00 01|"; byte_test:2,<,4,0,relative; metadata:service smtp; reference:cve,2016-3582; reference:url,www.talosintelligence.com/reports/TALOS-2016-0104; classtype:attempted-user; sid:39676; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle OIT CYMK TIFF parsing heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; fast_pattern:only; content:"|15 01 03 00 01 00 00 00|"; byte_test:2,<,4,0,relative,little; metadata:service smtp; reference:cve,2016-3582; reference:url,www.talosintelligence.com/reports/TALOS-2016-0104; classtype:attempted-user; sid:39675; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle OIT CYMK TIFF parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 06 00 03 00 00 00 01 00 05 00 00|"; fast_pattern:only; content:"|01 15 00 03 00 00 00 01|"; byte_test:2,<,4,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3582; reference:url,www.talosintelligence.com/reports/TALOS-2016-0104; classtype:attempted-user; sid:39674; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle OIT CYMK TIFF parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|06 01 03 00 01 00 00 00 05 00 00 00|"; fast_pattern:only; content:"|15 01 03 00 01 00 00 00|"; byte_test:2,<,4,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3582; reference:url,www.talosintelligence.com/reports/TALOS-2016-0104; classtype:attempted-user; sid:39673; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple OSX EXR image invalid box2i attribute heap buffer overflow attempt"; flow:to_server,established; file_data; content:"v/1|01|"; depth:4; content:"box2i|00|"; content:!"|10 00 00 00|"; within:4; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4629; reference:url,www.talosintelligence.com/reports/TALOS-2016-0180; classtype:attempted-user; sid:39635; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple OSX EXR image invalid box2i attribute heap buffer overflow attempt"; flow:to_client,established; file_data; content:"v/1|01|"; depth:4; content:"box2i|00|"; content:!"|10 00 00 00|"; within:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4629; reference:url,www.talosintelligence.com/reports/TALOS-2016-0180; classtype:attempted-user; sid:39634; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 04 00 00 00 01|"; byte_extract:4,0,imgWidth,relative,big; content:"|01 42 00 04 00 00 00 01|"; byte_test:4,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39632; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 04 00 01 00 00 00|"; byte_extract:4,0,imgWidth,relative,little; content:"|42 01 04 00 01 00 00 00|"; byte_test:4,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39631; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 04 00 00 00 01|"; byte_extract:4,0,imgLength,relative,big; content:"|01 43 00 04 00 00 00 01|"; byte_test:4,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39630; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 04 00 01 00 00 00|"; byte_extract:4,0,imgLength,relative,little; content:"|43 01 04 00 01 00 00 00|"; byte_test:4,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39629; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 04 00 00 00 01|"; byte_extract:4,0,imgWidth,relative,big; content:"|01 42 00 03 00 00 00 01|"; byte_test:2,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39628; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 04 00 01 00 00 00|"; byte_extract:4,0,imgWidth,relative,little; content:"|42 01 03 00 01 00 00 00|"; byte_test:2,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39627; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 04 00 00 00 01|"; byte_extract:4,0,imgLength,relative,big; content:"|01 43 00 03 00 00 00 01|"; byte_test:2,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39626; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 04 00 01 00 00 00|"; byte_extract:4,0,imgLength,relative,little; content:"|43 01 03 00 01 00 00 00|"; byte_test:2,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39625; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 04 00 00 00 01|"; byte_extract:4,0,imgWidth,relative,big; content:"|01 42 00 04 00 00 00 01|"; byte_test:4,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39624; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 04 00 01 00 00 00|"; byte_extract:4,0,imgWidth,relative,little; content:"|42 01 04 00 01 00 00 00|"; byte_test:4,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39623; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 04 00 00 00 01|"; byte_extract:4,0,imgLength,relative,big; content:"|01 43 00 04 00 00 00 01|"; byte_test:4,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205/; classtype:attempted-user; sid:39622; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 04 00 01 00 00 00|"; byte_extract:4,0,imgLength,relative,little; content:"|43 01 04 00 01 00 00 00|"; byte_test:4,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39621; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 04 00 00 00 01|"; byte_extract:4,0,imgWidth,relative,big; content:"|01 42 00 03 00 00 00 01|"; byte_test:2,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39620; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 04 00 01 00 00 00|"; byte_extract:4,0,imgWidth,relative,little; content:"|42 01 03 00 01 00 00 00|"; byte_test:2,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39619; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 04 00 00 00 01|"; byte_extract:4,0,imgLength,relative,big; content:"|01 43 00 03 00 00 00 01|"; byte_test:2,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39618; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 04 00 01 00 00 00|"; byte_extract:4,0,imgLength,relative,little; content:"|43 01 03 00 01 00 00 00|"; byte_test:2,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39617; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 03 00 00 00 01|"; byte_extract:2,0,imgWidth,relative,big; content:"|01 42 00 04 00 00 00 01|"; byte_test:4,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39616; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 03 00 01 00 00 00|"; byte_extract:2,0,imgWidth,relative,little; content:"|42 01 04 00 01 00 00 00|"; byte_test:4,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:cve,2017-2870; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; reference:url,www.talosintelligence.com/reports/TALOS-2017-0377; classtype:attempted-user; sid:39615; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 03 00 00 00 01|"; byte_extract:2,0,imgLength,relative,big; content:"|01 43 00 04 00 00 00 01|"; byte_test:4,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39614; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 03 00 01 00 00 00|"; byte_extract:2,0,imgLength,relative,little; content:"|43 01 04 00 01 00 00 00|"; byte_test:4,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39613; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 03 00 00 00 01|"; byte_extract:2,0,imgWidth,relative,big; content:"|01 42 00 03 00 00 00 01|"; byte_test:2,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39612; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 03 00 01 00 00 00|"; byte_extract:2,0,imgWidth,relative,little; content:"|42 01 03 00 01 00 00 00|"; byte_test:2,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39611; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 03 00 00 00 01|"; byte_extract:2,0,imgLength,relative,big; content:"|01 43 00 03 00 00 00 01|"; byte_test:2,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39610; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 03 00 01 00 00 00|"; byte_extract:2,0,imgLength,relative,little; content:"|43 01 03 00 01 00 00 00|"; byte_test:2,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39609; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 03 00 00 00 01|"; byte_extract:2,0,imgWidth,relative,big; content:"|01 42 00 04 00 00 00 01|"; byte_test:4,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39608; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 03 00 01 00 00 00|"; byte_extract:2,0,imgWidth,relative,little; content:"|42 01 04 00 01 00 00 00|"; byte_test:4,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:cve,2017-2870; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; reference:url,www.talosintelligence.com/reports/TALOS-2017-0377; classtype:attempted-user; sid:39607; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 03 00 00 00 01|"; byte_extract:2,0,imgLength,relative,big; content:"|01 43 00 04 00 00 00 01|"; byte_test:4,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39606; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 03 00 01 00 00 00|"; byte_extract:2,0,imgLength,relative,little; content:"|43 01 04 00 01 00 00 00|"; byte_test:4,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39605; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 00 00 03 00 00 00 01|"; byte_extract:2,0,imgWidth,relative,big; content:"|01 42 00 03 00 00 00 01|"; byte_test:2,>,imgWidth,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39604; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|00 01 03 00 01 00 00 00|"; byte_extract:2,0,imgWidth,relative,little; content:"|42 01 03 00 01 00 00 00|"; byte_test:2,>,imgWidth,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39603; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 01 00 03 00 00 00 01|"; byte_extract:2,0,imgLength,relative,big; content:"|01 43 00 03 00 00 00 01|"; byte_test:2,>,imgLength,0,relative,big; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39602; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|01 01 03 00 01 00 00 00|"; byte_extract:2,0,imgLength,relative,little; content:"|43 01 03 00 01 00 00 00|"; byte_test:2,>,imgLength,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4631; reference:cve,2016-5875; reference:url,www.talosintelligence.com/reports/TALOS-2016-0171; reference:url,www.talosintelligence.com/reports/TALOS-2016-0205; classtype:attempted-user; sid:39601; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple OSX EXR image tile size heap buffer overflow attempt"; flow:to_server,established; file_data; content:"v/1|01|"; depth:4; content:"compression|00 01 00 00 00 07|"; fast_pattern:only; content:"tiledesc|00|"; byte_test:1,&,0x80,7,relative; metadata:service smtp; reference:cve,2016-4630; reference:url,www.talosintelligence.com/reports/TALOS-2016-0181; classtype:attempted-user; sid:39600; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple OSX EXR image tile size heap buffer overflow attempt"; flow:to_client,established; file_data; content:"v/1|01|"; depth:4; content:"compression|00 01 00 00 00 07|"; fast_pattern:only; content:"tiledesc|00|"; byte_test:1,&,0x80,7,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4630; reference:url,www.talosintelligence.com/reports/TALOS-2016-0181; classtype:attempted-user; sid:39599; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle OIT BMP file parsing heap buffer overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; byte_test:4,>,16000,16,relative,little; content:!"|04 00|"; within:2; distance:26; content:"|02 00 00 00|"; within:4; distance:28; metadata:service smtp; reference:cve,2016-3596; reference:url,www.talosintelligence.com/reports/TALOS-2016-0163; classtype:attempted-user; sid:39596; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Oracle OIT BMP file parsing heap buffer overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; byte_test:4,>,16000,16,relative,little; content:!"|08 00|"; within:2; distance:26; content:"|01 00 00 00|"; within:4; distance:28; metadata:service smtp; reference:cve,2016-3596; reference:url,www.talosintelligence.com/reports/TALOS-2016-0163; classtype:attempted-user; sid:39595; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle OIT BMP file parsing heap buffer overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; byte_test:4,>,16000,16,relative,little; content:!"|04 00|"; within:2; distance:26; content:"|02 00 00 00|"; within:4; distance:28; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3596; reference:url,www.talosintelligence.com/reports/TALOS-2016-0163; classtype:attempted-user; sid:39594; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Oracle OIT BMP file parsing heap buffer overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; byte_test:4,>,16000,16,relative,little; content:!"|08 00|"; within:2; distance:26; content:"|01 00 00 00|"; within:4; distance:28; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3596; reference:url,www.talosintelligence.com/reports/TALOS-2016-0163; classtype:attempted-user; sid:39593; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF memory corruption attempt"; flow:to_server,established; file_data; content:"|02 84 BC 8F A9 CB 8D 00 0C 8C AE CA 10 A0 4D 53 77 8C 3D 1B A5 00 58 37 8D 8C 99 81 2C D9 C0 CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3050; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42219; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed GIF memory corruption attempt"; flow:to_client,established; file_data; content:"|02 84 BC 8F A9 CB 8D 00 0C 8C AE CA 10 A0 4D 53 77 8C 3D 1B A5 00 58 37 8D 8C 99 81 2C D9 C0 CF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3050; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42218; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt"; flow:to_server,established; file_data; content:"|A0 02 00 04 00 00 00 01 00 00 01 21 A0 03 00 04 00 00 00 01 00 00 01 04 00 00 00 00 FF DB 00 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3051; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42325; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt"; flow:to_client,established; file_data; content:"|A0 02 00 04 00 00 00 01 00 00 01 21 A0 03 00 04 00 00 00 01 00 00 01 04 00 00 00 00 FF DB 00 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3051; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42324; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|00 2C|"; byte_test:1,<,0xFF,10,relative; byte_jump:1,10,relative; content:!"|00|"; within:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2790; classtype:denial-of-service; sid:42464; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|00 2C|"; byte_test:1,<,0xFF,10,relative; byte_jump:1,10,relative; content:!"|00|"; within:1; metadata:service smtp; reference:cve,2015-2790; classtype:denial-of-service; sid:42463; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt"; flow:to_server,established; file_data; content:"|4D 4D 2A 00|"; depth:4; byte_jump:4,0,relative,from_beginning; content:"|01 17|"; byte_test:4,>,2,2,relative; byte_test:4,<,200,6,relative; metadata:service smtp; reference:cve,2017-3049; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42847; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt"; flow:to_client,established; file_data; content:"|4D 4D 2A 00|"; depth:4; byte_jump:4,0,relative,from_beginning; content:"|01 17|"; byte_test:4,>,2,2,relative; byte_test:4,<,200,6,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3049; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42846; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_jump:4,0,relative,little,from_beginning; content:"|17 01|"; byte_test:4,>,2,2,relative,little; byte_test:4,<,200,6,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3049; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42845; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_jump:4,0,relative,little,from_beginning; content:"|17 01|"; byte_test:4,>,2,2,relative,little; byte_test:4,<,200,6,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3049; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42844; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"MM|2A 00|"; depth:4; content:"|01 53 00 03|"; distance:0; byte_test:4,>,2,0,relative,big; byte_jump:4,4,relative,big,from_beginning; byte_test:2,>,1,0,relative,big; metadata:service smtp; reference:cve,2017-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42940; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"MM|2A 00|"; depth:4; content:"|01 53 00 03|"; distance:0; byte_test:4,>,2,0,relative,big; byte_jump:4,4,relative,big,from_beginning; byte_test:2,>,1,0,relative,big; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42939; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt"; flow:to_server,established; flowbits:isset,file.xps|file.tiff.little; file_data; content:"|53 01 03 00|"; byte_test:4,>,2,0,relative,little; byte_jump:4,4,relative,little,from_beginning; byte_test:2,>,1,0,relative,little; metadata:service smtp; reference:cve,2017-16381; reference:cve,2017-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:42938; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt"; flow:to_client,established; flowbits:isset,file.xps|file.tiff.little; file_data; content:"|53 01 03 00|"; byte_test:4,>,2,0,relative,little; byte_jump:4,4,relative,little,from_beginning; byte_test:2,>,1,0,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16381; reference:cve,2017-3048; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:42937; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE multiple products PNG processing buffer overflow attempt"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; depth:16; pcre:"/\x89PNG\x0D\x0A\x1A\x0A\x00\x00\x00\x0DIHDR([^\x00]|\x00[^\x00]|.{4}[^\x00]|.{4}\x00[^\x00]|.{8}[\x11-\xff])/s"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34240; reference:cve,2009-1097; reference:cve,2017-3077; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-17.html; classtype:attempted-user; sid:43399; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|40 09|"; byte_test:4,>,0xF0000000,19,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:43362; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"|41 0B|"; byte_test:4,>,0xF0000000,23,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:43361; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"|40 09|"; byte_test:4,>,0xF0000000,19,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:43360; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|41 0B|"; byte_test:4,>,0xF0000000,23,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:43359; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; depth:2; content:"Exif"; within:4; distance:20; content:"II"; within:2; distance:2; byte_jump:4,2,relative,little,post_offset -4; byte_test:2,>,12,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7799; reference:url,github.com/ImageMagick/ImageMagick/issues/280; classtype:attempted-user; sid:43098; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; depth:2; content:"Exif"; within:4; distance:20; content:"II"; within:2; distance:2; byte_jump:4,2,relative,little,post_offset -4; byte_test:2,>,12,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7799; reference:url,github.com/ImageMagick/ImageMagick/issues/280; classtype:attempted-user; sid:43097; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; depth:2; content:"Exif"; within:4; distance:20; content:"MM"; within:2; distance:2; byte_jump:4,2,relative,post_offset -4; byte_test:2,>,12,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7799; reference:url,github.com/ImageMagick/ImageMagick/issues/280; classtype:attempted-user; sid:43096; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8|"; depth:2; content:"Exif"; within:4; distance:20; content:"MM"; within:2; distance:2; byte_jump:4,2,relative,post_offset -4; byte_test:2,>,12,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7799; reference:url,github.com/ImageMagick/ImageMagick/issues/280; classtype:attempted-user; sid:43095; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_server,established; file_data; content:"|D8 00 00 00 03 00 00 21 E0 00 00 00 00 00 00 24 28 01 00 00 01 00 00 24 5C 01 00 00 02 00 00 21|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1768; classtype:attempted-admin; sid:43052; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_client,established; file_data; content:"|D8 00 00 00 03 00 00 21 E0 00 00 00 00 00 00 24 28 01 00 00 01 00 00 24 5C 01 00 00 02 00 00 21|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1768; classtype:attempted-admin; sid:43051; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt"; flow:to_server,established; file_data; content:"GIF89"; depth:5; content:"|21 00|"; within:1024; content:"|2C 00 00 00 00 00 00 00 00|"; within:1024; byte_test:1,>=,0x85,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8730; reference:url,www.talosintelligence.com/reports/TALOS-2016-0244/; classtype:attempted-user; sid:42141; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt"; flow:to_client,established; file_data; content:"GIF89"; depth:5; content:"|21 00|"; within:1024; content:"|2C 00 00 00 00 00 00 00 00|"; within:1024; byte_test:1,>=,0x85,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8730; reference:url,www.talosintelligence.com/reports/TALOS-2016-0244/; classtype:attempted-user; sid:42140; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 00 00 03 00 00 00 01|"; content:"|01 01 00 01 00 00 00 00 00 00 00 00|"; within:100; distance:-50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2804; reference:url,www.talosintelligence.com/reports/TALOS-2017-0298/; classtype:attempted-user; sid:42091; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt"; flow:to_server,established; file_data; content:"II|2A 00|"; depth:4; content:"|00 01 03 00 01 00 00 00|"; content:"|01 01 01 00 00 00 00 00 00 00 00 00|"; within:100; distance:-50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2804; reference:url,www.talosintelligence.com/reports/TALOS-2017-0298/; classtype:attempted-user; sid:42090; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 00 00 03 00 00 00 01|"; content:"|01 01 00 01 00 00 00 00 00 00 00 00|"; within:100; distance:-50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2804; reference:url,www.talosintelligence.com/reports/TALOS-2017-0298/; classtype:attempted-user; sid:42089; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt"; flow:to_client,established; file_data; content:"II|2A 00|"; depth:4; content:"|00 01 03 00 01 00 00 00|"; content:"|01 01 01 00 00 00 00 00 00 00 00 00|"; within:100; distance:-50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2804; reference:url,www.talosintelligence.com/reports/TALOS-2017-0298/; classtype:attempted-user; sid:42088; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Corel Photo Paint invalid NewSubFileType memory corruption attempt"; flow:to_server,established; file_data; content:"II|2A 00|"; depth:4; byte_jump:4,0,relative,post_offset 2,from_beginning,little; content:"|FE 00 04 00|"; within:100; byte_test:1,>,0x7F,3,relative; byte_test:1,>,0x7F,7,relative; metadata:service smtp; reference:cve,2017-2803; reference:url,www.talosintelligence.com/reports/TALOS-2017-0297/; classtype:attempted-user; sid:42087; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Corel Photo Paint invalid NewSubFileType memory corruption attempt"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; byte_jump:4,0,relative,post_offset 2,from_beginning; content:"|00 FE 00 04|"; within:100; byte_test:1,>,0x7F,0,relative; byte_test:1,>,0x7F,4,relative; metadata:service smtp; reference:cve,2017-2803; reference:url,www.talosintelligence.com/reports/TALOS-2017-0297/; classtype:attempted-user; sid:42086; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Corel Photo Paint invalid NewSubFileType memory corruption attempt"; flow:to_client,established; file_data; content:"II|2A 00|"; depth:4; byte_jump:4,0,relative,post_offset 2,from_beginning,little; content:"|FE 00 04 00|"; within:100; byte_test:1,>,0x7F,3,relative; byte_test:1,>,0x7F,7,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2803; reference:url,www.talosintelligence.com/reports/TALOS-2017-0297/; classtype:attempted-user; sid:42085; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Corel Photo Paint invalid NewSubFileType memory corruption attempt"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; byte_jump:4,0,relative,post_offset 2,from_beginning; content:"|00 FE 00 04|"; within:100; byte_test:1,>,0x7F,0,relative; byte_test:1,>,0x7F,4,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2803; reference:url,www.talosintelligence.com/reports/TALOS-2017-0297/; classtype:attempted-user; sid:42084; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; byte_extract:2,2,ymin,relative,little; byte_test:2,<,ymin,2,relative,little; metadata:service smtp; reference:cve,2017-3116; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43874; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; byte_extract:2,2,ymin,relative,little; byte_test:2,<,ymin,2,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3116; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43873; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; byte_extract:2,0,xmin,relative,little; byte_test:2,<,xmin,2,relative,little; metadata:service smtp; reference:cve,2017-3124; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43872; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pcx; file_data; content:"|0A 05 01 08|"; depth:4; byte_extract:2,0,xmin,relative,little; byte_test:2,<,xmin,2,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3124; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43871; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Reader EMF EMR_MOVETOEX memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|00 00 1B 00 00 00|"; byte_test:4,>,0xFFFFFF,0,relative,little; content:"|00 00|"; within:2; distance:6; content:"|00 00|"; within:2; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3123; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43866; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader EMF EMR_MOVETOEX memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|00 00 1B 00 00 00|"; byte_test:4,>,0xFFFFFF,0,relative,little; content:"|00 00|"; within:2; distance:6; content:"|00 00|"; within:2; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3123; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43865; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt"; flow:to_server,established; file_data; content:"|FF 4F FF 51|"; depth:4; byte_test:4,>,0x3b9aca00,24,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11226; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43911; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt"; flow:to_server,established; file_data; content:"|FF 4F FF 51|"; depth:4; byte_test:4,>,0x3b9aca00,20,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11226; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43910; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt"; flow:to_client,established; file_data; content:"|FF 4F FF 51|"; depth:4; byte_test:4,>,0x3b9aca00,24,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11226; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43909; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt"; flow:to_client,established; file_data; content:"|FF 4F FF 51|"; depth:4; byte_test:4,>,0x3b9aca00,20,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11226; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43908; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|40 00 00 00 18 00 00 00|"; byte_test:4,>,0xFFFFFF,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11214; reference:cve,2018-15986; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43903; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|40 00 00 00 18 00 00 00|"; byte_test:4,>,0xFFFFFF,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11214; reference:cve,2018-15986; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43902; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.tiff.big; file_data; content:"|01 1C 00 03 00 00 00 01|"; content:!"|00 01 00 00|"; within:4; metadata:service smtp; reference:cve,2017-11234; reference:cve,2017-16396; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44026; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 1C 00 03 00 00 00 01|"; content:!"|00 01 00 00|"; within:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11234; reference:cve,2017-16396; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44025; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.tiff.little; file_data; content:"|1C 01 03 00 01 00 00 00|"; content:!"|01 00 00 00|"; within:4; metadata:service smtp; reference:cve,2017-11234; reference:cve,2018-15927; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44024; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|1C 01 03 00 01 00 00 00|"; content:!"|01 00 00 00|"; within:4; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11234; reference:cve,2018-15927; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44023; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE malformed png missing IHDR"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:!"|00 00 00 0D|IHDR"; within:9; metadata:service smtp; classtype:attempted-user; sid:44020; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE malformed png missing IHDR"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:!"|00 00 00 0D|IHDR"; within:9; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:44019; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; byte_jump:4,4,from_beginning; content:"|01 40 00 03|"; distance:0; byte_extract:4,0,count,relative,multiplier 2; byte_jump:4,0,relative,from_beginning; isdataat:!count,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11255; reference:cve,2017-16413; reference:cve,2019-7037; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:44062; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; byte_jump:4,4,from_beginning; content:"|01 40 00 03|"; distance:0; byte_extract:4,0,count,relative,multiplier 2; byte_jump:4,0,relative,from_beginning; isdataat:!count,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11255; reference:cve,2017-16413; reference:cve,2019-7037; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:44061; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_server,established,only_stream; file_data; content:"II|2A 00|"; depth:4; byte_jump:4,4,little,from_beginning; content:"|40 01 03 00|"; distance:0; byte_extract:4,0,count,relative,multiplier 2,little; byte_jump:4,0,relative,little,from_beginning; isdataat:!count,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11255; reference:cve,2017-16413; reference:cve,2018-12859; reference:cve,2018-15954; reference:cve,2018-15955; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44060; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt"; flow:to_client,established,only_stream; file_data; content:"II|2A 00|"; depth:4; byte_jump:4,4,little,from_beginning; content:"|40 01 03 00|"; distance:0; byte_extract:4,0,count,relative,multiplier 2,little; byte_jump:4,0,relative,little,from_beginning; isdataat:!count,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11255; reference:cve,2017-16413; reference:cve,2018-12859; reference:cve,2018-15954; reference:cve,2018-15955; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44059; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows metafile SetPaletteEntries heap overflow attempt"; flow:to_server,established; flowbits:isset,file.wmf; file_data; content:"|00 09 00|"; content:"|FF FF FF|"; distance:12; content:"|00|"; within:1; distance:2; pcre:"/[\x00\x01]\x00\x09\x00.*?\xff\xff\xff[\xff\xf7][\x36\x37]\x00/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15356; reference:cve,2005-2124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-053; classtype:attempted-user; sid:44128; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".png"; within:25; nocase; file_data; content:!"|89|PNG|0D 0A 1A 0A|"; depth:8; metadata:service smtp; reference:cve,2012-2940; classtype:denial-of-service; sid:44286; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Free Opener malformed JPEG file buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".jpg"; within:25; fast_pattern; nocase; file_data; content:!"|FF D8 FF|"; depth:3; metadata:service smtp; reference:url,www.softpedia.com/get/File-managers/Free-Opener.shtml; classtype:attempted-user; sid:44355; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt"; flow:to_server,established; file_data; content:"|00 9A 00 9F 00 A4 00 A9 00 AE 00 B2 00 B7 00 BC 00 C1 00 C6 00 CB 00 D0 00 D5 00 DB 00 E0 00 E5|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30597; reference:bugtraq,30598; reference:cve,2008-3018; reference:cve,2008-3021; classtype:attempted-user; sid:44456; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 9A 00 9F 00 A4 00 A9 00 AE 00 B2 00 B7 00 BC 00 C1 00 C6 00 CB 00 D0 00 D5 00 DB 00 E0 00 E5|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30597; reference:bugtraq,30598; reference:cve,2008-3018; reference:cve,2008-3021; classtype:attempted-user; sid:44455; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt"; flow:to_server,established; file_data; content:"|4C 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 0B 01 00 00 6B 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11248; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44551; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt"; flow:to_client,established; file_data; content:"|4C 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 0B 01 00 00 6B 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11248; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44550; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CommentExtension attempt"; flow:to_server,established; file_data; content:"|F5 57 13 0F 9E 9C 3C 05 8F 0D EC 45 49 71 E1 3C 67 82 B2 22 4E DA 34 52 49 56 61 56 98 DD C5 78 C2 D4 82 3C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16410; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44862; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CommentExtension attempt"; flow:to_client,established; file_data; content:"|F5 57 13 0F 9E 9C 3C 05 8F 0D EC 45 49 71 E1 3C 67 82 B2 22 4E DA 34 52 49 56 61 56 98 DD C5 78 C2 D4 82 3C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16410; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44861; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds"; flow:to_server,established; content:"|ED ED 72 B7 87 C9 5F 5D AD 97 B7 EB FD B9 CD DF 9F D0 7B 4B CE F6 B0 1F 1C 59 F5 ED BA EF FF 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16399; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44885; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds"; flow:to_client,established; content:"|ED ED 72 B7 87 C9 5F 5D AD 97 B7 EB FD B9 CD DF 9F D0 7B 4B CE F6 B0 1F 1C 59 F5 ED BA EF FF 0F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16399; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44884; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt"; flow:to_server,established; flowbits:isset, file.emf; file_data; content:"|51 00 00 00 88 02 00 00 78 1E 00 00 CC 10 00 00 07 20 00 00 5B 12 00 00 78 1E 00 00 CC 10 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16406; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44881; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt"; flow:to_client,established; flowbits:isset, file.emf; file_data; content:"|51 00 00 00 88 02 00 00 78 1E 00 00 CC 10 00 00 07 20 00 00 5B 12 00 00 78 1E 00 00 CC 10 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16406; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44880; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|06 00 00 00 00 00 E1 41 00 00 C8 3F 00 00 48 40 00 00 96 40 00 00 2F 41 00 00 C8 3F 02 10 C0 DB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16416; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44970; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|06 00 00 00 00 00 E1 41 00 00 C8 3F 00 00 48 40 00 00 96 40 00 00 2F 41 00 00 C8 3F 02 10 C0 DB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16416; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44969; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt"; flow:to_server,established; file_data; content:"|2F 00 00 27 10 00 00 0B AD 00 00 27 10 00 00 16 EE 00 00 27 10 00 00 04 74 00 00 00 00 00 00 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16382; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44960; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt"; flow:to_client,established; file_data; content:"|2F 00 00 27 10 00 00 0B AD 00 00 27 10 00 00 16 EE 00 00 27 10 00 00 04 74 00 00 00 00 00 00 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16382; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44959; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds write attempt"; flow:to_server,established; flowbits:isset, file.emf; file_data; content:"|FF 7F 00 00 9C 8F A9 CB 8D 00 0C 8C AE CA 10 A0 4D 53 77 8C 3D 1B A5 00 58 37 8D 8C 99 81 2C D9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16406; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44930; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds write attempt"; flow:to_client,established; flowbits:isset, file.emf; file_data; content:"|FF 7F 00 00 9C 8F A9 CB 8D 00 0C 8C AE CA 10 A0 4D 53 77 8C 3D 1B A5 00 58 37 8D 8C 99 81 2C D9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16406; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44929; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro invalid APP13 marker size attempt"; flow:to_server,established; file_data; flowbits:isset,file.jpeg; content:"|FF ED|"; byte_test:2,<,28,0,relative; content:"Photoshop 3.0|00|8BIM"; within:18; distance:2; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16386; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44913; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro invalid APP13 marker size attempt"; flow:to_client,established; file_data; flowbits:isset,file.jpeg; content:"|FF ED|"; byte_test:2,<,28,0,relative; content:"Photoshop 3.0|00|8BIM"; within:18; distance:2; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16386; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44912; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_client,established; file_data; content:"|80 75 A8 1B 4A 24 C2 01 04 00 00 00 41 41 41 41 04 00 00 00 00 00 E0 40 13 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 13 00 00 00 02 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1767; classtype:attempted-admin; sid:45186; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_server,established; file_data; content:"|80 75 A8 1B 4A 24 C2 01 04 00 00 00 41 41 41 41 04 00 00 00 00 00 E0 40 13 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 13 00 00 00 02 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1767; classtype:attempted-admin; sid:45185; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt"; flow:to_client,established; content:"|80 80 FF FF FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2004-0691; classtype:attempted-user; sid:45306; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt"; flow:to_server,established; content:"|80 80 FF FF FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 3C 93 FF 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0691; classtype:attempted-user; sid:45305; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt"; flow:to_server,established; file_data; content:"|04 00 00 00 7C 60 00 00 1C 02 00 00 00 00 00 00 00 00 00 08 00 08 10 00 10 19 00 19 21 00 21 29|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-4881; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45685; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt"; flow:to_client,established; file_data; content:"|04 00 00 00 7C 60 00 00 1C 02 00 00 00 00 00 00 00 00 00 08 00 08 10 00 10 19 00 19 21 00 21 29|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4881; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45684; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"Exif"; nocase; content:"|01 31 00 02|"; within:4; distance:60; fast_pattern; byte_test:4,>,0xFFFF,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4909; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45815; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"Exif"; nocase; content:"|01 31 00 02|"; within:4; distance:60; fast_pattern; byte_test:4,>,0xFFFF,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4909; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45814; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt"; flow:to_server,established; file_data; content:"|00 00 0B AD 00 00 27 10 00 00 16 EE 00 00 27 10 00 26 E8 F0 00 00 27 10 00 00 00 00 00 00 27 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4905; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45792; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt"; flow:to_client,established; file_data; content:"|00 00 0B AD 00 00 27 10 00 00 16 EE 00 00 27 10 00 26 E8 F0 00 00 27 10 00 00 00 00 00 00 27 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4905; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45791; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"|01 31 00 02|"; fast_pattern; byte_extract:4,0,SftLen,relative,big; byte_extract:4,0,SftOffset,relative,big; content:"MM|00 2A|"; within:500; distance:-500; isdataat:SftOffset,relative; content:!"|00|"; within:SftLen; distance:SftOffset; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4903; reference:url,helpx.adobe.com/security/products/reader/apsb18-02.html; classtype:attempted-user; sid:45789; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.tiff.big; file_data; content:"|01 31 00 02|"; fast_pattern; byte_extract:4,0,SftLen,relative,big; byte_extract:4,0,SftOffset,relative,big; content:"MM|00 2A|"; depth:4; isdataat:SftOffset; content:!"|00|"; within:SftLen; distance:SftOffset; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4903; reference:url,helpx.adobe.com/security/products/reader/apsb18-02.html; classtype:attempted-user; sid:45788; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Gifsicle gifread double-free attempt"; flow:to_server,established,only_stream; file_data; content:"GIF"; depth:3; byte_test:1,!&,0x80,7,relative; content:"|21 CE|"; within:2; distance:10; content:"|00|"; distance:0; isdataat:1,relative; isdataat:!500,relative; content:!"|2C|"; metadata:service smtp; reference:cve,2017-18120; classtype:denial-of-service; sid:46078; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Gifsicle gifread double-free attempt"; flow:to_client,established,only_stream; file_data; content:"GIF"; depth:3; byte_test:1,!&,0x80,7,relative; content:"|21 CE|"; within:2; distance:10; content:"|00|"; distance:0; isdataat:1,relative; isdataat:!500,relative; content:!"|2C|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-18120; classtype:attempted-user; sid:46077; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|A4 05 00 03 FF|"; metadata:service smtp; reference:cve,2018-4973; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:46726; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|A4 05 00 03 FF|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4973; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:46725; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; content:"EMF+|08 40|"; content:"|03|"; within:1; distance:1; content:"|02 10 C0 DB|"; within:4; distance:8; byte_test:4,<,500,0,relative,little; byte_test:4,>,10000000,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4978; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46720; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; content:"EMF+|08 40|"; content:"|03|"; within:1; distance:1; content:"|02 10 C0 DB|"; within:4; distance:8; byte_test:4,<,500,0,relative,little; byte_test:4,>,10000000,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4978; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46719; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; content:"EMF+|08 40|"; content:"|03|"; within:1; distance:1; content:"|02 10 C0 DB|"; within:4; distance:8; byte_test:4,<,500,0,relative,little; byte_test:4,>,10000000,8,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4978; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46718; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; content:"EMF+|08 40|"; content:"|03|"; within:1; distance:1; content:"|02 10 C0 DB|"; within:4; distance:8; byte_test:4,<,500,0,relative,little; byte_test:4,>,10000000,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4978; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46717; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|28 00 00 00 25 01 00 00 61 E9 00 00 01 00 20 00 00 00 00 00 14 BC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4963; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-recon; sid:46702; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|28 00 00 00 25 01 00 00 61 E9 00 00 01 00 20 00 00 00 00 00 14 BC 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4963; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-recon; sid:46701; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"EMF+|18 40|"; fast_pattern; content:"|00 00 00 00 00 00 00 00 02 00 00 00|"; within:12; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4976; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46693; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"EMF+|18 40|"; fast_pattern; content:"|00 00 00 00 00 00 00 00 02 00 00 00|"; within:12; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4976; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46692; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|A5 3A 41 12 60 22 4B 59 0D CC C0 72 6D 43 EE 81 99 4C 05 18 1C 0A 14 02 4C E4 81 29 19 98 8C A3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4955; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46689; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|A5 3A 41 12 60 22 4B 59 0D CC C0 72 6D 43 EE 81 99 4C 05 18 1C 0A 14 02 4C E4 81 29 19 98 8C A3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4955; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46688; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,84,height,relative,little; byte_test:4,>,height,132,relative,little; metadata:service smtp; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46674; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,84,height,relative,little; byte_test:4,>,height,128,relative,little; metadata:service smtp; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46673; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,80,width,relative,little; byte_test:4,>,width,132,relative,little; metadata:service smtp; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46672; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,80,width,relative,little; byte_test:4,>,width,128,relative,little; metadata:service smtp; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46671; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,84,height,relative,little; byte_test:4,>,height,132,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46670; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,84,height,relative,little; byte_test:4,>,height,128,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46669; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,80,width,relative,little; byte_test:4,>,width,132,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46668; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; byte_extract:4,80,width,relative,little; byte_test:4,>,width,128,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15940; reference:cve,2018-15941; reference:cve,2018-4948; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:46667; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"EMF+|2B 40|"; content:"|0C 00 00 00|"; within:6; distance:2; content:"|2A 40|"; content:"|24 00 00 00|"; within:6; distance:2; content:"|02 10 C0 DB 04 00 00 00 00 00 00 00|"; content:"|00 00 00 00 80 68 B2 48|"; byte_test:1,!&,8,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4970; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46876; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; content:"EMF+|2B 40|"; content:"|0C 00 00 00|"; within:6; distance:2; content:"|2A 40|"; content:"|24 00 00 00|"; within:6; distance:2; content:"|02 10 C0 DB 04 00 00 00 00 00 00 00|"; content:"|00 00 00 00 80 68 B2 48|"; byte_test:1,!&,8,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4970; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46875; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt"; flow:to_server,established; file_data; content:"|51 00 00 00 D8 03 00 00 D9 03 00 00 E3 02 00 00 F4 03 00 00 F8 02 00 00 D9 03 00 00 E3 02 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-4951; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:47060; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt"; flow:to_client,established; file_data; content:"|51 00 00 00 D8 03 00 00 D9 03 00 00 E3 02 00 00 F4 03 00 00 F8 02 00 00 D9 03 00 00 E3 02 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4951; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:47059; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt"; flow:to_server,established,only_stream; file_data; content:"|01 DA|"; depth:2; isdataat:2,relative; content:!"|00|"; within:1; content:!"|01|"; within:1; content:!"|01|"; within:1; distance:1; content:!"|02|"; within:1; distance:1; metadata:service smtp; reference:cve,2018-15953; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-recon; sid:48135; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt"; flow:to_client,established,only_stream; file_data; content:"|01 DA|"; depth:2; isdataat:2,relative; content:!"|00|"; within:1; content:!"|01|"; within:1; content:!"|01|"; within:1; distance:1; content:!"|02|"; within:1; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15953; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-recon; sid:48134; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF E2|"; byte_test:2,<,16,0,relative; content:"ICC_PROFILE|00 01 01|"; within:16; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12855; reference:cve,2018-12856; reference:cve,2018-19703; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48044; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF E2|"; byte_test:2,<,16,0,relative; content:"ICC_PROFILE|00 01 01|"; within:16; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12855; reference:cve,2018-12856; reference:cve,2018-19703; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48043; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed BMP out of bounds read attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|00 00 00 00|"; within:4; distance:4; content:"|28 00 00 00|"; within:4; distance:4; content:"|01 00 00 00|"; within:12; distance:12; byte_extract:4,0,ImageSize,relative,little; isdataat:!ImageSize; metadata:service smtp; reference:cve,2018-5051; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48040; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed BMP out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; depth:2; content:"|00 00 00 00|"; within:4; distance:4; content:"|28 00 00 00|"; within:4; distance:4; content:"|01 00 00 00|"; within:12; distance:12; byte_extract:4,0,ImageSize,relative,little; isdataat:!ImageSize; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5051; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48039; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; file_data; content:"|24 00 00 00 18 00 00 00 00 00 80 3F 00 00 00 00 00 00 00 00 00 00 80 3F 00 F0 8C 44 00 C0 85 44|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12879; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48032; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; file_data; content:"|24 00 00 00 18 00 00 00 00 00 80 3F 00 00 00 00 00 00 00 00 00 00 80 3F 00 F0 8C 44 00 C0 85 44|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12879; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48031; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader malformed JavaScript input out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"getAnnots()"; content:".contents"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15922; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48017; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader malformed JavaScript input out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"getAnnots()"; content:".contents"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15922; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48016; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro U3D TIFF XResolution out of bounds read attempt"; flow:to_server,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 1A 00 05 00 00 00 01|"; distance:0; byte_extract:4,0,offset,relative; isdataat:!offset; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-15956; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48014; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro U3D TIFF XResolution out of bounds read attempt"; flow:to_client,established; file_data; content:"MM|00 2A|"; depth:4; content:"|01 1A 00 05 00 00 00 01|"; distance:0; byte_extract:4,0,offset,relative; isdataat:!offset; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15956; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48013; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro U3D TIFF XResolution out of bounds read attempt"; flow:to_server,established; file_data; content:"II|2A 00|"; depth:4; content:"|1A 01 05 00 01 00 00 00|"; distance:0; byte_extract:4,0,offset,relative,little; isdataat:!offset; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-15956; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48012; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro U3D TIFF XResolution out of bounds read attempt"; flow:to_client,established; file_data; content:"II|2A 00|"; depth:4; content:"|1A 01 05 00 01 00 00 00|"; distance:0; byte_extract:4,0,offset,relative,little; isdataat:!offset; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15956; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48011; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro integer overflow attempt"; flow:to_server,established; file_data; content:"|50 00 00 00 B0 03 00 00 00 00 00 80 FF FF FF FF 0C 11 F8 C9 00 00 00 80 24 11 F8 C9 FF FF FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12881; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48010; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro integer overflow attempt"; flow:to_client,established; file_data; content:"|50 00 00 00 B0 03 00 00 00 00 00 80 FF FF FF FF 0C 11 F8 C9 00 00 00 80 24 11 F8 C9 FF FF FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12881; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48009; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro Universal 3D engine untrusted pointer dereference attempt"; flow:to_server,established; file_data; content:"|05 E2 B3 9B 31 30 FC 38 05 10 60 00 41 85 0E 98 00 03 48 89 FA B4 97 01 08 78 9D 19 C0 E0 D3 5E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15937; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48003; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro Universal 3D engine untrusted pointer dereference attempt"; flow:to_client,established; file_data; content:"|05 E2 B3 9B 31 30 FC 38 05 10 60 00 41 85 0E 98 00 03 48 89 FA B4 97 01 08 78 9D 19 C0 E0 D3 5E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15937; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48002; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF pointer out of bounds read attempt"; flow:to_server,established; file_data; content:"|A2 00 F0 D7 99 00 F3 E0 B0 00 F4 E2 B6 00 F5 E4 B9 00 F5 E4 BB 00 F5 E5 BD 00 FA F2 DD 00 FA F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15943; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47998; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF pointer out of bounds read attempt"; flow:to_client,established; file_data; content:"|A2 00 F0 D7 99 00 F3 E0 B0 00 F4 E2 B6 00 F5 E4 B9 00 F5 E4 BB 00 F5 E5 BD 00 FA F2 DD 00 FA F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15943; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47997; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF pointer out of bounds write attempt"; flow:to_server,established; file_data; content:"|01 2F 01 91 05 93 01 2A 02 8C 01 0C 02 93 02 8C 00 07 2F 91 93 23 8C 08 0C 00 03 93 00 04 05 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15944; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47996; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF pointer out of bounds write attempt"; flow:to_client,established; file_data; content:"|01 2F 01 91 05 93 01 2A 02 8C 01 0C 02 93 02 8C 00 07 2F 91 93 23 8C 08 0C 00 03 93 00 04 05 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15944; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47995; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF engine type confusion attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|73 B4 8F 54 09 41 F8 85 30 67 F3 BC 10 4A 28 6E C3 20 01 A0 8C 8A DF 9E 2E 12 40 FC 2C AC 72 4B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12876; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47992; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF engine type confusion attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|73 B4 8F 54 09 41 F8 85 30 67 F3 BC 10 4A 28 6E C3 20 01 A0 8C 8A DF 9E 2E 12 40 FC 2C AC 72 4B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12876; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47991; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|61 38 34 0B 77 38 34 0B 01 00 00 80 00 00 00 7F C5 38 34 0B D0 38 34 0B 00 00 00 80 FF FF 7F FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12844; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47982; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|61 38 34 0B 77 38 34 0B 01 00 00 80 00 00 00 7F C5 38 34 0B D0 38 34 0B 00 00 00 80 FF FF 7F FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12844; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47981; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|92 B3 D3 F4 78 98 B9 D9 5D 7D 9E BE 42 63 83 A4 27 48 68 89 0D 2D 39 59 65 E9 09 2A 4A CE DA FA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12843; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47980; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|92 B3 D3 F4 78 98 B9 D9 5D 7D 9E BE 42 63 83 A4 27 48 68 89 0D 2D 39 59 65 E9 09 2A 4A CE DA FA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12843; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47979; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|AA 57 00 80 BC EC 5E BE 00 90 FF FF 00 80 00 80 F1 E9 B7 69 00 00 40 72 00 80 52 07 FF 7F 96 AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12845; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47972; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|AA 57 00 80 BC EC 5E BE 00 90 FF FF 00 80 00 80 F1 E9 B7 69 00 00 40 72 00 80 52 07 FF 7F 96 AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12845; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47971; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF tag entry out of bounds read attempt"; flow:to_server,established; file_data; content:"|4D 4D 2A 00|"; depth:4; byte_jump:4,0,relative,from_beginning; content:"|01 0A 00 03|"; distance:0; content:!"|00 00 00 01|"; within:4; byte_test:2,>,2,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12867; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47956; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF tag entry out of bounds read attempt"; flow:to_client,established; file_data; content:"|4D 4D 2A 00|"; depth:4; byte_jump:4,0,relative,from_beginning; content:"|01 0A 00 03|"; distance:0; content:!"|00 00 00 01|"; within:4; byte_test:2,>,2,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12867; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47955; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF tag entry out of bounds read attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_jump:4,0,relative,little,from_beginning; content:"|0A 01 03 00|"; distance:0; content:!"|01 00 00 00|"; within:4; byte_test:2,>,2,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12867; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47954; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIF tag entry out of bounds read attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_jump:4,0,relative,little,from_beginning; content:"|0A 01 03 00|"; distance:0; content:!"|01 00 00 00|"; within:4; byte_test:2,>,2,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12867; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47953; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; content:"|00 20 00 00 00 00 60 40 14 AE DF C0 00 00 00 00 A4 70 7D BF 00 00 60 C0 14 AE DF C0 00 01 01 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15926; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47950; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; content:"|00 20 00 00 00 00 60 40 14 AE DF C0 00 00 00 00 A4 70 7D BF 00 00 60 C0 14 AE DF C0 00 01 01 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15926; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47949; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Distiller PostScript stack overflow attempt"; flow:to_server,established; file_data; content:"/ModificationDate"; fast_pattern; content:"(D:"; within:15; isdataat:32,relative; content:!"/"; within:32; metadata:service smtp; reference:cve,2018-12838; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47944; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Distiller PostScript stack overflow attempt"; flow:to_client,established; file_data; content:"/ModificationDate"; fast_pattern; content:"(D:"; within:15; isdataat:32,relative; content:!"/"; within:32; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12838; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47943; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat XPS heap overflow attempt"; flow:to_server,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C FF FF 00 00 FF EE 00 0E 41 64 6F 62 65 00 64 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12837; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47942; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat XPS heap overflow attempt"; flow:to_client,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C FF FF 00 00 FF EE 00 0E 41 64 6F 62 65 00 64 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12837; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47941; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF+ GIF parsing out of bounds read attempt"; flow:to_server,established; file_data; content:"|B4 00 F4 00 00 07 FF 80 07 12 44 14 85 86 14 0B 0B 15 8B 0D 8D 11 05 05 44 36 07 94 94 3C 97 98|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12834; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-recon; sid:47940; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF+ GIF parsing out of bounds read attempt"; flow:to_client,established; file_data; content:"|B4 00 F4 00 00 07 FF 80 07 12 44 14 85 86 14 0B 0B 15 8B 0D 8D 11 05 05 44 36 07 94 94 3C 97 98|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12834; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-recon; sid:47939; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro Universal 3D Engine untrusted pointer dereference attempt"; flow:to_server,established; file_data; content:"|5E 62 8D 5C 9D C5 F2 58 83 18 A7 C3 AB 25 F5 B8 67 80 8A DC 0B 00 C0 23 2B 06 00 40 6E CC 70 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15931; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47933; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro Universal 3D Engine untrusted pointer dereference attempt"; flow:to_client,established; file_data; content:"|5E 62 8D 5C 9D C5 F2 58 83 18 A7 C3 AB 25 F5 B8 67 80 8A DC 0B 00 C0 23 2B 06 00 40 6E CC 70 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15931; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47932; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|10 00 02 01 03 FA 01 03 03 02 03 03 03 02 06 09 75 01 02 03 04 11 05 12 06 21 07 07 07 07 07 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12785; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47912; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|10 00 02 01 03 FA 01 03 03 02 03 03 03 02 06 09 75 01 02 03 04 11 05 12 06 21 07 07 07 07 07 07|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12785; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47911; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|51 00 00 00|"; fast_pattern; byte_test:1,>,0x7F,39,relative; metadata:service smtp; reference:cve,2018-12787; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47910; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|51 00 00 00|"; fast_pattern; byte_test:1,>,0x7F,39,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12787; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47909; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|51 00 00 00|"; fast_pattern; byte_test:1,>,0x7F,43,relative; metadata:service smtp; reference:cve,2018-12787; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47908; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|51 00 00 00|"; fast_pattern; byte_test:1,>,0x7F,43,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12787; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47907; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"EMF+|2B 40|"; content:"|0C 00 00 00|"; within:6; distance:2; content:"|15 40|"; within:250; content:!"|00 00|"; within:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12795; reference:cve,2018-16014; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; classtype:attempted-user; sid:47892; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"EMF+|2B 40|"; content:"|0C 00 00 00|"; within:6; distance:2; content:"|15 40|"; content:!"|00 00|"; within:2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12795; reference:cve,2018-16014; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; classtype:attempted-user; sid:47891; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|72 00 00 00|"; byte_test:1,!&,128,23,relative; content:"|00 00|"; within:2; distance:30; content:"|00 00|"; within:2; distance:6; byte_test:1,&,128,3,relative; content:!"|00 00|"; within:2; distance:58; metadata:service smtp; reference:cve,2018-12788; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47875; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|72 00 00 00|"; byte_test:1,!&,128,23,relative; content:"|00 00|"; within:2; distance:30; content:"|00 00|"; within:2; distance:6; byte_test:1,&,128,3,relative; content:!"|00 00|"; within:2; distance:58; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12788; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47874; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file object out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.emf; content:"|05 00 00 00 4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FD 58 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12848; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; classtype:attempted-user; sid:47857; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file object out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|05 00 00 00 4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FD 58 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12848; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; classtype:attempted-user; sid:47856; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro SGI RGB run-length encoding out of bounds read attempt"; flow:to_client,established; file_data; content:"|00 06 00 82 05 03 06 00 9A 02 03 06 08 09 08 06 04 01 00 01 04 07 0A 0E 11 12 14 12 12 14 18 1C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5054; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47839; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro SGI RGB run-length encoding out of bounds read attempt"; flow:to_server,established; file_data; content:"|00 06 00 82 05 03 06 00 9A 02 03 06 08 09 08 06 04 01 00 01 04 07 0A 0E 11 12 14 12 12 14 18 1C|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5054; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47838; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat EmfPlusDrawImagePoints out of bounds read attempt"; flow:to_server,established; file_data; content:"|1B 40 03 40 34 00 00 00 28 00 00 00 FF FF FF FF 02 00 00 00 00 00 00 BF 00 00 00 BF 00 00 90 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5035; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47828; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat EmfPlusDrawImagePoints out of bounds read attempt"; flow:to_client,established; file_data; content:"|1B 40 03 40 34 00 00 00 28 00 00 00 FF FF FF FF 02 00 00 00 00 00 00 BF 00 00 00 BF 00 00 90 41|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5035; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47827; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Windows malformed TIFF remote code execution attempt"; flow:to_server,established; file_data; flowbits:isset,file.tiff; content:"|00 16 01 03 00 01 00 00 00 E8 03 00 00 1C 01 03 00 01 00 00 00 02 00 00 00 17 01 04 00 03 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8475; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8475; classtype:attempted-user; sid:47765; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Windows malformed TIFF remote code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.tiff; content:"|00 16 01 03 00 01 00 00 00 E8 03 00 00 1C 01 03 00 01 00 00 00 02 00 00 00 17 01 04 00 03 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8475; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8475; classtype:attempted-user; sid:47764; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt"; flow:to_server,established; file_data; content:"|A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 8C C8 FF CB DA EE F5 FF FF FF 9B C1 FF F8 F8 F8 F8 F8 F8 F8|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5069; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47397; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt"; flow:to_client,established; file_data; content:"|A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 8C C8 FF CB DA EE F5 FF FF FF 9B C1 FF F8 F8 F8 F8 F8 F8 F8|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5069; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47396; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro use after free attempt"; flow:to_server,established; file_data; content:"draggable = true|3B 0A| htmlvar00"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12791; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47383; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro use after free attempt"; flow:to_client,established; file_data; content:"draggable = true|3B 0A| htmlvar00"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12791; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47382; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt"; flow:to_server,established; file_data; content:"8BPS|00 01|"; depth:6; content:!"|00 02|"; within:2; distance:18; content:!"|00 08|"; within:2; distance:18; content:!"|00 00 00 00|"; within:4; distance:20; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-15938; reference:cve,2018-5042; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47368; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt"; flow:to_client,established; file_data; content:"8BPS|00 01|"; depth:6; content:!"|00 02|"; within:2; distance:18; content:!"|00 08|"; within:2; distance:18; content:!"|00 00 00 00|"; within:4; distance:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15938; reference:cve,2018-5042; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47367; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader malformed TIFF out of bounds read attempt"; flow:to_server,established; file_data; content:"|4D 4D 00 0A|"; depth:4; byte_extract:4,0,IFDoffset,relative; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,from_beginning; byte_extract:2,0,numentries,multiplier 12,relative; content:"|01 06 00 03|"; within:numentries; fast_pattern; content:!"|00 00 00 01|"; within:4; metadata:service smtp; reference:cve,2018-5053; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47362; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader malformed TIFF out of bounds read attempt"; flow:to_client,established; file_data; content:"|4D 4D 00 0A|"; depth:4; byte_extract:4,0,IFDoffset,relative; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,from_beginning; byte_extract:2,0,numentries,multiplier 12,relative; content:"|01 06 00 03|"; within:numentries; fast_pattern; content:!"|00 00 00 01|"; within:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5053; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47361; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader malformed TIFF out of bounds read attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_extract:4,0,IFDoffset,relative,little; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,little,from_beginning; byte_extract:2,0,numentries,multiplier 12,little,relative; content:"|06 01 03 00|"; within:numentries; fast_pattern; content:!"|01 00 00 00|"; within:4; metadata:service smtp; reference:cve,2018-5053; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47360; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader malformed TIFF out of bounds read attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_extract:4,0,IFDoffset,relative,little; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,little,from_beginning; byte_extract:2,0,numentries,multiplier 12,little,relative; content:"|06 01 03 00|"; within:numentries; fast_pattern; content:!"|01 00 00 00|"; within:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5053; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47359; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|0A 05 01 08 00 00 00 00 3F 01 C7 00 96 00 96 00 00 00 00 08 08 08 10 10 10 18 18 18 20 20 20 28|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5039; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47357; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|0A 05 01 08 00 00 00 00 3F 01 C7 00 96 00 96 00 00 00 00 08 08 08 10 10 10 18 18 18 20 20 20 28|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5039; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47356; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG heap overflow attempt"; flow:to_server,established; file_data; content:"|E2 BC 85 6C 56 26 C4 4F 21 36 48 CC 48 62 43 DC 2F B1 4D 62 D1 D3 01 C0 C9 4A E6 B9 2C 46 3C C4|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5058; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47353; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG heap overflow attempt"; flow:to_client,established; file_data; content:"|E2 BC 85 6C 56 26 C4 4F 21 36 48 CC 48 62 43 DC 2F B1 4D 62 D1 D3 01 C0 C9 4A E6 B9 2C 46 3C C4|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5058; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47352; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG heap overflow attempt"; flow:to_server,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; depth:10; content:"|01 0E 00 02|"; distance:0; content:!"|00|"; within:1; metadata:service smtp; reference:cve,2018-5058; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47351; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed JPEG heap overflow attempt"; flow:to_client,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; depth:10; content:"|01 0E 00 02|"; distance:0; content:!"|00|"; within:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5058; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47350; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|EE 23 7B 91 07 13 9D 8F EA 81 73 E9 8A 63 96 7C B9 F9 8E BB A1 BA 62 24 30 C3 BF AC 67 E5 EA 29|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5033; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47344; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|EE 23 7B 91 07 13 9D 8F EA 81 73 E9 8A 63 96 7C B9 F9 8E BB A1 BA 62 24 30 C3 BF AC 67 E5 EA 29|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5033; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47343; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt"; flow:to_server,established; file_data; content:"|4D 4D 00 0A|"; depth:4; byte_extract:4,0,IFDoffset,relative; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,from_beginning; byte_extract:2,0,numentries,multiplier 12,relative; content:"|01 01 00 03 00 00 00 01 00 01|"; within:numentries; metadata:service smtp; reference:cve,2018-12864; reference:cve,2018-5044; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47331; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt"; flow:to_server,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_extract:4,0,IFDoffset,relative,little; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,little,from_beginning; byte_extract:2,0,numentries,multiplier 12,little,relative; content:"|01 01 03 00 01 00 00 00 01 00|"; within:numentries; metadata:service smtp; reference:cve,2018-12864; reference:cve,2018-5044; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47330; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt"; flow:to_client,established; file_data; content:"|4D 4D 00 0A|"; depth:4; byte_extract:4,0,IFDoffset,relative; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,from_beginning; byte_extract:2,0,numentries,multiplier 12,relative; content:"|01 01 00 03 00 00 00 01 00 01|"; within:numentries; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12864; reference:cve,2018-5044; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47329; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt"; flow:to_client,established; file_data; content:"|49 49 2A 00|"; depth:4; byte_extract:4,0,IFDoffset,relative,little; isdataat:IFDoffset,relative; byte_jump:4,-4,relative,little,from_beginning; byte_extract:2,0,numentries,multiplier 12,little,relative; content:"|01 01 03 00 01 00 00 00 01 00|"; within:numentries; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12864; reference:cve,2018-5044; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47328; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt"; flow:to_server,established; file_data; content:"|04 0A 00 0A FF 0D 00 04 FF 04 0B 00 09 FF 0C 00 05 FF 04 0C 00 08 FF 0C 00 05 FF 04 0D 00 08 FF|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5046; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47315; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt"; flow:to_client,established; file_data; content:"|04 0A 00 0A FF 0D 00 04 FF 04 0B 00 09 FF 0C 00 05 FF 04 0C 00 08 FF 0C 00 05 FF 04 0D 00 08 FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5046; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47314; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_server,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|FF ED|"; distance:0; byte_extract:2,0,app13_size,relative; content:"8BIM|04 25|"; within:app13_size; content:!"|00|"; within:1; distance:2; metadata:service smtp; reference:cve,2018-5029; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47313; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt"; flow:to_client,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|FF ED|"; distance:0; byte_extract:2,0,app13_size,relative; content:"8BIM|04 25|"; within:app13_size; fast_pattern; content:!"|00|"; within:1; distance:2; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5029; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47312; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|00 2C 00 00 00 00 20 00 20 00 80 02 71 9C 8F A9 CB 8D 00 0C 8C AE|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5050; reference:url,reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47248; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|00 2C 00 00 00 00 20 00 20 00 80 02 71 9C 8F A9 CB 8D 00 0C 8C AE|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5050; reference:url,reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47247; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EmfPlusDrawImagePoints heap overflow attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|00 00 80 B3 FF FF 69 43 00 00 80 B3 00 00 80 B3 FF FF 85 42 21 00 00 00 08 00 00 00 62 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5032; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47211; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro EMF file EmfPlusDrawImagePoints heap overflow attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|00 00 80 B3 FF FF 69 43 00 00 80 B3 00 00 80 B3 FF FF 85 42 21 00 00 00 08 00 00 00 62 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5032; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47210; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_server,established; file_data; content:"|ED 9F 5E D5 83 3A 22 9A 57 24 8E 32 AB B9 93 A1 E3 FC 2A 1B 26 FC C5 8F 33 CC 5D BC 06 03 B0 FC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1767; classtype:attempted-admin; sid:47174; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt"; flow:to_client,established; file_data; content:"|ED 9F 5E D5 83 3A 22 9A 57 24 8E 32 AB B9 93 A1 E3 FC 2A 1B 26 FC C5 8F 33 CC 5D BC 06 03 B0 FC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1767; classtype:attempted-admin; sid:47173; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|00 00 00 00 18 72 65 73 20 00 00 00 10 72 65 73 64 24 49 80 00 24 49 80 00 04 04 82 97 D0 25 48|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12790; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47158; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 18 72 65 73 20 00 00 00 10 72 65 73 64 24 49 80 00 24 49 80 00 04 04 82 97 D0 25 48|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12790; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47157; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CEL heap overflow attempt"; flow:to_server,established; file_data; content:"|20 01 00 00 0F 00 04 0A 00 0A FF 0D 00 ED FF 04 0B 00 09 FF 0C 00 05 FF 04 0C 00 08 FF 0C 00 05|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5052; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47130; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro malformed CEL heap overflow attempt"; flow:to_client,established; file_data; content:"|20 01 00 00 0F 00 04 0A 00 0A FF 0D 00 ED FF 04 0B 00 09 FF 0C 00 05 FF 04 0C 00 08 FF 0C 00 05|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5052; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47129; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro JPEG Huffman table memory corruption attempt"; flow:to_server,established; file_data; content:"|A7 B7 C7 FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 E4 92 49 25 A4 E2 A9 24 92 49 4A 49 24 92 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5060; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48220; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro JPEG Huffman table memory corruption attempt"; flow:to_client,established; file_data; content:"|A7 B7 C7 FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 E4 92 49 25 A4 E2 A9 24 92 49 4A 49 24 92 52|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5060; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48219; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Graphics component WMF code execution attempt"; flow:to_server,established; file_data; content:"|42 C6 D2 F2 13 96 A2 AE CE DA FB 7E 8A 96 B6 D7 5B 7B 9C BC 2B 4C 57 78 98 07 13 34 54 4B 6C EF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8553; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8553; classtype:attempted-user; sid:48375; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Graphics component WMF code execution attempt"; flow:to_client,established; file_data; content:"|42 C6 D2 F2 13 96 A2 AE CE DA FB 7E 8A 96 B6 D7 5B 7B 9C BC 2B 4C 57 78 98 07 13 34 54 4B 6C EF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8553; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8553; classtype:attempted-user; sid:48374; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-IMAGE Imagemagick XBM tranformation information leak attempt"; flow:to_server,established; file_data; content:"_width"; content:"_height"; content:"_bits"; pcre:"/0x[8-F][0-F]{7}/iP"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-16323; classtype:attempted-recon; sid:48937; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 0B|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48936; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 0A|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48935; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 09|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48934; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 03|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48933; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 02|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48932; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 01|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48931; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 00|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48930; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 0B|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48929; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 0A|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48928; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 09|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48927; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 03|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48926; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 02|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48925; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 01|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48924; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_server,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 00|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service smtp; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48923; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 0B|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48922; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 0A|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48921; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 09|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48920; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 03|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48919; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 02|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48918; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 01|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48917; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|01 00|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48916; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 0B|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48915; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 0A|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48914; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 09|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48913; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 03|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48912; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 02|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48911; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 01|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48910; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt"; flow:to_client,established,only_stream; flowbits:isset,file.tga; file_data; content:"|00 00|"; depth:2; offset:1; content:"|00 00|"; depth:2; offset:14; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5045; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48909; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tiff.big; content:"|FF FF FF FF|"; fast_pattern; byte_test:2,>=,0xfe,-8,relative,big; byte_test:2,<=,0x214,-8,relative,big; byte_test:2,>=,1,-6,relative,big; byte_test:2,<=,0xc,-6,relative,big; metadata:service smtp; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:49125; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tiff.big; content:"|FF FF FF FF|"; fast_pattern; byte_test:2,>=,0xfe,-8,relative,big; byte_test:2,<=,0x214,-8,relative,big; byte_test:2,>=,1,-6,relative,big; byte_test:2,<=,0xc,-6,relative,big; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:49124; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tiff.little; content:"|00 FF FF FF FF|"; fast_pattern; byte_test:2,>=,0xfe,-8,relative,little; byte_test:2,<=,0x214,-8,relative,little; byte_test:2,>=,1,-6,relative,little; byte_test:2,<=,0xc,-6,relative,little; metadata:service smtp; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:49123; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tiff.little; content:"|00 FF FF FF FF|"; fast_pattern; byte_test:2,>=,0xfe,-8,relative,little; byte_test:2,<=,0x214,-8,relative,little; byte_test:2,>=,1,-6,relative,little; byte_test:2,<=,0xc,-6,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2966; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:49122; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_extract:4,0,bm_width,relative,little; content:"|08 00 01 00 00 00|"; within:6; distance:6; byte_jump:4,10,little,from_beginning; byte_test:1,>,bm_width,0,relative; metadata:service smtp; reference:cve,2013-3663; classtype:attempted-user; sid:49576; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE SketchUp BMP RLE8 parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"BM"; depth:2; content:"|28 00 00 00|"; within:4; distance:12; byte_extract:4,0,bm_width,relative,little; content:"|08 00 01 00 00 00|"; within:6; distance:6; byte_jump:4,10,little,from_beginning; byte_test:1,>,bm_width,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3663; classtype:attempted-user; sid:49575; rev:1;)


@@ -0,0 +1,236 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# FILE-JAVA RULES
#-----------------
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java trusted method chaining attempt"; flow:to_client,established; file_data; content:"|50 4B 03 04|"; depth:4; content:"vuln/Link"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0840; classtype:attempted-user; sid:20529; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java attempt to write in system32"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/io/FileInputStream"; nocase; content:"|5C|system32|5C|"; metadata:service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:21056; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Zip file directory record overflow attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|05 06|"; byte_test:2,=,0,6,relative,little; byte_test:4,=,46,8,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,52013; reference:cve,2012-0501; classtype:attempted-user; sid:23560; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java runtime RMIConnectionImpl deserialization execution attempt"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"|18 00 00 00|PayloadClassLoader.class"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0094; classtype:attempted-user; sid:21387; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java HsbParser.getSoundBank stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|01 00 2C 28|Ljava|2F|net|2F|URL|3B 29|Ljavax|2F|sound|2F|midi|2F|Soundbank"; content:"|01 00 0C|getSoundbank"; content:"file|3A 2F 2F|"; byte_test:2,>,312,-9,relative,big; content:"|01|"; within:1; distance:-10; pcre:"/^.{2}file|3A 2F 2F|[\x21-\x7E]{305}/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36881; reference:cve,2009-3867; classtype:attempted-user; sid:17776; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|1F 8B 08 08 D4 73 61 49 00 03 65 2E 70 61 63 6B 00 ED CE 3B 4B 03 41 10 00 E0 D9 7B C7 3B 15 63 63 2D 16 8A 8F D3 68 17 11 22 E4 34 21 31 82 31|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17624; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java runtime JPEGImageReader overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|73 65 74 53 6F 75 72 63 65 53 75 62 73 61 6D 70 6C 69 6E 67 01 00 07|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36881; reference:cve,2009-3864; reference:cve,2009-3865; reference:cve,2009-3866; reference:cve,2009-3867; reference:cve,2009-3868; reference:cve,2009-3869; reference:cve,2009-3871; reference:cve,2009-3872; reference:cve,2009-3873; reference:cve,2009-3874; reference:cve,2009-3875; reference:cve,2009-3876; reference:cve,2009-3877; classtype:attempted-user; sid:20055; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Applet Rhino script engine remote code execution attempt"; flow:to_client,established; file_data; flowbits:isset,file.jar; content:"AgentLauncher.class"; fast_pattern:only; content:"RhinoExploit.class"; nocase; content:"agent.exe"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; classtype:attempted-user; sid:20831; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Rhino script engine remote code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Exploit.class"; fast_pattern; content:"StreamConnector.class"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; classtype:attempted-user; sid:23008; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"cve2012xxxx/Gondzz"; fast_pattern:only; content:"xiaomaol"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24022; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"cve2012xxxx/Gondvv"; content:"java/security/ProtectionDomain"; content:"java/security/ProtectionDomain"; content:"java/security/AccessControlContext"; content:"xiaomaol"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24024; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"cve2012xxxx/Gondvv"; content:"java/security/AccessControlContext"; content:"xiaomaol"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24025; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"Expression"; pcre:"/Expression\x28\s*?GetClass\x28\x22sun.awt.SunToolkit\x22\x29\s*?,\s*?\x22getField\x22/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24038; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"cve2012xxxx/Gondzz"; fast_pattern:only; content:"xiaomaol"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24023; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|D3 2D 69 D2 25 D3 76 9A A6 4D 9B A6 49 DA A4 CD D2 C9 D2 E9 B4 4D 9C 73 05 78 C3 6F DE E4 AF 9A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24056; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|D3 2D 69 D2 25 D3 76 9A A6 4D 9B A6 49 DA A4 CD D2 C9 D2 E9 B4 4D 9C 73 05 78 C3 6F DE E4 AF 9A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24055; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|6B 78 9E B5 D6 F6 FF F1 FF FC 6F FF FB 97 2F 5F EC 5F FE EF 83 2F 42 C1 97 E3 6E 8B FF 67 FD F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24057; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|6B 78 9E B5 D6 F6 FF F1 FF FC 6F FF FB 97 2F 5F EC 5F FE EF 83 2F 42 C1 97 E3 6E 8B FF 67 FD F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24058; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java getSoundBank overflow Attempt malicious jar file"; flow:to_client,established; file_data; content:"|50 4B 03 04 14 00 08 00 08 00 48 5A 8E 3B 00 00 00 00 00 00 00 00 00 00 00 00 09 00 04 00 4D 45 54 41 2D 49 4E 46 2F FE CA 00 00 03 00 50 4B 07 08 00 00 00 00 02 00 00 00 00 00 00 00 50 4B 03 04 14 00 08 00 08 00 48 5A 8E 3B 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 4D 45 54 41 2D 49 4E 46 2F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36881; reference:cve,2009-3867; classtype:attempted-user; sid:20858; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|76 E3 66 C2 8B 9E E3 1F E1 1C 7B FC D4 AF F6 1C 4D 38 E2 F1 07 F8 53 FC 11 E2 9D 6D 08 04 A3 F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24066; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|76 E3 66 C2 8B 9E E3 1F E1 1C 7B FC D4 AF F6 1C 4D 38 E2 F1 07 F8 53 FC 11 E2 9D 6D 08 04 A3 F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24065; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"com/sun/beans/finder/MethodFinder"; fast_pattern:only; content:"sun.awt.SunToolkit|07 00 73 0C 00 74 00 75 01 00 08|getField"; content:"java/security/AccessControlContext"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24064; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|71 CE 4E 75 4D BD 4B 75 9C 44 B4 63 27 77 A7 84 92 2D DF 59 4E 73 E2 F4 DE AB D3 BB D3 BB F2 17|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24084; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|71 CE 4E 75 4D BD 4B 75 9C 44 B4 63 27 77 A7 84 92 2D DF 59 4E 73 E2 F4 DE AB D3 BB D3 BB F2 17|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24085; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|65 38 5C 78 65 61 5C 78 39 39 5C 78 31 39 5C 74 5C 78 61 35 33 5C 78 66 64 5B 5C 78 64 39 5C 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24126; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|65 38 5C 78 65 61 5C 78 39 39 5C 78 31 39 5C 74 5C 78 61 35 33 5C 78 66 64 5B 5C 78 64 39 5C 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24125; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JNLP parameter argument injection attempt"; flow:to_client,established; file_data; content:"<jnlp"; nocase; content:"property"; distance:0; nocase; content:"-Djava"; fast_pattern:only; content:"|2D|Djava.security.policy"; nocase; pcre:"/<jnlp.*?\x3C\s*?property[^\x3E]*?name[^\x3E]*?value\s*?[^\x3E]*?\-Djava\.security\.policy/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2005-0418; classtype:attempted-user; sid:20820; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Javascript document.domain attempt"; flow:to_client,established; file_data; content:"document.domain|28|"; nocase; metadata:ruleset community, service http; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-JAVA Oracle Java Runtime Environment .hotspot_compiler file load exploit attempt"; flow:to_server,established; content:"|2F|.hotspot_compiler"; nocase; http_uri; metadata:service http; reference:url,secunia.com/advisories/45173; classtype:attempted-user; sid:19604; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-JAVA Oracle Java Runtime Environment .hotspotrc file load exploit attempt"; flow:to_server,established; content:"|2F|.hotspotrc"; nocase; http_uri; metadata:service http; reference:url,secunia.com/advisories/45173; classtype:attempted-user; sid:19603; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java GIF LZW minimum code size overflow attempt"; flow:to_client,established; file_data; content:"|F3 E1 04 30 2E 7B 0A 25 A4 58 D1 E2 45 8C 19 35 6E E4 D8 D1 E3 47 90 21 45 8E 24 59 D2 E4 49 8F|"; fast_pattern:only; metadata:service http; reference:bugtraq,34240; reference:cve,2009-1098; classtype:attempted-user; sid:20239; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"launchjnlp"; fast_pattern; nocase; content:"docbase"; within:100; nocase; isdataat:80,relative; pcre:"/^([\x22\x27]\s*value)?\s*=\s*\x27[^\x27]{70}/Rsmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44023; reference:cve,2010-3552; classtype:attempted-user; sid:20444; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-JAVA Oracle Java Web Start BasicServiceImpl security policy bypass attempt"; flow:to_server,established; content:"java.security.policy"; fast_pattern:only; http_uri; pcre:"/jnlp\x22\x09\x22-J-Djava\.security\.policy/Ui"; metadata:service http; reference:bugtraq,43999; reference:cve,2010-3563; classtype:attempted-user; sid:20430; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle JavaScript file upload keystroke hijack attempt"; flow:to_client,established; file_data; content:"onKeyPress"; fast_pattern:only; pcre:"/<INPUT[^>]+type\s*=\s*[\x22\x27]?file[\x22\x27]?[^>]+OnKey(Down|Up|Press)\s*=[^>]*>.*<INPUT[^>]+type\s*=\s*[\x22\x27]?text[\x22\x27]?[^>]+OnKey(Down|Up|Press)[^>]+>/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,18308; reference:cve,2006-2900; classtype:misc-activity; sid:21501; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"AccessControlContext"; fast_pattern:only; pcre:"/AccessControlContext\s*?(?P<var>\w*)\s*?=\s*?new\s*?AccessControlContext.*?SetField\x28Statement\.class,\s*?(?P<quotes1>\x22|\x27)acc(?P=quotes1),\s*?localStatement,\s*?(?P=var)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24036; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"ProtectionDomain"; content:"new Permissions|28 29|"; content:"new AllPermission|28 29|"; content:"new Expression|28|"; content:"GetClass|28 22|sun.awt.SunToolkit|22 29|, |22|getField|22|"; content:"setSecurityManager"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24020; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"ProtectionDomain"; content:"new Permissions|28 29|"; content:"new AllPermission|28 29|"; content:"new Expression|28|"; content:"GetClass|28 22|sun.awt.SunToolkit|22 29|, |22|getField|22|"; content:"setSecurityManager"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24021; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"Expression"; pcre:"/Expression\x28\s*?GetClass\x28\x22sun.awt.SunToolkit\x22\x29\s*?,\s*?\x22getField\x22/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24037; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"AccessControlContext"; fast_pattern:only; pcre:"/AccessControlContext\s*?(?P<var>\w*)\s*?=\s*?new\s*?AccessControlContext.*?SetField\x28Statement\.class,\s*?(?P<quotes1>\x22|\x27)acc(?P=quotes1),\s*?localStatement,\s*?(?P=var)/smi"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24028; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"|51 DB 6A 4F B5 16 EF 52 DB D4 AA 15 43 BB 89 C6 AB D5 06 B5 97 D6 AA D5 D6 A3 F5 D6 DE AD F5 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24027; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java XGetSamplePtrFromSnd memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rmf; file_data; content:"|1B 37 D6 E1 89 5F AB 9C 2E 1B 0D 49 A0 7B 89 8E C1 DE DE 86 17 22 12 1C 6F CC F1 CB AD EF 90 18|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46394; reference:cve,2010-4462; classtype:attempted-user; sid:24510; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JNLP parameter argument injection attempt"; flow:to_server,established; file_data; content:"<jnlp"; nocase; content:"property"; distance:0; nocase; content:"-Djava"; fast_pattern:only; content:"|2D|Djava.java2d.noddraw"; nocase; pcre:"/<jnlp.*?\x3C\s*?property[^\x3E]*?name[^\x3E]*?value\s*?[^\x3E]*?\-Djava\.java2d\.noddraw/smi"; metadata:service smtp; reference:cve,2005-0418; classtype:attempted-user; sid:24499; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JNLP parameter argument injection attempt"; flow:to_server,established; file_data; content:"<jnlp"; nocase; content:"property"; distance:0; nocase; content:"-Djava"; fast_pattern:only; content:"|2D|Djava.security.policy"; nocase; pcre:"/<jnlp.*?\x3C\s*?property[^\x3E]*?name[^\x3E]*?value\s*?[^\x3E]*?\-Djava\.security\.policy/smi"; metadata:service smtp; reference:cve,2005-0418; classtype:attempted-user; sid:24498; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; file_data; content:"4e34523454tS345e334545c345u5356r67i6t6y4354834M9"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:24770; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jnlp; file_data; content:"<j2se "; content:"initial|2D|heap|2D|"; distance:0; isdataat:1024,relative; pcre:"/size\s*?\x3d\s*?[\x22\x27][^\s\x22\x27\x3e]{1024}/smiR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:24904; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jnlp; file_data; content:"<j2se "; content:"java|2D|vm|2D|"; distance:0; isdataat:1024,relative; pcre:"/args\s*?\x3d\s*?[\x22\x27][^\s\x22\x27\x3e]{1024}/smiR"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:24906; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jnlp; file_data; content:"<j2se "; content:"initial|2D|heap|2D|"; distance:0; isdataat:1024,relative; pcre:"/size\s*?\x3d\s*?[\x22\x27][^\s\x22\x27\x3e]{1024}/smiR"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:24905; rev:6;)
# alert tcp any any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Runtime true type font idef opcode heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar|file.class|file.ttf; file_data; content:"|00 01 00 00|"; depth:4; content:"|89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0499; classtype:attempted-user; sid:24915; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Applet remote code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Exploit.class"; fast_pattern:only; content:"Payload.class"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2011-3544; reference:cve,2012-5076; classtype:attempted-user; sid:24993; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"msf/x/PayloadX$StreamConnector.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25121; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Rhino script engine remote code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"NewsBase.classPK"; fast_pattern; content:"NewsViewer.classPK"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; classtype:attempted-user; sid:25392; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; fast_pattern; content:"drop"; content:".exePK"; within:6; distance:5; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25473; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java malicious class download attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"exploit"; nocase; content:".classPK"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53960; reference:bugtraq,57246; reference:cve,2012-1723; reference:cve,2013-0422; classtype:attempted-user; sid:25833; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; content:"PK"; distance:-800; pcre:"/^\x01\x02.{0,50}[a-zA-Z]{10}\x2fPK.{0,50}[a-zA-Z]{10}\x2f[a-zA-Z]{7}\.classPK/sR"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57246; reference:cve,2013-0422; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25832; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; fast_pattern:only; content:"JmxMBeanServerBuilder"; content:"invokeWithArguments"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25831; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; fast_pattern:only; content:"JmxMBeanServerBuilder"; content:"invokeWithArguments"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25834; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/Kernel|3B 29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 1A 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26197; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib LookupOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/RenderingHints|3B 29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26196; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Gmbal package sandbox breach attempt"; flow:to_server,established; file_data; content:"GenericConstructor"; nocase; content:"sun.invoke.anon"; nocase; content:"ManagedObjectManagerFactory"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; classtype:attempted-user; sid:26186; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib LookupOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/RenderingHints|3B 29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26199; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26198; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26195; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/Kernel|3B 29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|00 1A 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:26200; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Gmbal package sandbox breach attempt"; flow:to_client,established; file_data; content:"GenericConstructor"; nocase; content:"sun.invoke.anon"; nocase; content:"ManagedObjectManagerFactory"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; classtype:attempted-user; sid:26185; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Plugin security bypass"; flow:to_client,established; file_data; content:"|3C|script language=javascript"; nocase; content:"forName"; pcre:"/\x3Cscript language\x3Djavascript\x3E.*?forName\x28[\x22\x27]sun\x2E/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,11726; reference:cve,2004-1029; classtype:attempted-user; sid:21462; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java known malicious jar file download - specific structure"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"Foo.class"; content:"trash/A.class"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:26439; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; file_data; content:"disableSecurityManager"; fast_pattern:only; content:"java/lang/reflect/Field"; nocase; content:"getSecurityManager"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26487; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|DD FE 53 3A 55 5B 3E 97 24 FD 19 31 34 97 2F B2 3E BD 4E D7 AD 50 CC 1C F2 C4 A3 43 E0 2C 6F 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26484; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|DD FE 53 3A 55 5B 3E 97 24 FD 19 31 34 97 2F B2 3E BD 4E D7 AD 50 CC 1C F2 C4 A3 43 E0 2C 6F 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26485; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; file_data; content:"disableSecurityManager"; fast_pattern:only; content:"java/lang/reflect/Field"; nocase; content:"getSecurityManager"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26486; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|0A C6 07 80 C3 B8 8D 0D A9 AB 8F B8 45 25 F0 1D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26499; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|0A C6 07 80 C3 B8 8D 0D A9 AB 8F B8 45 25 F0 1D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26500; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; file_data; content:"|70 01 00 10|findStaticSetter|01 00 55 28|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26551; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; file_data; content:"|70 01 00 10|findStaticSetter|01 00 55 28|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26550; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Union1.class"; content:"Union2.class"; content:"SystemClass.class"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26549; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Union1.class"; content:"Union2.class"; content:"SystemClass.class"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26552; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_server,established; file_data; content:"single.class|6D 52 5D 53 D3 50 10 3D B7 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26717; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_client,established; file_data; content:"single.class|6D 52 5D 53 D3 50 10 3D B7 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26716; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java XGetSamplePtrFromSnd memory corruption attempt"; flow:to_server,established; flowbits:isset,file.rmf; file_data; content:"|1B 37 D6 E1 89 5F AB 9C 2E 1B 0D 49 A0 7B 89 8E C1 DE DE 86 17 22 12 1C 6F CC F1 CB AD EF 90 18|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,46394; reference:cve,2010-4462; classtype:attempted-user; sid:24511; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Ljava/awt/image/MultiPixelPackedSampleModel"; fast_pattern:only; content:"Ljava/lang/StringBuilder"; content:"getSecurityManager"; within:25; content:"Ljava/lang/SecurityManager"; within:50; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:service smtp; reference:cve,2013-2549; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27694; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib BytePackedRaster signed integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Ljava/awt/image/MultiPixelPackedSampleModel"; fast_pattern:only; content:"Ljava/lang/StringBuilder"; content:"getSecurityManager"; within:25; content:"Ljava/lang/SecurityManager"; within:50; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2549; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27693; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|F5 A9 5D 36 ED 36 9D 80 85 2A A9 2A A9 FE C6 4B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2463; classtype:attempted-user; sid:27765; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|F5 A9 5D 36 ED 36 9D 80 85 2A A9 2A A9 FE C6 4B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2463; classtype:attempted-user; sid:27764; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|B5 67 D2 36 4F 7F EA EF FD 13 DA 3F C0 A7 0D FD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2463; classtype:attempted-user; sid:27787; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|B5 67 D2 36 4F 7F EA EF FD 13 DA 3F C0 A7 0D FD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2463; classtype:attempted-user; sid:27786; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|69 25 55 8C F5 A5 D7 E4 68 23 69 12 92 8B B4 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2463; classtype:attempted-user; sid:28927; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|69 25 55 8C F5 A5 D7 E4 68 23 69 12 92 8B B4 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2463; classtype:attempted-user; sid:28926; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImageRepresentation.setPixels integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; content:"|10 E6 74 CC 0A 8C BF 24 D5 C0 3C 0E 0B E8 A1 72 79 3E 0F E8 69 90 12 88 E9 6E 59 AA E6 03 6B AE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2420; classtype:attempted-user; sid:29269; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.awt.image.ImageRepresentation.setPixels integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|10 E6 74 CC 0A 8C BF 24 D5 C0 3C 0E 0B E8 A1 72 79 3E 0F E8 69 90 12 88 E9 6E 59 AA E6 03 6B AE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2420; classtype:attempted-user; sid:29268; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java and JavaFX JPEGImageReader memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|80 F3 91 80 F2 25 98 54 C3 7B E4 24 43 12 2B 0B 09 8F E0 36 A4 7D E2 08 FD 81 9F 5C B6 8D 2B AB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2420; classtype:attempted-user; sid:29219; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java and JavaFX JPEGImageReader memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|80 F3 91 80 F2 25 98 54 C3 7B E4 24 43 12 2B 0B 09 8F E0 36 A4 7D E2 08 FD 81 9F 5C B6 8D 2B AB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2420; classtype:attempted-user; sid:29218; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImageRepresentation.setPixels integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; content:"|5A A8 F5 C3 EE D3 D7 82 9F AC 50 72 B3 14 51 9F 84 CE BB 8B E5 3B 7D E0 7A B3 8C FB BE AE 45 9D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2420; classtype:attempted-user; sid:29215; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JPEGImageWriter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; content:"|5A A8 F5 C3 EE D3 D7 82 9F AC 50 72 B3 14 51 9F 84 CE BB 8B E5 3B 7D E0 7A B3 8C FB BE AE 45 9D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2429; classtype:attempted-user; sid:29214; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ShortComponentRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:".javaPK"; nocase; content:"ColorModel.classPK"; within:100; nocase; content:"SampleModel.classPK"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60656; reference:cve,2013-2472; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:29491; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ShortComponentRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:".javaPK"; nocase; content:"ColorModel.classPK"; within:100; nocase; content:"SampleModel.classPK"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60656; reference:cve,2013-2472; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:29490; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Rhino script engine remote code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:".toString"; content:"setSecurityManager"; content:"javax/script/ScriptException"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; classtype:attempted-user; sid:29535; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|14 03 00|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:29606; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; fast_pattern:only; content:"|14 03 00|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,58296; reference:cve,2013-0809; classtype:attempted-user; sid:29605; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java java.util.concurrent.ConcurrentHashMap memory corruption attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"~ACED0005737200266A6176612E75746"; fast_pattern:only; metadata:service smtp; reference:bugtraq,59206; reference:cve,2013-2426; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:29972; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java java.util.concurrent.ConcurrentHashMap memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"~ACED0005737200266A6176612E75746"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,59206; reference:cve,2013-2426; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:29971; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java java.util.concurrent.ConcurrentHashMap memory corruption attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"0245365676D656E743B7870FFFFFFFF0"; fast_pattern:only; metadata:service smtp; reference:bugtraq,59206; reference:cve,2013-2426; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:29970; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java java.util.concurrent.ConcurrentHashMap memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"0245365676D656E743B7870FFFFFFFF0"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,59206; reference:cve,2013-2426; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:29969; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_server,established; file_data; content:"class|6D 54 59 57 D3 40 14 FE 42 5B 52 E2|"; fast_pattern:only; metadata:service smtp; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:30218; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_client,established; file_data; content:"class|6D 54 59 57 D3 40 14 FE 42 5B 52 E2 00 5A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:30217; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|70 6F 69 6E 74 2E 63 6C 61 73 73 AD 56 59 57 DB 46 14 FE C4 26 10 4E 02 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:31512; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|70 6F 69 6E 74 2E 63 6C 61 73 73 AD 56 59 57 DB 46 14 FE C4 26 10 4E 02 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:31511; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Web Start arbitrary command execution attempt"; flow:to_client,established; file_data; content:"<jnlp"; fast_pattern:only; content:"<resources>"; pcre:"/\x3cresources\x3e.*?\x2d(XXaltjvm|jar|cp|classpath)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0500; classtype:attempted-user; sid:31946; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|C5 ED 21 7C 80 0F 53 B8 83 8F 86 71 17 79 03 F7 06 B1 34 8C 7E DC 4F 61 04 1F 1B 78 90 C2 10 96 0D 14 52 18 C6 8A 81 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:32235; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|C5 ED 21 7C 80 0F 53 B8 83 8F 86 71 17 79 03 F7 06 B1 34 8C 7E DC 4F 61 04 1F 1B 78 90 C2 10 96 0D 14 52 18 C6 8A 81 4F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:32234; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|36 10 22 09 90 87 BD 3B 73 F7 BB F7 7E 73 E7 DE BB 7F FF F3 FB 9F 00 16 F0 3C 85 61 DC 1E C0 87 F8 28 85 3B F8 78 10 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:32233; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|36 10 22 09 90 87 BD 3B 73 F7 BB F7 7E 73 E7 DE BB 7F FF F3 FB 9F 00 16 F0 3C 85 61 DC 1E C0 87 F8 28 85 3B F8 78 10 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:32232; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class|file.jar; file_data; content:"java/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"|62 90 1E 43 33 21 E5 8F 5A 02 00 00 5A 02 00 00 17|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:cve,2013-2473; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:31541; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class|file.jar; file_data; content:"java/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"|62 90 1E 43 33 21 E5 8F 5A 02 00 00 5A 02 00 00 17|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:cve,2013-2473; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:31540; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|8D 2C 4B A6 61 92 CF 38 E2 92 6E 58 F3 E4 DD B0 F2 84 53 20 A6 55 4B 13 79 9C 8F D6 0D 8A D9 A2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:31367; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.tracing.ProviderSkeleton sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|8D 2C 4B A6 61 92 CF 38 E2 92 6E 58 F3 E4 DD B0 F2 84 53 20 A6 55 4B 13 79 9C 8F D6 0D 8A D9 A2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:31366; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|01 00 06|filter|01 00 5C 28 4C|"; content:"|3B 00 1A 00 45 00 1C 00 64 00 1D 00 83 00 1F 00 91 00 20 00 9D 00 22 00 A7 00 27 00 AA 00 24 00 AB 00 26 00 AF|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:29273; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|72 61 63 65 00 21 00 40 00 42 00 00 00 03 00 01 00 45 00 46 00 00 00 11 00 47 00 46 00 01 00 48|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:29272; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|72 61 63 65 00 21 00 40 00 42 00 00 00 03 00 01 00 45 00 46 00 00 00 11 00 47 00 46 00 01 00 48|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:29271; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|01 00 06|filter|01 00 5C 28 4C|"; content:"|3B 00 1A 00 45 00 1C 00 64 00 1D 00 83 00 1F 00 91 00 20 00 9D 00 22 00 A7 00 27 00 AA 00 24 00 AB 00 26 00 AF|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:29270; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster.verify method integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"MyJApplet.classPK"; content:"DropIt.classPK"; within:60; content:"MyJApplet$MySampleModel.classPK"; within:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:28916; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster.verify method integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"MyJApplet.classPK"; content:"DropIt.classPK"; within:60; content:"MyJApplet$MySampleModel.classPK"; within:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:28915; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.classPK"; fast_pattern:only; content:"MyColorSpace.classPK"; nocase; content:"MyJApplet.classPK"; nocase; content:"DropIt.classPK"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; reference:url,www.virustotal.com/file/b3ceede0fa73d773b4bbddda2a963e827935c61328966fc314a498080c315230/analysis/; classtype:attempted-user; sid:28277; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.classPK"; fast_pattern:only; content:"MyColorSpace.classPK"; nocase; content:"MyJApplet.classPK"; nocase; content:"DropIt.classPK"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; reference:url,www.virustotal.com/file/b3ceede0fa73d773b4bbddda2a963e827935c61328966fc314a498080c315230/analysis/; classtype:attempted-user; sid:28276; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"poc$MyModel"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27751; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"poc$MyModel"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:cve,2013-2473; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27750; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Ljava/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"Ljava/lang/StringBuilder"; content:"getSecurityManager"; within:25; content:"Ljava/lang/SecurityManager"; within:50; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27692; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Ljava/awt/image/SinglePixelPackedSampleModel"; fast_pattern:only; content:"Ljava/lang/StringBuilder"; content:"getSecurityManager"; within:25; content:"Ljava/lang/SecurityManager"; within:50; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:27691; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"META-INF/MANIFEST.MFPK"; content:"$"; within:1; distance:110; content:".classPK"; within:8; distance:12; pcre:"/META-INF\/MANIFEST\.MFPK.{44}(?P<outerclass>[a-zA-Z]{7})\.classPK.{44}(?P=outerclass)\$[a-zA-Z]{12}\.classPK.{44}(?P=outerclass)\$[a-zA-Z]{12}\.classPK/sm"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27677; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"META-INF/MANIFEST.MFPK"; content:"$"; within:1; distance:110; content:".classPK"; within:8; distance:12; pcre:"/META-INF\/MANIFEST\.MFPK.{44}(?P<outerclass>[a-zA-Z]{7})\.classPK.{44}(?P=outerclass)\$[a-zA-Z]{12}\.classPK.{44}(?P=outerclass)\$[a-zA-Z]{12}\.classPK/sm"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27676; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.classPK"; fast_pattern:only; content:"MyColorSpace.classPK"; nocase; content:"DownloadExec.classPK"; nocase; content:"AccessControlClass.classPK"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; reference:url,www.virustotal.com/file/b3ceede0fa73d773b4bbddda2a963e827935c61328966fc314a498080c315230/analysis/; classtype:attempted-user; sid:27675; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.classPK"; fast_pattern:only; content:"MyColorSpace.classPK"; nocase; content:"DownloadExec.classPK"; nocase; content:"AccessControlClass.classPK"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; reference:url,www.virustotal.com/file/b3ceede0fa73d773b4bbddda2a963e827935c61328966fc314a498080c315230/analysis/; classtype:attempted-user; sid:27674; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"PocColorModel.classPK"; fast_pattern:only; content:"PocColorSpace.classPK"; nocase; content:"poc.classPK"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27673; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PocColorModel.classPK"; fast_pattern:only; content:"PocColorSpace.classPK"; nocase; content:"poc.classPK"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27672; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.class"; fast_pattern:only; content:"java/awt/image/AffineTransformOp"; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27622; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp storeImageArray memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"MyColorModel.class"; fast_pattern:only; content:"java/awt/image/AffineTransformOp"; content:"getRuntime"; content:"Ljava/lang/Runtime"; within:25; content:"exec"; within:15; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60657; reference:cve,2013-2465; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27621; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"ExploitApp.classPK"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27191; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"ExploitApp.classPK"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27190; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; fast_pattern:only; content:"sun.org.mozilla.javascript.internal.Context"; nocase; content:"com/sun/tracing/ProviderFactory"; distance:0; nocase; content:"java/lang/reflect/InvocationHandler"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27189; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; fast_pattern:only; content:"sun.org.mozilla.javascript.internal.Context"; nocase; content:"com/sun/tracing/ProviderFactory"; distance:0; nocase; content:"java/lang/reflect/InvocationHandler"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27188; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Applet disable security manager attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"DisableSecurityManagerAction.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27077; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Applet disable security manager attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"DisableSecurityManagerAction.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27076; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java runtime JMX findclass sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|5B C7 59 FF 46 2B ED 9B 95 65 7B 3D EB B5 AD D8|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57563; reference:cve,2013-0431; classtype:attempted-admin; sid:26588; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java runtime JMX findclass sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/jmx/mbeanserver/Introspector"; fast_pattern:only; content:"findClass"; content:"com.sun.jmx.mbeanserver.MBeanInstantiator"; content:"declaredMethods"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57563; reference:cve,2013-0431; classtype:attempted-admin; sid:26587; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java malicious class download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:!"DB2ParserLUW"; content:"exploit"; nocase; content:".classPK"; within:20; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53960; reference:bugtraq,55213; reference:bugtraq,57246; reference:bugtraq,60659; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2471; classtype:attempted-user; sid:25830; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java obfuscated jar file download attempt"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"Obfuscation by Allatori Obfuscator"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:25562; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; content:"PK"; distance:-800; pcre:"/^\x01\x02.{0,50}[a-zA-Z]{10}\x2fPK.{0,50}[a-zA-Z]{10}\x2f[a-zA-Z]{7}\.classPK/sR"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57246; reference:cve,2012-5088; reference:cve,2013-0422; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25472; rev:11;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"exploit/"; nocase; content:".class"; within:20; nocase; pcre:"/exploit\/(Exploit(App)?|Loader)\.class/ims"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:cve,2012-4681; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25123; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"poc/"; nocase; content:".class"; within:20; nocase; pcre:"/poc\/(Exploit|myClassLoader|pocMain|runCmd)\.class/ims"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25122; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle JavaScript heap exploitation library usage attempt"; flow:to_server,established; file_data; content:"heapLib.ie.prototype.freeOleaut32"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0779; reference:cve,2012-4969; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:attempted-user; sid:25006; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"4e34523454tS345e334545c345u5356r67i6t6y4354834M9"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24769; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime true type font idef opcode heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar|file.class|file.ttf; file_data; content:"|00 01 00 00|"; depth:4; content:"|89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0499; classtype:attempted-user; sid:24701; rev:12;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"Trigger.class"; fast_pattern:only; pcre:"/(DisableSandboxAndDrop|ConfusedClass|FieldAccessVerifierExpl)\.class/ims"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:24202; rev:10;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Trigger.class"; fast_pattern:only; pcre:"/(DisableSandboxAndDrop|ConfusedClass|FieldAccessVerifierExpl)\.class/ims"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:24201; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/beans/finder/MethodFinder"; fast_pattern:only; content:"sun.awt.SunToolkit|07 00 73 0C 00 74 00 75 01 00 08|getField"; content:"java/security/AccessControlContext"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24063; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|51 DB 6A 4F B5 16 EF 52 DB D4 AA 15 43 BB 89 C6 AB D5 06 B5 97 D6 AA D5 D6 A3 F5 D6 DE AD F5 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; reference:cve,2012-5076; classtype:attempted-admin; sid:24026; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle JavaScript heap exploitation library usage attempt"; flow:to_client,established; file_data; content:"heapLib.ie.prototype.freeOleaut32"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0779; reference:cve,2012-4969; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:attempted-user; sid:23614; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|B1 00 02 00 06 00 20 00 23 00 48 00 04 00 3E 00 45 00 48 00 00 00 09 00 16 00 4A 00 01 00 0B 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23277; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|07 02 36 0B 43 07 02 39 0B 43 07 02 3C 0B 43 07 02 3F 0B 43 07 02 42 0B 43 07 02 45 0B 43 07 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23276; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|00 01 00 0B 00 00 00 3D 00 06 00 02 00 00 00 1C 04 3C 2A B2 00 12 B2 00 18 1B 04 64 B2 00 18 BE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23275; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|00 25 B6 00 12 B8 00 2B A7 00 08 4C 2B B6 00 31 B1 00 01 00 00 00 30 00 33 00 36 00 02 00 0A 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23274; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; flowbits:isset,file.zip; file_data; content:".classPK"; nocase; pcre:"/(sIda\/sId|urua\/uru)[abcd]\.classPK/ims"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23273; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Zip file directory record overflow attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|05 06|"; content:"|00 00|"; within:2; distance:6; content:"|2E 00 00 00|"; within:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52013; reference:cve,2012-0501; classtype:attempted-user; sid:23243; rev:13;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"AtomicReferenceArray"; nocase; content:"getClassLoader"; distance:0; nocase; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21667; rev:11;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"atomic"; content:"AtomicReferenceArray"; within:20; distance:1; content:"getClassLoader"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52161; reference:cve,2012-0507; reference:cve,2015-2590; classtype:attempted-user; sid:21666; rev:11;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"|35 37 32 37 32 36 35 36 45 37 34 32 45 36 31 37 34 36 46 36 44 36 39 36|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21665; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"|33 36 35 37 30 37 34 36 39 36 46 01 00 2C 36 45 30 31 30 30 30 36 36 31|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21664; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start arbitrary command execution attempt"; flow:to_client,established; file_data; content:"<jnlp"; fast_pattern:only; content:"<resources>"; pcre:"/\x3cresources\x3e.*?\x2d(XXaltjvm|jar|cp|classpath)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0500; classtype:attempted-user; sid:21481; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Applet remote code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Exploit.class"; fast_pattern:only; content:"Payload.class"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3544; reference:cve,2012-5076; classtype:attempted-user; sid:20622; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; file_data; content:"AppletX"; fast_pattern:only; pcre:"/\x3C\s*applet[^\x3E\n$]*code\s*=\s*[\x27\x22]AppletX[\x22\x27][^\x3E\n$]*archive\s*=\s*[\x22\x27][^\s\x3E\n$]{32}\x2Ejar[\x22\x27]/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:19926; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Soundbank resource name overflow attempt"; flow:to_client,established; file_data; content:"snd|20 00 00|"; byte_test:1,>,0x7F,2,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39070; reference:cve,2010-0839; classtype:attempted-user; sid:19100; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"launchjnlp"; fast_pattern; nocase; content:"docbase"; within:100; nocase; isdataat:80,relative; pcre:"/^([\x22\x27]\s*value)?\s*=\s*\x22[^\x22]{70}/Rsmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44023; reference:cve,2010-3552; classtype:attempted-user; sid:18244; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start JNLP j2se key value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jnlp; file_data; content:"<j2se "; content:"java|2D|vm|2D|"; distance:0; isdataat:1024,relative; pcre:"/args\s*?\x3d\s*?[\x22\x27][^\s\x22\x27\x3e]{1024}/smiR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:17631; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.psfont; file_data; content:"|CF F9 2A 69 CE 32 21 93 B1 0D 9E 89 77 CD DD 58 3A C0 0C 33 A1 9F A4 4C E9 D0 66 FB CD 2D F1 B8 3E F8 FF 09 7D 7E 94 CA 6C 78 5C 7E FF 42 D1 B8|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17623; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start malicious parameter value"; flow:to_client,established; file_data; content:"<jnlp "; nocase; content:"<resources>"; distance:0; nocase; content:" -classpath"; distance:0; fast_pattern; nocase; pcre:"/<property[^>]*?value\s*=\s*(?P<q1>\x22|\x27).*? -classpath.*?(?P=q1)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,11726; reference:cve,2004-1029; classtype:attempted-user; sid:17586; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime Environment JAR File Processing Stack Buffer Overflow"; flow:to_client,established; file_data; content:"|1D 79 05 13 28 88 55 51 C2 A4 84 29 05 12 0C 19|"; content:"|F1 2B C6 40 A1 3D C6 60 81 A8 5D 28 34 30 44 06|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32608; reference:cve,2008-5354; classtype:attempted-user; sid:17563; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow attempt"; flow:to_client,established; content:"Content-Encoding|3A|"; nocase; http_header; content:"pack200-gzip"; within:20; nocase; http_header; file_data; content:"|CA FE D0 0D|"; content:"|C5 FC FC FC FC 00 D6|"; within:50; fast_pattern; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32608; reference:cve,2008-5352; classtype:misc-attack; sid:17562; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow"; flow:to_client,established; content:"Content-Encoding: pack200-gz"; nocase; content:"|9A 10 3A C7 39 E2 E6 DE BE F7 71 BA 7C 22 5E D7|"; content:"|49 F4 EF C7 73 9F 9B 9C 8B 32 A7 88 58 FF 13 31|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34240; reference:cve,2009-1095; classtype:attempted-user; sid:17522; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 0B 28|II[B[B[B|29|V|01 00 0A|setDiffICM|01 00|S|28|II"; content:"|0A|,|10 0A 11 01 90 BB 00 17|Y|10 10 08 08 BC|"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:16288; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start xml encoding buffer overflow attempt"; flow:to_client,established; file_data; content:"<?xml"; nocase; content:"encoding"; distance:0; nocase; pcre:"/^<\x3Fxml[^>]+?encoding\s*=\s*(\x22[^\x22]{28}|\x27[^\x27]{28})/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28083; reference:cve,2008-1188; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1; classtype:attempted-admin; sid:15081; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Web Start JNLP attribute buffer overflow attempt"; flow:to_client,established; file_data; content:"<j2se"; nocase; pcre:"/\x3cj2se[^\x3e]*(initial|max)-heap-size\s*\x3d\s*(\x22|\x27)[^\x22\x27]{50}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:13950; rev:14;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/naming/internal/VersionHelper"; content:"loadClass"; within:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2014-0422; classtype:policy-violation; sid:35469; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/naming/internal/ResourceManager"; content:"getFactory"; within:50; metadata:service http; reference:cve,2014-0422; classtype:policy-violation; sid:35468; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/naming/internal/ResourceManager"; content:"getFactories"; within:50; metadata:service http; reference:cve,2014-0422; classtype:policy-violation; sid:35467; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java System.arraycopy race condition attempt"; flow:to_client,established; file_data; content:"|33 00 21 00 35 00 28 00 00 00 09 00 04 00 19 42 07 00 2A 03 00 02 00 2B 00 00 00 02 00 2C 00 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0456; classtype:attempted-user; sid:36240; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java System.arraycopy race condition attempt"; flow:to_server,established; file_data; content:"|33 00 21 00 35 00 28 00 00 00 09 00 04 00 19 42 07 00 2A 03 00 02 00 2B 00 00 00 02 00 2C 00 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0456; classtype:attempted-user; sid:36239; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt"; flow:to_server,established; file_data; content:"|44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02|"; fast_pattern:only; metadata:service smtp; reference:url,oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-dos; sid:36525; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt"; flow:to_client,established; file_data; content:"|44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02 44 40 00 02|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-dos; sid:36524; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|87 07 32 79 2B 0E 02 62 0A 46 C6 50 F5 B4 F0 8F FB 22 CE 68 1A 47 AD 18 2C 2F 4A 13 5F BE 56 46|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:37665; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|87 07 32 79 2B 0E 02 62 0A 46 C6 50 F5 B4 F0 8F FB 22 CE 68 1A 47 AD 18 2C 2F 4A 13 5F BE 56 46|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66866; reference:cve,2014-0457; classtype:attempted-user; sid:37664; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|01 00 06|filter|01 00|"; content:"|02 00 11 02 00 07 BC 0A 59 03 12 03 4F 59 04 12|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:37821; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/LookupOp"; fast_pattern:only; content:"|01 00 06|filter|01 00|"; content:"|02 00 11 02 00 07 BC 0A 59 03 12 03 4F 59 04 12|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:37820; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"More_work.class"; fast_pattern:only; content:"META-INF/MANIFEST.MF"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:37819; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java sun.awt.image.ImagingLib.lookupByteBI memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"More_work.class"; fast_pattern:only; content:"META-INF/MANIFEST.MF"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60651; reference:cve,2013-2470; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:37818; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|4D CC CB 4C 4B 2D 2E D1 0D 4B 2D 2A CE CC CF B3 52 30 D4 33 E0 E5 72 2E 4A 4D 2C 49 4D D1 75 AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:cve,2013-2473; reference:cve,2014-4262; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; reference:url,www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html; classtype:attempted-user; sid:37805; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|4D CC CB 4C 4B 2D 2E D1 0D 4B 2D 2A CE CC CF B3 52 30 D4 33 E0 E5 72 2E 4A 4D 2C 49 4D D1 75 AA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:cve,2013-2473; reference:cve,2014-4262; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; reference:url,www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html; classtype:attempted-user; sid:37804; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"Ljava/awt/image/WritableRaster|3B|"; fast_pattern:only; content:"setSecurityManager"; content:"java/awt/image/Raster"; distance:0; content:"createWritableRaster"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:37803; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"Ljava/awt/image/WritableRaster|3B|"; fast_pattern:only; content:"setSecurityManager"; content:"java/awt/image/Raster"; distance:0; content:"createWritableRaster"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60659; reference:cve,2013-2471; reference:url,www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html; classtype:attempted-user; sid:37802; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java Class Loader namespace sandbox bypass attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"loadClass"; content:"findStatic"; content:"java/lang/invoke/MethodHandles$Lookup"; content:"getContext"; content:"invokeExact"; metadata:policy security-ips drop, service smtp; reference:bugtraq,63131; reference:cve,2013-5838; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html; classtype:attempted-user; sid:38339; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java Class Loader namespace sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"loadClass"; content:"findStatic"; content:"java/lang/invoke/MethodHandles$Lookup"; content:"getContext"; content:"invokeExact"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,63131; reference:cve,2013-5838; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html; classtype:attempted-user; sid:38338; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java RangeStatisticImpl sandbox breach attempt"; flow:to_server,established; file_data; content:"StatisticImpl"; fast_pattern:only; content:"invoke"; nocase; pcre:"/(AverageRange|Boundary|BoundedRange|Count|Range|String|Time)StatisticImpl/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,56054; reference:cve,2012-5076; classtype:attempted-user; sid:39355; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java RangeStatisticImpl sandbox breach attempt"; flow:to_client,established; file_data; content:"StatisticImpl"; fast_pattern:only; content:"invoke"; nocase; pcre:"/(AverageRange|Boundary|BoundedRange|Count|Range|String|Time)StatisticImpl/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56054; reference:cve,2012-5076; classtype:attempted-user; sid:39354; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java strlen denial of service attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"|2E 2E 07 00 19 0C 00 1A 00 1B 01 00 0C 42 43 54 65 73 74 41 70 70 6C 65 74 01 00 12 6A 61 76 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,www.oracle.com/technetwork/java/index.html; classtype:denial-of-service; sid:45259; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java strlen denial of service attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|2E 2E 07 00 19 0C 00 1A 00 1B 01 00 0C 42 43 54 65 73 74 41 70 70 6C 65 74 01 00 12 6A 61 76 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.oracle.com/technetwork/java/index.html; classtype:denial-of-service; sid:45258; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA IBM Java invokeWithPrivilege method call attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/ibm/rmi/util/ProxyUtil"; fast_pattern:only; content:"invokeWithPrivilege"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-4820; classtype:attempted-user; sid:45351; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA IBM Java invokeWithClassLoaders method call attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/ibm/rmi/util/ProxyUtil"; fast_pattern:only; content:"invokeWithClassLoaders"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-4820; classtype:attempted-user; sid:45350; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA IBM Java invokeWithPrivilege method call attempt"; flow:to_server,established; flowbits:isset,file.class; content:"com/ibm/rmi/util/ProxyUtil"; fast_pattern:only; content:"invokeWithPrivilege"; metadata:service smtp; reference:cve,2012-4820; classtype:attempted-user; sid:45349; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"FILE-JAVA IBM Java invokeWithClassLoaders method call attempt"; flow:to_server,established; flowbits:isset,file.class; content:"com/ibm/rmi/util/ProxyUtil"; fast_pattern:only; content:"invokeWithClassLoaders"; metadata:service smtp; reference:cve,2012-4820; classtype:attempted-user; sid:45348; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java strlen denial of service attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"|B2 00 02 12 03 B6 00 04 CA 00 00 00 01 00 0A 00 00 00 0A 00 02 00 00 00 0C 00 08 00 0D 00 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,www.oracle.com/technetwork/java/index.html; classtype:denial-of-service; sid:45347; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java strlen denial of service attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|B2 00 02 12 03 B6 00 04 CA 00 00 00 01 00 0A 00 00 00 0A 00 02 00 00 00 0C 00 08 00 0D 00 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.oracle.com/technetwork/java/index.html; classtype:denial-of-service; sid:45346; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java JPEGImageWriter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jar; content:"|11 01 90 A4 00 20 19 04 01 BB 00 16 59 2D 01 01 B7 00 17 BB 00 1B 59 B8|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2429; classtype:attempted-user; sid:49117; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java JPEGImageWriter memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jar; content:"|11 01 90 A4 00 20 19 04 01 BB 00 16 59 2D 01 01 B7 00 17 BB 00 1B 59 B8|"; fast_pattern:only; metadata:service smtp; reference:cve,2013-2429; classtype:attempted-user; sid:49116; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"|F5 CD D8 30 4C 75 13 CF 30 F3 3B FC E0 F3 0E F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-2463; classtype:attempted-user; sid:49256; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java ImagingLib buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|F5 CD D8 30 4C 75 13 CF 30 F3 3B FC E0 F3 0E F5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2463; classtype:attempted-user; sid:49255; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/security/ProtectionDomain"; fast_pattern:only; content:"file|3A 2F 2F 2F|"; content:"java/security/AccessControlContext"; content:"getField"; content:"execute|01 00 08|getValue"; content:"java/awt/Graphics"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:49846; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java/security/ProtectionDomain"; fast_pattern:only; content:"file|3A 2F 2F 2F|"; content:"java/security/AccessControlContext"; content:"getField"; content:"execute|01 00 08|getValue"; content:"java/awt/Graphics"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-4681; classtype:attempted-admin; sid:49845; rev:1;)


@@ -0,0 +1,416 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# FILE-MULTIMEDIA RULES
#-----------------------
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.pls; file_data; content:"[playlist]"; depth:10; nocase; isdataat:1000; content:"File"; distance:0; pcre:"/^\d+\x3Dhttps?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2005-0043; classtype:attempted-user; sid:26724; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes playlist overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http"; offset:7; nocase; content:"://"; within:4; isdataat:550,relative; content:!"|0D|"; within:1000; content:!"|0A|"; within:1000; metadata:policy max-detect-ips drop, service smtp; reference:cve,2005-0043; classtype:attempted-user; sid:26667; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime Movie file clipping region handling heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"clip"; content:"crgn"; within:4; distance:4; byte_jump:4,-8,relative,big; content:!"|7F FF 7F FF|"; within:4; distance:-8; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35167; reference:cve,2009-0954; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:26564; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; depth:6; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:26472; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Cool Player Plus M3U buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"|8A 1D F3 77|"; offset:220; metadata:service smtp; reference:url,1337day.com/exploit/20242; classtype:attempted-user; sid:26318; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Cool Player Plus M3U buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|8A 1D F3 77|"; offset:220; metadata:service ftp-data, service http, service imap, service pop3; reference:url,1337day.com/exploit/20242; classtype:attempted-user; sid:26317; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"C|3A 5C|"; depth:3; isdataat:1024,relative; content:!"|0D 0A|"; within:1024; content:!".mp3|0D 0A|"; within:1024; metadata:service smtp; reference:bugtraq,50859; reference:cve,2011-5170; classtype:attempted-admin; sid:26243; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"C|3A 5C|"; depth:3; isdataat:1024,relative; content:!"|0D 0A|"; within:1024; content:!".mp3|0D 0A|"; within:1024; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50859; reference:cve,2011-5170; classtype:attempted-admin; sid:26242; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime Obji Atom parsing stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"obji"; byte_test:4,<,20,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28583; reference:cve,2008-1022; classtype:attempted-user; sid:26109; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xspf; file_data; content:"<trackList>"; nocase; content:"<track>"; within:200; nocase; content:"<identifier>-"; within:1000; nocase; content:"</track>"; within:1000; nocase; content:"</trackList>"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-4558; classtype:attempted-user; sid:25797; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25796; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25795; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft GDI EMF malformed file buffer overflow attempt"; flow:to_client,established; file_data; content:" EMF"; depth:4; offset:40; content:"|46 00 00 00|"; byte_extract:4,4,size,relative,little; content:"EMF+"; within:4; content:"|00 00 C0 FF|"; within:size; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-052; classtype:attempted-user; sid:25502; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ogg; file_data; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25298; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST"; depth:8; offset:8; content:"hdrlavih"; within:8; distance:4; content:"INFO"; distance:0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:service smtp; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:24955; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_server,established; file_data; content:"{QTtext}"; depth:8; pcre:"/\x7b[^\x3a\x7d]+?\x3a[^\x7d]{1023}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0664; classtype:attempted-user; sid:24699; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime&file.swf; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; content:"avc"; distance:0; content:"|FF E1|"; within:128; byte_test:2,>,256,0,relative; byte_test:2,>,256,21,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2140; reference:url,adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:24672; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4|file.m4v; content:"moov"; nocase; content:"trak"; distance:0; nocase; content:"mdia"; distance:0; nocase; content:"minf"; distance:0; nocase; content:"stbl"; distance:0; nocase; content:"stsd"; distance:0; nocase; content:"avc1"; distance:0; nocase; content:"avcC"; distance:0; nocase; content:"|FF E1|"; within:2; distance:4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24641; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg"; distance:0; byte_test:2,>,0x7000,14,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24550; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC webm memory corruption attempt"; flow:to_server,established; flowbits:isset,file.webm; file_data; content:"|1A 45 DF A3|"; depth:4; content:"webm"; within:4; distance:27; nocase; content:"|15 49 A9 66 01 00 00 00|"; distance:0; byte_test:4,>,1024,0,relative; metadata:service smtp; reference:bugtraq,46060; reference:cve,2011-0531; reference:url,videolan.org/security/sa1102.html; classtype:attempted-user; sid:24283; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime streaming debug error logging buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.smil; file_data; content:"<smil"; fast_pattern:only; content:"src"; nocase; isdataat:449,relative; pcre:"/^\s*\=\s*(?![\x22\x27]?http(|s|1|s1)\x3a\x2f{2})(\x22[^\x22]{449}|\x27[^\x27]{449}|\S{449})/iR"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,41962; reference:cve,2010-1799; classtype:attempted-user; sid:24220; rev:5;)
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt"; flow:to_client,established; content:"RIFF"; depth:100; content:"AVI "; within:4; distance:4; content:"strf"; byte_test:4,>,1088,0,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:23943; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime VR Track Header Atom heap corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"trak"; content:"tkhd|00 00 00 0F|"; within:8; distance:4; fast_pattern; isdataat:40,relative; pcre:"/trak.{4}tkhd.{40}(?=.{20})(?!\x00\x01\x00\x00.{12}\x00\x01\x00\x00)/s"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33384; reference:cve,2009-0002; reference:url,support.apple.com/kb/HT3403; classtype:attempted-user; sid:23623; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"#EXTINF"; depth:7; pcre:"/^\x23EXTINF.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23588; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; depth:7; pcre:"/^\x23EXTM3U.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23587; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; byte_test:1,>,0xBF,0,relative; byte_test:1,<,0xF0,0,relative; byte_jump:2,1,relative,post_offset -4; content:"|FF FF FF FF|"; within:4; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0659; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:23581; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23576; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23575; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23574; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23573; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23572; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23571; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23570; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_server,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih8|00 00 00|"; within:12; distance:4; isdataat:!56,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:23569; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih"; within:8; distance:4; byte_test:4,!=,56,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:23568; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVI Header insufficient data corruption attempt"; flow:to_server,established; flowbits:isset,file.avi; file_data; content:"RIFF"; fast_pattern; content:"AVI "; within:4; distance:4; content:"avih"; distance:0; byte_extract:4,0,chunk_size,little,relative; isdataat:!chunk_size,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35967; reference:cve,2009-1545; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-038; classtype:attempted-user; sid:23567; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVI DirectShow QuickTime parsing overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; fast_pattern; byte_test:1,>,31,58,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35139; reference:cve,2009-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:23565; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Oracle Java MixerSequencer RMF MIDI structure handling exploit attempt"; flow:established,to_client; flowbits:isset,file.rmf; file_data; content:"IREZ"; depth:4; fast_pattern; content:"MThd"; distance:0; content:"MTrk"; distance:0; content:"|00 B0|"; within:6; distance:4; content:"|00|"; within:1; distance:1; metadata:service http; reference:bugtraq,39077; reference:cve,2010-0842; reference:cve,2011-3545; classtype:attempted-user; sid:23490; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"#EXTINF"; depth:7; pcre:"/^\x23EXTINF.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23272; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA HT-MP3Player file parsing boundary buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.ht3; content:"|E9 EF EF FF FF 6C 40 00|"; depth:8; offset:4108; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,43811; reference:cve,2009-2485; classtype:attempted-user; sid:21805; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"str"; nocase; pcre:"/^[ndfhl]/smiR"; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21775; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"JUNK"; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21774; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21773; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"hdr1"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21772; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"avih"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21771; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"movi"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21770; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MicroP mppl stack buffer overflow"; flow:to_client,established; flowbits:isset,file.mppl; file_data; isdataat:1276; content:"|B5 45 01 10|"; depth:1280; metadata:service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:21397; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Magix Musik Maker 16 buffer overflow attempt"; flow:to_client,established; file_data; content:"|5D C6 9F 2E C2 53 02 20 04 80 FA 1F 12 3A FF 1F FF FF FF FF|"; fast_pattern; content:"|33 C0 64 8B 40 30 83 C0 48 83 C0 48 8B 10 83 C2 4C 83 C2 4C 8B 12|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21393; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST"; depth:8; offset:8; content:"hdrlavih"; within:8; distance:4; content:"INFO"; distance:0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:21168; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MJM Quickplayer s3m buffer overflow"; flow:to_client,established; flowbits:isset,file.s3m; file_data; content:"|42 42 42 42 42 42 42 42 41 41 41 41 41 41 41 41|"; depth:16; isdataat:1091,relative; content:"|6F 15 00 10|"; within:4; distance:1092; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21107; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA A-PDF Wav to mp3 converter buffer overfow"; flow:to_client,established; flowbits:isset,file.wav; file_data; isdataat:4136; content:"|5C 26 47 00|"; depth:8; offset:4132; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21093; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp player mp4 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stco"; nocase; content:"|00 00 5A 44 43 42 41 41 41 41 41 41 31 C9 83 E9 B8 D9 EE D9 74 24 F4 5B 81 73 13 90 FA 88 B7 83|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23723; reference:cve,2007-2498; classtype:attempted-user; sid:21091; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp player mp4 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stco"; nocase; content:"|00 00 5A 44 43 42 41 41 41 41 41 41 31 C9 83 E9 DD D9 EE D9 74 24 F4 5B 81 73 13 D8 19 25 C7 83|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23723; reference:cve,2007-2498; classtype:attempted-user; sid:21090; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow GraphEdt closed captioning memory corruption"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|52 49 46 46 F8 C1 4E 0E 41 56 49 20 4C 49 53 54 90 7C 01 00 68 64 72 6C 61 76 69 68 38 00 00 00 56 82 00 00 5D FA 4C 01 00 02 00 00 10 08 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0004; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:21078; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"|3C|location|3E|"; nocase; pcre:"/smb\x3A\x2F\x2F[^\x2F]*\x2f[^\x2e\x3c]{12,}[\x2f\x3c\s]/Ri"; reference:url,www.exploit-db.com/exploits/10333/; classtype:misc-attack; sid:20673; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player ASX file ref href buffer overflow attempt"; flow:to_server,established; file_data; content:"<ref"; nocase; content:"href"; distance:0; nocase; pcre:"/<ref\s+href\s*=\s*\x22([^\x22]{2}|(\x25[0-9A-Z]{2}){1,2})\x3A\x2F[^\x22]{100}/smi"; metadata:service smtp; reference:bugtraq,21247; reference:cve,2006-6134; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-078; classtype:attempted-user; sid:20653; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp MIDI file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"CTMF"; depth:4; byte_test:2,>,0x400,8,little; metadata:service ftp-data, service http, service imap, service pop3; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:20559; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Un4seen Developments XMPlay crafted ASX file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; nocase; content:"#EXTINF|3A|0|2C|"; distance:0; nocase; content:"|0D 0A|"; distance:0; content:"|3A 5C|"; within:2; distance:1; nocase; isdataat:501,relative; pcre:"/^\S{501}/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21206; reference:cve,2006-6063; classtype:attempted-user; sid:20553; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http|3A 2F 2F|"; isdataat:262,relative; content:!"|0A|"; within:262; content:!" "; within:259; distance:3; metadata:service smtp; reference:bugtraq,46926; reference:cve,2009-2650; classtype:attempted-user; sid:20237; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC webm memory corruption attempt"; flow:to_client,established; flowbits:isset,file.webm; file_data; content:"|1A 45 DF A3|"; depth:4; content:"webm"; within:4; distance:27; nocase; content:"|15 49 A9 66 01 00 00 00|"; distance:0; byte_test:4,>,1024,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46060; reference:cve,2011-0531; reference:url,videolan.org/security/sa1102.html; classtype:attempted-user; sid:20227; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"|3C|SAMI|3E|"; content:"Start|3D|"; distance:0; nocase; isdataat:500,relative; content:!"Start|3D|"; within:500; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49149; classtype:attempted-user; sid:20224; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player libdirectx_plugin.dll AMV parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"|00 00 00 02 00 00 00 00 00 10 00 A0 A0 00 00 78 00 00 00 10|"; fast_pattern:only; metadata:service http; reference:cve,2010-3275; classtype:attempted-user; sid:19883; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; content:"Accept-Ranges: bytes|0D 0A|"; fast_pattern:only; file_data; isdataat:1024; content:!"|0A|"; depth:1024; metadata:service http; reference:bugtraq,33589; reference:cve,2009-0476; reference:cve,2009-4656; reference:cve,2009-5109; classtype:attempted-user; sid:19621; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes PLS file parsing buffer overflow attempt"; flow:to_client,established; content:"|0D 0A 0D 0A|[playlist]"; nocase; content:"File"; distance:0; nocase; pcre:"/^File\d+\s*\x3D\s*[^\x2E\r\n]+\x2E[^\r\n]{32}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36478; reference:cve,2009-2817; classtype:attempted-user; sid:19560; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN vlc player subtitle buffer overflow attempt"; flow:to_client,established; file_data; content:"[Script Info]"; nocase; content:"[Events]"; distance:0; nocase; content:"Dialogue|3A|"; within:11; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; metadata:service http; reference:bugtraq,27015; reference:cve,2007-6681; classtype:attempted-admin; sid:18744; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U"; depth:7; nocase; isdataat:1000; pcre:"/https?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2005-0043; classtype:attempted-user; sid:18484; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player Firefox plugin memory corruption attempt"; flow:to_client,established; flowbits:isset,file.wmv; file_data; content:"setTimeout|28 27|location|2E|reload|28 29 27 2C| 1000"; content:"autostart|3D|1 src=|22|invalid|2E|wmv|22|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2745; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-083; classtype:attempted-user; sid:17773; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer AVI parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strf"; content:"|08 00|"; within:2; distance:18; byte_test:4,>,0x100,16,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13530; reference:cve,2005-2052; classtype:attempted-user; sid:17272; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0D\x0A\x3C]{251}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16751; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Worldweaver DX Studio Player plug-in command injection attempt"; flow:to_client,established; file_data; content:"<dxstudio"; fast_pattern:only; content:"shell.execute"; nocase; metadata:service http; reference:bugtraq,35273; reference:cve,2009-2011; classtype:attempted-user; sid:16744; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http|3A 2F 2F|"; isdataat:262,relative; content:!"|0A|"; within:262; content:!" "; within:259; distance:3; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46926; reference:bugtraq,62926; reference:cve,2009-2650; reference:cve,2013-7409; reference:url,exploit-db.com/exploits/36022/; classtype:attempted-user; sid:16739; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Xenorate Media Player XPL file handling overflow attempt - 2"; flow:to_client,established; file_data; content:"AAAAAAAA|EB 06 90 90 4B 3F 01 11 90 90 90 90|"; fast_pattern:only; metadata:service http; classtype:attempted-user; sid:16738; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Xenorate Media Player XPL file handling overflow attempt - 1"; flow:to_client,established; file_data; isdataat:92; content:!"|00|"; depth:92; content:"|FD A4 00 10|"; depth:4; offset:92; metadata:service http; classtype:attempted-user; sid:16737; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA PLF playlist name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.plf; content:"Content-Type:"; nocase; http_header; content:"application/octet-stream"; within:50; nocase; http_header; file_data; isdataat:256,relative; content:!"|20|"; depth:256; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21337; reference:cve,2006-6199; classtype:attempted-user; sid:16692; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes invalid tref box exploit attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"tref"; byte_test:4,>,19,-8,relative; pcre:"/^(\x00{4}|[\x80-\xff])/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0531; reference:url,support.apple.com/kb/HT4105; classtype:attempted-dos; sid:16224; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes DAAP protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"daap|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)daap\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15706; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes PCAST protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"pcast|3A|//"; nocase; pcre:"/(\x22|\x27)pcast\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15705; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes ITMSS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itmss|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itmss\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15704; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes ITMS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itms|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itms\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15703; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime SMIL qtnext redirect file execution attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"qt|3A|next"; fast_pattern:only; pcre:"/qt\x3anext\s*\x3d\s*\x22\s*file\x3a\x2f{3}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,29650; reference:cve,2008-1585; classtype:attempted-user; sid:15487; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie record invalid version number exploit attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"mvhd|FF|"; within:5; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0956; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15480; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; content:"Content-Length"; nocase; http_header; pcre:"/Content-Length\x3a\s*(\d{7}|[5-9]\d{5})/iH"; metadata:service http; reference:bugtraq,30341; classtype:attempted-user; sid:14020; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; content:"Content-Length"; nocase; http_header; pcre:"/Content-Length\x3a\s*(\d{7}|[5-9]\d{5})/iH"; metadata:service http; reference:bugtraq,30341; classtype:attempted-user; sid:14019; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"tmci"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:13918; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strf"; content:"MJPG"; distance:0; byte_test:4,>,0x80000000,12,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:13824; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX SAMI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"<SAMI"; nocase; content:"<STYLE"; distance:0; nocase; content:"text/css"; within:200; nocase; isdataat:600,relative; content:!"</STYLE"; within:600; pcre:"/\x3Cstyle[^\x3E]+?type\s*\x3D\s*(?P<q>(\x22|\x27|))text\x2Fcss(?P=q)[^\x3E]*\x3E.*^\s*\S+\s*\x7b[^\x7d]{500}/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-1444; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:13823; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing cpy buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.avi; file_data; content:"|A9|cpy"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13320; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing des buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.avi; file_data; content:"|A9|des"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13319; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi|file.mp4; file_data; content:"|A9|cmt"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13318; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing ART buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.avi; file_data; content:"|A9|ART"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13316; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming audio spread error correction data length integer overflow attempt"; flow:to_client,established; file_data; content:"BFC3CD50-618F-11CF-8BB2-00AA00B4E220"; byte_test:4, >, 65522, 12, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13160; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format audio error masking integer overflow attempt"; flow:to_client,established; file_data; content:"49F1A440-4ECE-11d0-A3AC-00A0C90348F6"; byte_jump:4, 8, relative; byte_test:2, >, 65527, 14, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13159; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format interchange data integer overflow attempt"; flow:to_client,established; file_data; content:"35907DE0-E415-11CF-A917-00805F5C442B"; byte_test:2, >, 65476, 52, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13158; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VLC Media Player udp URI format string attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U"; content:"udp|3A|//"; distance:0; nocase; content:"%"; distance:0; pcre:"/\x23EXTM3U.*?udp\x3A\x2F\x2F[^\r\n]*%/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21852; reference:cve,2007-0017; reference:url,projects.info-pull.com/moab/MOAB-02-01-2007.html; classtype:attempted-user; sid:9844; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt"; flow:to_client,established; file_data; content:"MThd"; depth:4; content:"|00 00 00 00 00 00|"; within:6; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21612; reference:cve,2006-6601; reference:cve,2007-0562; classtype:denial-of-service; sid:9801; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime Movie link scripting security bypass attempt"; flow:to_client,established; file_data; content:"<?xml version"; nocase; content:"<?QuickTime type=|22|application/x-quicktime-media-link"; distance:0; nocase; pcre:"/<embed[^>]*javascript/smi"; metadata:service http; reference:bugtraq,20138; reference:cve,2006-4965; classtype:attempted-user; sid:9429; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file component name integer overflow attempt"; flow:to_client,established; content:"video/quicktime"; nocase; http_header; pcre:"/^Content-Type\x3A\s*video\x2Fquicktime/smiH"; file_data; content:"hdlr"; nocase; byte_test:1,>,250,24,relative; metadata:service http; reference:bugtraq,15308; reference:cve,2005-2754; reference:url,docs.info.apple.com/article.html?artnum=302772; classtype:attempted-user; sid:4680; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file component name integer overflow multipacket attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hdlr"; nocase; byte_test:1,>,250,24,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,15308; reference:cve,2005-2754; reference:url,docs.info.apple.com/article.html?artnum=302772; classtype:attempted-user; sid:4679; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow"; flow:to_client,established; file_data; content:".RMF"; nocase; content:"VIDORV30"; distance:0; byte_test:4,>,1000000,-16,relative; metadata:service http; reference:bugtraq,11309; reference:cve,2004-1481; reference:url,www.eeye.com/html/research/advisories/AD20041001.html; classtype:attempted-admin; sid:3470; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt"; flow:to_client,established; file_data; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; metadata:ruleset community, service http; reference:bugtraq,11730; reference:cve,2004-1119; reference:nessus,15817; classtype:attempted-user; sid:3088; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"application/smi"; fast_pattern; nocase; http_header; file_data; content:"file|3A|javascript|3A|"; pcre:"/<area\s+href=[\x22\x27]file\x3ajavascript\x3a/smi"; metadata:ruleset community, service http; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:20;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime enof atom parsing heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"tapt"; byte_extract:4,-8,track_aperture_atom_siz,relative; content:"enof"; within:track_aperture_atom_siz; byte_test:4,<,0x14,-8,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60099; reference:cve,2013-0986; reference:url,support.apple.com/kb/HT5770; classtype:attempted-user; sid:27103; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime enof atom parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"tapt"; byte_extract:4,-8,track_aperture_atom_siz,relative; content:"enof"; within:track_aperture_atom_siz; byte_test:4,<,0x14,-8,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60099; reference:cve,2013-0986; reference:url,support.apple.com/kb/HT5770; classtype:attempted-user; sid:27102; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; content:"Accept-Ranges: bytes|0D 0A|"; fast_pattern:only; file_data; content:"|5B|playlist|5D|"; depth:15; isdataat:1024,relative; content:!"|0A|"; within:1024; distance:2; metadata:service http; reference:bugtraq,33589; reference:cve,2009-0476; reference:cve,2009-4656; reference:cve,2009-5109; classtype:attempted-user; sid:28392; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"tmci"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service pop3, service smtp; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:28443; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"hdlr"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:28442; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"text|00 00 00 00 00 00|"; content:"|00 00 00 00 00 00|"; within:6; distance:16; byte_test:1,>=,251,13,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:28441; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"stageDom|00|http"; content:"System|00|security|00|allowDomain|00|AdSetupVersion|00|cID|00|aID|00|creativeID|00|"; within:62; distance:26; content:"|96 04 00 08 33 05 00 1D 96 02 00 08 26 1C 96 02 00 08|"; distance:0; content:"|06 00 09 21 01 09 22 01 1D 96 02 00 08 2D 1C 96 02 00 08 BC 49 12 9D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29061; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|11 01|"; depth:2; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:29436; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|11 01|"; depth:2; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:29435; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|02 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29546; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29545; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|08 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29544; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|01 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29543; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|02 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29542; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29541; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|08 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29540; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|01 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29539; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Flip4Mac Windows media components WMV parsing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.asf|file.wmv; file_data; content:"|26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C 0C B7 02 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,22286; reference:cve,2007-0466; reference:url,projects.info-pull.com/moab/MOAB-27-01-2007.html; classtype:attempted-user; sid:29521; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Flip4Mac Windows media components WMV parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.asf|file.wmv; file_data; content:"|26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C 0C B7 02 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,22286; reference:cve,2007-0466; reference:url,projects.info-pull.com/moab/MOAB-27-01-2007.html; classtype:attempted-user; sid:29520; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|52 58 6B 65 6B CD DC E0 DB A5 89 A8 4A BA A0 83 43 44 92 C6 A8 12 83 AC 6A 0C 05 E2 EE 96 01 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-08.html; classtype:attempted-user; sid:30152; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"stageDom|00|http"; content:"System|00|security|00|allowDomain|00|AdSetupVersion|00|cID|00|aID|00|creativeID|00|"; within:62; distance:26; content:"|96 04 00 08 33 05 00 1D 96 02 00 08 26 1C 96 02 00 08|"; distance:0; content:"|06 00 09 21 01 09 22 01 1D 96 02 00 08 2D 1C 96 02 00 08 BC 49 12 9D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:30151; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|52 58 6B 65 6B CD DC E0 DB A5 89 A8 4A BA A0 83 43 44 92 C6 A8 12 83 AC 6A 0C 05 E2 EE 96 01 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-08.html; classtype:attempted-user; sid:30150; rev:2;)
# alert tcp $EXTERNAL_NET [554,8554] -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt"; flow:to_client,established; content:"|20|"; depth:1; content:"RTSP/"; offset:1; nocase; pcre:"/^\x20.*?RTSP\x2F\s?\d\x2E\s?\d[^\n\r]/i"; metadata:service rtsp; reference:bugtraq,65131; reference:bugtraq,65139; reference:cve,2013-6933; reference:cve,2013-6934; reference:url,isecpartners.github.io/fuzzing/vulnerabilities/2013/12/30/vlc-vulnerability.html; classtype:attempted-user; sid:30215; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-MULTIMEDIA CoCSoft Stream Download session"; flow:to_server,established; content:"User-Agent|3A| CoCSoft Stream Download|0D 0A|"; fast_pattern:only; http_header; flowbits:set,cocsoft.stream; flowbits:noalert; metadata:service http; reference:bugtraq,51190; reference:cve,2011-5052; classtype:attempted-user; sid:30532; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CoCSoft Stream Down SEH based buffer overflow attempt"; flow:to_client,established; flowbits:isset,cocsoft.stream; file_data; content:"|EB 06|"; content:"|48 94 01 10|"; within:4; distance:2; metadata:service http; reference:bugtraq,51190; reference:cve,2011-5052; classtype:attempted-user; sid:30531; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CoCSoft Stream Down SEH based buffer overflow attempt"; flow:to_client,established; flowbits:isset,cocsoft.stream; file_data; content:"|EB 06|"; content:"|13 B2 05 10|"; within:4; distance:2; metadata:service http; reference:bugtraq,51190; reference:cve,2011-5052; classtype:attempted-user; sid:30530; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime long rnet atom size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"|14 72 6E 65 74 00 00 00 00 00 00 00 05 00 00 00 01 00 00 00 1A 72 6D 76|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:bugtraq,56438; reference:cve,2012-3756; classtype:attempted-user; sid:30565; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime long rnet atom size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|14 72 6E 65 74 00 00 00 00 00 00 00 05 00 00 00 01 00 00 00 1A 72 6D 76|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56438; reference:cve,2012-3756; classtype:attempted-user; sid:30564; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_server,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; pcre:"/^P:[A-G]\d{3}/m"; metadata:service smtp; reference:cve,2013-4233; classtype:attempted-user; sid:30764; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_server,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; content:"P:"; content:"("; within:10; content:"("; within:10; content:"("; within:10; metadata:service smtp; reference:cve,2013-4233; classtype:attempted-user; sid:30763; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_client,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; pcre:"/^P:[A-G]\d{3}/m"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4233; classtype:attempted-user; sid:30762; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_client,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; content:"("; within:10; content:"("; within:10; content:"("; within:10; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4233; classtype:attempted-user; sid:30761; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A2 07|defaultValue|00|A|A0 00 00 00 0B|8|80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:30877; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A2 07|defaultValue|00|A|A0 00 00 00 0B|8|80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:30876; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; byte_test:2,!&,0xFFF0,1,relative,big; metadata:service smtp; reference:bugtraq,50741; reference:cve,2011-4259; classtype:attempted-user; sid:31376; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|FE 34 2D 67 73 13 05 AF 28 1D 46 15 B5 40 27 7D 02 21 5E 4B C3 0A 63 4E 28 50 99 0C 4E 82 E9 2D 19 23 7B A8 38 E6 86|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31524; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|24 D0 30 D0 60 09 68 03 D0 49 00 5D 0D 4A 0D 00 82 D5 10 08 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31523; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|A6 4F 32 6F 7B 76 B3 86 D1 55 33 05 B5 46 B6 78 9C C9 64 62 A8 23 99 8C 82 D9 A8 71 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31522; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|FE 34 2D 67 73 13 05 AF 28 1D 46 15 B5 40 27 7D 02 21 5E 4B C3 0A 63 4E 28 50 99 0C 4E 82 E9 2D 19 23 7B A8 38 E6 86|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31521; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|24 D0 30 D0 60 09 68 03 D0 49 00 5D 0D 4A 0D 00 82 D5 10 08 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31520; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|A6 4F 32 6F 7B 76 B3 86 D1 55 33 05 B5 46 B6 78 9C C9 64 62 A8 23 99 8C 82 D9 A8 71 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31519; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_server,established; content:".mov"; file_data; content:"{"; isdataat:1033,relative; content:!"}"; within:1033; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0664; classtype:attempted-user; sid:32739; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_server,established; content:".mov"; file_data; content:"{"; isdataat:1033,relative; content:!"}"; within:1033; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0664; classtype:attempted-user; sid:32738; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt"; flow:to_server,established; file_data; content:"stsd"; fast_pattern; content:"Motion JPEG"; within:11; distance:59; byte_extract:2,-30,width,relative; byte_extract:2,-28,height,relative; content:"tkhd"; content:"Video Media"; within:11; distance:199; content:"|00 00|"; within:2; distance:-147; byte_test:2,!=,width,-4,relative; content:"|00 00|"; within:2; distance:2; byte_test:2,!=,height,0,relative; metadata:service smtp; reference:cve,2013-1020; classtype:attempted-user; sid:32899; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt"; flow:to_client,established; file_data; content:"stsd"; fast_pattern; content:"Motion JPEG"; within:11; distance:59; byte_extract:2,-30,width,relative; byte_extract:2,-28,height,relative; content:"tkhd"; content:"Video Media"; within:11; distance:267; content:"|00 00|"; within:2; distance:-200; byte_test:2,!=,width,-4,relative; content:"|00 00|"; within:2; distance:2; byte_test:2,!=,height,-4,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1020; classtype:attempted-user; sid:32898; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U"; nocase; pcre:"/^[^\x0a]{501}/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,16410; reference:bugtraq,16623; reference:bugtraq,21206; reference:cve,2006-0476; reference:cve,2006-0708; reference:cve,2006-6063; classtype:attempted-user; sid:33043; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; depth:7; content:!"#EXT-X-"; within:10; pcre:"/^\x23EXTM3U.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:33041; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt"; flow:to_server, established; file_data; flowbits:isset,file.mpeg; content:"|57 27 0B 2C 00 00 01 B3 0C 17 F0 15 04 E2 23 80 00 00 01 B5 14 8A 00 01 00 00 00 00 01 B5|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-9598; classtype:attempted-user; sid:33206; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt"; flow:to_client, established; file_data; flowbits:isset,file.mpeg; content:"|57 27 0B 2C 00 00 01 B3 0C 17 F0 15 04 E2 23 80 00 00 01 B5 14 8A 00 01 00 00 00 00 01 B5|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9598; classtype:attempted-user; sid:33205; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt"; flow:established,to_server; flowbits:isset,file.mp4; file_data; content:"|61 76 63 43 01 42 C0 0D FF E1 00 1B 67 42 C0 0D 9A 74 0A 0F DF F8 07 80 0C 98 80 00 00 03 00 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0321; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33474; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt"; flow:established,to_client; flowbits:isset,file.mp4; file_data; content:"|61 76 63 43 01 42 C0 0D FF E1 00 1B 67 42 C0 0D 9A 74 0A 0F DF F8 07 80 0C 98 80 00 00 03 00 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0321; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33473; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime Image Description Atom sign extension memory corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"stsd"; content:"rpza"; distance:12; fast_pattern; content:"|00 00 00 00 00 00|"; within:6; byte_test:2,>,0x1FFC,18,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35166; reference:cve,2009-0955; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:33586; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0xFA,8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33578; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0x37,10,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33577; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0xFA,8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33576; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0x37,10,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33575; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player AVC parser integer overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|22 D1 AA 79 FD 5A 5B 6C 77 45 8F 7E 66 43 C1 B5 EE BA 3F 71 A2 D2 6D F0 6F 8E 6D 5F DF 7D AB 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0352; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34269; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player AVC parser integer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|22 D1 AA 79 FD 5A 5B 6C 77 45 8F 7E 66 43 C1 B5 EE BA 3F 71 A2 D2 6D F0 6F 8E 6D 5F DF 7D AB 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0352; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34268; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF integer overflow attempt"; flow:to_server,established; flowbits:isset,file.xspf; file_data; content:"<extension"; nocase; content:"<vlc:id>"; within:1000; nocase; byte_test:10,>,100000,0,relative,string; metadata:service smtp; reference:bugtraq,48171; reference:cve,2011-2194; reference:url,videolan.org/security/sa1104.html; classtype:attempted-dos; sid:34344; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"<extension"; nocase; content:"<vlc:id>"; within:1000; nocase; byte_test:10,>,100000,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48171; reference:cve,2011-2194; reference:url,videolan.org/security/sa1104.html; classtype:attempted-dos; sid:34343; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pictmov; file_data; content:"|88 22 88 22 00 5C 00 08 00 08 00 71 00 09 00 02 00 02 00 6E 00 AA 00 6E 00 02 00 02 00 54 00 6E 00 AA 00 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:31309; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pictmov; file_data; content:"|88 22 88 22 00 5C 00 08 00 08 00 71 00 09 00 02 00 02 00 6E 00 AA 00 6E 00 02 00 02 00 54 00 6E 00 AA 00 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:31308; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt"; flow:to_server,established; file_data; content:"[InternetShortcut]"; fast_pattern:only; content:"URL="; nocase; isdataat:500,relative; content:!"|0D|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56956; reference:cve,2012-5691; classtype:attempted-user; sid:28962; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt"; flow:to_client,established; file_data; content:"[InternetShortcut]"; fast_pattern:only; content:"URL="; nocase; isdataat:500,relative; content:!"|0D|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56956; reference:cve,2012-5691; classtype:attempted-user; sid:28961; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_client,established; file_data; content:"OggS|00|"; depth:5; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25297; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_client,established; file_data; content:"{QTtext}"; depth:8; pcre:"/\x7b[^\x3a\x7d]+?\x3a[^\x7d]{1023}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0664; classtype:attempted-user; sid:24700; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.m4v; file_data; content:"moov"; nocase; content:"trak"; distance:0; nocase; content:"mdia"; distance:0; nocase; content:"minf"; distance:0; nocase; content:"stbl"; distance:0; nocase; content:"stsd"; distance:0; nocase; content:"avc1"; distance:0; nocase; content:"avcC"; distance:0; nocase; content:"|FF E1|"; within:2; distance:4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24640; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg"; distance:0; byte_test:2,>,0x7000,14,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24549; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; depth:7; content:!"#EXT-X-"; within:10; pcre:"/^\x23EXTM3U.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23271; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; byte_test:1,>,0xBF,0,relative; byte_test:1,<,0xF0,0,relative; byte_jump:2,1,relative,post_offset -4; content:"|FF FF FF FF|"; within:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0659; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:23170; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; content:"avc"; distance:0; content:"|FF E1|"; within:128; byte_test:2,>,256,0,relative; byte_test:2,>,256,21,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2140; reference:url,adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:23098; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom cprt field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"cprt|00|"; nocase; content:"|00 00 00 0D|"; within:4; distance:-9; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21342; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom 'dscp' field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"dscp|00|"; nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21341; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom titl field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"titl|00|"; nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:cve,2015-0360; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21340; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom auth field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"auth|00|"; nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21339; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; byte_test:2,!&,0xFFF0,1,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50741; reference:cve,2011-4259; classtype:attempted-user; sid:21112; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player digital video recording buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.dvr-ms; file_data; content:"Vali"; byte_test:4,>,5000000,28,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3401; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-092; classtype:attempted-user; sid:20734; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer QCP parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.qcp; file_data; content:"RIFF"; depth:4; content:"QLCMfmt|20|"; within:8; distance:4; byte_test:4,>,220,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2950; classtype:attempted-user; sid:20288; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC ModPlug ReadS3M overflow attempt"; flow:to_client,established; flowbits:isset,file.s3m; file_data; content:"SCRM"; depth:4; offset:44; byte_test:2,>,65,-12,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1574; classtype:attempted-user; sid:20284; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC ModPlug ReadS3M overflow attempt"; flow:to_client,established; flowbits:isset,file.s3m; file_data; content:"SCRM"; depth:4; offset:44; byte_test:2,>,65,-14,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1574; classtype:attempted-user; sid:20283; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|"; fast_pattern; nocase; byte_extract:4,94,low,relative,little; content:"W|00|m|00|t|00|o|00|o|00|l|00|s|00|V|00|a|00|l|00|i|00|d|00 00 00|"; distance:0; nocase; byte_test:4,>,low,94,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:19956; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19450; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19449; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19448; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19447; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19446; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19445; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19444; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp MIDI Timestamp buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"|4D 55 53 1A C0 EB|"; depth:6; content:"|81 80 80 80 48|"; within:5; distance:308; fast_pattern; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45221; classtype:attempted-user; sid:19432; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp MIDI Timestamp buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"|4D 55 53 1A C0 EB|"; depth:6; content:"|81 80 80 80 48|"; within:5; distance:180; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45221; classtype:attempted-user; sid:19431; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player Subtitle StripTags Heap Buffer Overflow"; flow:to_client,established; flowbits:isset,file.mkv; file_data; content:"|80 00 00 00 A0 B9 A1 B3 83 05 0C 00 3C 66 6F 6F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46008; reference:cve,2011-0522; classtype:attempted-user; sid:19421; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player Subtitle StripTags Heap Buffer Overflow"; flow:to_client,established; flowbits:isset,file.mkv; file_data; content:"|40 A0 83 03 8F 00 3C 70 6F 63|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46008; reference:cve,2011-0522; classtype:attempted-user; sid:19420; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt"; flow:to_server,established; file_data; content:"strh"; content:"vidscvid"; within:8; distance:4; content:"movi00dc"; byte_test:2,>,3,12,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42256; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-055; classtype:attempted-user; sid:19403; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVI Header insufficient data corruption attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"RIFF"; fast_pattern; content:"AVI "; within:4; distance:4; content:"avih"; distance:0; byte_extract:4,0,chunk_size,little,relative; isdataat:!chunk_size,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35967; reference:cve,2009-1545; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-038; classtype:attempted-user; sid:19320; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strlstrh"; fast_pattern; nocase; byte_jump:4,0,relative,little; content:!"strf"; within:4; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46047; reference:cve,2010-4393; classtype:attempted-user; sid:19169; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player SWF file MP4 data parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stsc"; byte_test:4,>,0xFFFF,12,relative,big; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,>,10,8,relative,big; pcre:"/^.{12}([^\x00].{3}){10}/sR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40801; reference:cve,2010-2162; reference:url,www.adobe.com/support/security/bulletins/apsb10-14.html; classtype:attempted-user; sid:19148; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|32 32 32 32 32 32 FF C0 00 0B 08 00 F0 01 40 01 9C 11 01 FF DD 00 04 00 00 FF C4 00 9F 01 72 12 00 00 00 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40432; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:19146; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player JPG header record mismatch memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; content:"strl"; within:4; distance:4; content:"strf"; distance:0; content:"MJPG"; within:4; distance:20; content:"LIST"; distance:0; content:"movi"; within:4; distance:4; content:"|FF C0|"; distance:0; byte_extract:1,7,cnt,relative; content:"|FF DA|"; within:490; byte_test:1,!=,cnt,2,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40464; reference:cve,2010-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:19143; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:"|01 00 00 00 00 00 00 5C 00 00 00 78 E0 00 00 05 40 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46946; reference:cve,2011-1525; classtype:attempted-user; sid:19127; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:"|08 00 00 00 00 00 00 00 00 02 00 00 04 4E 00 01 03 00 00 00 00 00 03 CA 00 00 03 E6 E0 00 00 05 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46946; reference:cve,2011-1525; classtype:attempted-user; sid:19126; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 12 00 00|AAAAAAAAAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:19063; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime streaming debug error logging buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smil"; fast_pattern:only; content:"src"; nocase; isdataat:449,relative; pcre:"/^\s*\=\s*(?![\x22\x27]?http(|s|1|s1)\x3a\x2f{2})(\x22[^\x22]{449}|\x27[^\x27]{449}|\S{449})/iR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,41962; reference:cve,2010-1799; classtype:attempted-user; sid:18928; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player network sharing service RTSP code execution attempt"; flow:to_server,established; content:"SETUP"; depth:5; content:"rtsp|3A 2F 2F|"; within:7; distance:1; content:"|0D 0A 0D 0A|"; distance:0; isdataat:8,relative; content:!"OPTIONS"; within:7; content:!"DESCRIBE"; within:8; content:!"SETUP"; within:5; metadata:policy max-detect-ips drop; reference:bugtraq,43776; reference:cve,2010-3225; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-075; classtype:attempted-user; sid:17753; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt"; flow:to_client,established; content:"Transfer-Encoding"; nocase; http_header; content:"chunked"; fast_pattern; nocase; http_header; content:"Content-Type|3A|"; nocase; http_header; pcre:"/Content-Type\x3a[^\x10\x13]*real(audio|video)/smiH"; content:"HTTP"; within:4; nocase; rawbytes; content:"|0D 0A 0D 0A|"; distance:0; isdataat:1024,relative; pcre:"/([^\x0A]{1024,}|.*?\x0A[^\x0A]{1024,})/smiR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17202; reference:cve,2005-2922; classtype:attempted-user; sid:17666; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stts"; content:"|00 00 00 00 00 00 00 01 EE 00 00 26 00 00 04 00 00|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17612; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stss"; content:"|00 00 00 00 00 00 00 03 00 00 00 01 00 FF FF FF|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17611; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"ctts"; content:"|00 00 00 00 00 00 00 8F 00 00 00 01 00 00 00 14 00 FF FF FF|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17610; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA ffdshow codec URL parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; content:"<param "; nocase; content:"URL"; distance:0; nocase; pcre:"/<param\s+name\s*=\s*(?P<q1>\x22|\x27|)URL(?P=q1)[^>]+?value\s*=\s*(\x22|\x27)[^\x22\x27]{500}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32438; reference:cve,2008-5381; classtype:attempted-user; sid:17573; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR Overly Long Filename Code Execution attempt"; flow:to_client,established; file_data; content:"|1F 5C 80 00 00 08 72 61 6D 34 2E 72 65 63 00 00 00 00 00 00 01 79|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33652; reference:cve,2009-0375; classtype:attempted-user; sid:17561; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime SMIL File Handling Integer Overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smil>"; pcre:"/meta\s*name\x3d\s*(?P<q1>(\x22|\x27|))(author|copyright|title|information)\s*(?P=q1)/smiR"; content:"content|3D 22|"; distance:1; nocase; isdataat:1024,relative; content:!"|22|"; within:1024; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24873; reference:cve,2007-2394; classtype:attempted-user; sid:17548; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|55 12 FE 3F 35 F2 C0 00 00 00 0B 01 03 0A B1 54 0D 02 4A E3 17 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23650; reference:cve,2007-2295; classtype:attempted-user; sid:17531; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player MP4_BoxDumpStructure Buffer Overflow"; flow:to_client,established; file_data; content:"|6F 76 00 00 19 FE 6D 6F 6F 76 00 00 19 F6 6D 6F|"; content:"|6F 76 00 00 19 CE 6D 6F 6F 76 00 00 19 C6 6D 6F|"; offset:32; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35232; reference:cve,2009-1122; classtype:attempted-user; sid:17527; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime H.264 Movie File Buffer Overflow"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|81 F6 3B 80 00 00 40 80 FF FF FF 87 25 B8 20 00|"; content:"|F9 31 40 00 52 EA FB EF BE FB EF BE FB EF BE FB|"; within:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36328; reference:cve,2009-2799; classtype:attempted-user; sid:17523; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime|file.jpeg; file_data; content:"|00 00 00 56 6A 70 65 67 00 00 00 00 00 00 00 01 00 00 00 00 61 70 70 6C 00 00 00 00 00 00 02 00 00 02 00 03 00 48 00 00 00 48 00 00 00 00 00 00 00 01 0C 50 68 6F 74 6F 20 2D 20 4A 50 45 47 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:17470; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Mplayer Real Demuxer stream_read heap overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:".RMF"; depth:4; content:"|14 76 69 64 65 6F 2F 78 2D 70 6E 2D 72 65 61 6C 76 69 64 65 6F 00 00 00 1A 59 49 59 55 56 49 44 4F 52 56 32 30 00 01 00 01 00 1E 59 49 59 55 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31473; reference:cve,2008-3827; classtype:attempted-user; sid:17469; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft DirectShow AVI decoder buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"strn"; distance:0; nocase; byte_test:4,>,128,0,relative, little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15063; reference:cve,2005-2128; classtype:attempted-user; sid:17443; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime PDAT Atom parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|00 00 00 01 0F 00 00 00 FE B4 00 00 FE 01 1A C4 42 01 1A C4 41 1A EC EC 42 81 1A C4 43 81 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3625; reference:url,support.apple.com/kb/HT3027; classtype:attempted-user; sid:17381; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime panorama atoms buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"pano"; content:"pdat"; within:250; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; byte_test:4,>,104,-20,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26342; reference:cve,2007-4675; classtype:attempted-user; sid:17373; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime udta atom parsing heap overflow vulnerability"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"udta"; content:"|A9|nam|FF|"; distance:0; byte_test:2,>,251,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22844; reference:cve,2007-0714; classtype:attempted-user; sid:17372; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime marshaled punk remote code execution"; flow:to_client,established; file_data; content:"_Marshaled_pUnk"; nocase; pcre:"/name\s*=\s*(?P<q1>\x22|\x27|)_Marshaled_pUnk(?P=q1)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1818; classtype:attempted-user; sid:17211; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 3"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|50 4B 03 04|"; depth:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40428; classtype:attempted-user; sid:17150; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 2"; flow:to_client,established; flowbits:isset,file.mp3; file_data; content:"|50 4B 03 04|"; depth:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40428; classtype:attempted-user; sid:17149; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 1"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"|50 4B 03 04|"; depth:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40428; classtype:attempted-user; sid:17148; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 10 00 00|AAAAAAAAAAAA"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:17135; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt"; flow:to_client,established; file_data; content:"strh"; content:"vidscvid"; within:8; distance:4; content:"movi00dc"; byte_test:2,>,3,12,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42256; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-055; classtype:attempted-user; sid:17128; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; file_data; content:"|A9 00 04 48 58 DC E1 83 4B 68 32 01 9B BC 04 A3 27 0E A5 3D 71 66 0D 2D A8 D3 84 AF 3C 14 88 94|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:17117; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0A\x0D\x3C]{251}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16752; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player TY processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|F5 46 7A BD 00 00 00 02 00 02 00 00|"; depth:12; byte_test:4,>,32,8,relative,big; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31813; reference:cve,2008-4654; classtype:attempted-user; sid:16720; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp CAF file processing integer overflow attempt"; flow:to_client,established; file_data; content:"caff|00 01 00 00|desc"; depth:12; byte_test:4,>,268435455,32,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33963; reference:cve,2009-0186; classtype:attempted-user; sid:16683; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|8E 8C 8B 8E 8C 8B 8E 8C 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C FF C4 00 9F 01 72 12 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:16661; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player codec code execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strh"; content:"auds"; within:4; distance:4; fast_pattern; byte_jump:4,-8,relative,little; isdataat:16,relative; content:"strf"; within:4; content:"U|00|"; within:2; distance:4; byte_test:4,!=,48000,2,relative,little; byte_test:4,!=,44100,2,relative,little; byte_test:4,!=,32000,2,relative,little; byte_test:4,!=,24000,2,relative,little; byte_test:4,!=,22050,2,relative,little; byte_test:4,!=,16000,2,relative,little; byte_test:4,!=,12000,2,relative,little; byte_test:4,!=,11025,2,relative,little; byte_test:4,!=,8000,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0480; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-026; classtype:attempted-user; sid:16543; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime Image Description Atom sign extension memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stsd"; content:"rpza"; distance:12; fast_pattern; content:"|00 00 00 00 00 00|"; within:6; byte_test:2,>,0x1FFC,18,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35166; reference:cve,2009-0955; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:16360; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FFmpeg OGV file format memory corruption attempt"; flow:to_client,established; file_data; content:"OggS"; depth:4; content:"|82|theora"; distance:0; byte_test:1,!&,0xE0,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36465; reference:cve,2009-4631; reference:cve,2009-4632; reference:cve,2009-4633; reference:cve,2009-4634; reference:cve,2009-4635; reference:cve,2009-4636; reference:cve,2009-4637; reference:cve,2009-4638; reference:cve,2009-4639; reference:cve,2009-4640; reference:url,secunia.com/advisories/36805; classtype:attempted-user; sid:16353; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_client,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih8|00 00 00|"; within:12; distance:4; isdataat:!56,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:16342; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime and iTunes heap memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"dinf|00 00 00 1C|dref|00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15732; reference:cve,2005-4092; classtype:attempted-user; sid:16148; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes AAC file handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"mp4a"; content:"stsc"; distance:0; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,<,257,-8,relative,big; byte_test:4,>,60,8,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18730; reference:cve,2006-1467; classtype:attempted-user; sid:16055; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia file format processing heap corruption attempt"; flow:to_client,established; file_data; content:"DATA|00 00|A'|00 00 00 00 00|'|00 00 00 00 00 00 01|<|FF FF|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26214; reference:cve,2007-5081; classtype:attempted-user; sid:16046; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime FLIC animation file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.fli; file_data; content:"|FA F1 02 00 00 00 00 00 00 00 00 00 0A 03 00 00 0B 00 01 00 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:cve,2006-4384; classtype:attempted-user; sid:16041; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp midi file header overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"MThd|00 00 00 06 00 00 00 01 00|`MTrk"; byte_test:4,>,2147483648,8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18507; reference:cve,2006-3228; classtype:attempted-user; sid:16027; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime color table id memory corruption attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 18 00 00 00 00 00 0C 67 61 6D 61 00 01 CC CC 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22839; reference:cve,2007-0718; reference:url,docs.info.apple.com/article.html?artnum=305149; classtype:attempted-user; sid:16006; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|50 2E 00 00 10 27 00 00 00 00 00 00 00 00 00 00 40 01 F0 00|strf|28 00 00 00 28 00 00 00 40 00 00 00 F0 00 00 00 01 00 18 00|MJPG|00 84|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:15995; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer Multiple Products RA file processing overflow attempt"; flow:to_client,established; file_data; content:".ra|FD 00 04 00 00|.ra4|00 00 00 89 00 04 0F FF FF FF|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26214; reference:cve,2007-2264; classtype:attempted-user; sid:15940; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime VR Track Header Atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"trak"; content:"tkhd|00 00 00 0F|"; within:8; distance:4; fast_pattern; isdataat:40,relative; pcre:"/trak.{4}tkhd.{40}(?=.{20})(?!\x00\x01\x00\x00.{12}\x00\x01\x00\x00)/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33384; reference:cve,2009-0002; reference:url,support.apple.com/kb/HT3403; classtype:attempted-user; sid:15909; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp AIFF parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.aiff; file_data; content:"FORM"; depth:4; nocase; content:"AIF"; within:3; distance:4; fast_pattern; nocase; content:"COMM"; within:4; distance:1; byte_test:4,>,0xD9EF,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33226; reference:cve,2009-0263; classtype:attempted-user; sid:15901; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FFmpeg 4xm processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.4xm; file_data; content:"strk|28 00 00 00|"; byte_test:4,>,0x7ffffffe,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33502; reference:cve,2009-0385; classtype:attempted-user; sid:15871; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih"; within:8; distance:4; byte_test:4,!=,56,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:15854; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes ITPC protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itpc|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itpc\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15707; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow QuickTime file stsc atom parsing heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stbl"; content:"stsd"; within:4; distance:4; content:"ima4"; distance:8; content:"stsc"; distance:0; byte_jump:4,4,relative,multiplier 12,big; isdataat:7,relative; content:!"stsz"; within:4; distance:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1538; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15682; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file clipping region handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"clip"; content:"crgn"; within:4; distance:4; byte_jump:4,-8,relative,big; content:!"|7F FF 7F FF|"; within:4; distance:-8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35167; reference:cve,2009-0954; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15559; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVI DirectShow QuickTime parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; fast_pattern; byte_test:1,>,31,58,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35139; reference:cve,2009-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15517; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|23|EXTM3U|0D 0A|"; depth:9; nocase; content:"|23|EXTINF:"; within:50; nocase; isdataat:400,relative; pcre:"/\x23EXTINF\:\d*\,\w*\x0D\x0A[^\x0A]{401}/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16410; reference:bugtraq,16623; reference:bugtraq,21206; reference:cve,2006-0476; reference:cve,2006-0708; reference:cve,2006-6063; classtype:attempted-user; sid:15473; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Multiple MP3 player PLS buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; file_data; content:"[playlist]"; fast_pattern; nocase; content:"File"; distance:0; nocase; content:"="; within:5; distance:1; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16410; reference:bugtraq,33589; reference:cve,2006-0476; reference:cve,2009-0476; classtype:attempted-user; sid:15472; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; depth:6; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:15384; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC real.c ReadRealIndex real demuxer integer overflow attempt"; flow:to_client,established; flowbits:isset,file.realmedia; file_data; content:"INDX"; content:"|00 00|"; within:2; distance:4; byte_test:4,>,0x15555554,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32545; reference:cve,2008-5276; classtype:attempted-user; sid:15241; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime for Java toQTPointer function memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"toQTPointer"; content:"quicktime/util/QTPointerRef"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23608; reference:cve,2007-2175; classtype:attempted-user; sid:15238; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player RealText buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"<time "; nocase; pcre:"/\x3ctime\x20[^\x3e]*(begin|end)\x3d\x22[^\x22]{13}/Osmi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-5036; classtype:attempted-user; sid:15166; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"<trackList>"; nocase; content:"<track>"; within:200; nocase; content:"<identifier>-"; within:1000; nocase; content:"</track>"; within:1000; nocase; content:"</trackList>"; within:200; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4558; classtype:attempted-user; sid:15157; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI "; within:4; distance:4; content:"strf"; byte_test:4,>,1088,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15104; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player WAV processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wav; file_data; content:"RIFF"; content:"WAVEfmt"; distance:4; byte_test:4,>,0xfffffffc,1,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30058; reference:cve,2008-2430; classtype:misc-activity; sid:15080; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime Obji Atom parsing stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"obji"; byte_test:4,<,20,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28583; reference:cve,2008-1022; classtype:attempted-user; sid:13920; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"text|00 00 00 00 00 00|"; content:"|00 00 00 00 00 00|"; within:6; distance:16; byte_test:1,>=,251,13,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:13919; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hdlr"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:13917; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime malformed idsc atom"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"idsc"; byte_test:4,<,94,-8,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0033; classtype:attempted-user; sid:13517; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime HTTP error response buffer overflow"; flow:to_client,established; flowbits:isset,quicktime_agent; content:"HTTP/1.1 404"; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27225; reference:cve,2008-0234; classtype:attempted-user; sid:13516; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-MULTIMEDIA Apple QuickTime user agent"; flow:to_server,established; content:"User-Agent|3A| QuickTime"; fast_pattern:only; http_header; flowbits:set,quicktime_agent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:13515; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing nam buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi|file.mp4; file_data; content:"|A9|nam"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13317; rev:21;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime panorama atoms buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"pano"; content:"pdat"; within:250; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; byte_test:4,>,104,-20,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26342; reference:cve,2007-4675; classtype:attempted-user; sid:13293; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX SAMI file CRawParser buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"<SAMI>"; fast_pattern:only; pcre:"/\x3C\S+\s+[^\x3E]*?(\x22[^\x22]{500}|\x27[^\x27]{500}|[^\x3E\x20\x09]{500})/O"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3901; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:12983; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"idx1"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:12971; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stbl"; distance:0; byte_extract:4,-8,stbl_size,relative; content:"stsd"; within:stbl_size; distance:-4; content:"|00 00 00|"; within:3; distance:1; byte_test:4,>,0,0,relative; byte_test:4,<,12,4,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26341; reference:cve,2007-3750; reference:cve,2015-3789; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0013.html; classtype:attempted-user; sid:12746; rev:24;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12745; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC VORBIS string buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|04|"; content:"|FF FF FF FF|"; within:4; distance:3; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12744; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC picture description metadata buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|06|"; byte_jump:4,7,relative; content:"|FF FF FF FF|"; within:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12743; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks SMIL wallclock stack overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smi"; nocase; content:"wallclock|28|"; pcre:"/^[^\x29]*\x2E[0-9]{11}/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24658; reference:cve,2007-3410; classtype:attempted-user; sid:12728; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer lyrics heap overflow attempt"; flow:to_client,established; flowbits:isset,file.mp3; file_data; content:"LYRICSBEGIN"; nocase; pcre:"/(EAL|EAR|ETT)\s*-0{0,4}1/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26214; reference:cve,2007-5080; classtype:attempted-user; sid:12707; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer SMIL wallclock parsing buffer overflow"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"smil "; nocase; content:"wallclock|28|"; distance:0; nocase; pcre:"/wallclock\x28((\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11}|\d{4}-\d{2}-\d{2}T(\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11})/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12219; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie ftyp buffer underflow"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|00 00 00 01|ftyp"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23652; reference:cve,2007-2296; classtype:attempted-user; sid:11180; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime HREF Track Detected"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"> T<"; fast_pattern:only; pcre:"/A?<\s*([A-Za-z]{3,5}\x3A\x2F\x2F|javascript\x3a)[^>]+> T</sm"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0059; reference:url,projects.info-pull.com/moab/MOAB-03-01-2007.html; reference:url,www.apple.com/quicktime/tutorials/hreftracks.html; classtype:misc-activity; sid:9840; rev:23;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime RTSP URI overflow attempt"; flow:to_client,established; file_data; content:"rtsp|3A|//"; nocase; pcre:"/(=\s*([\x27\x22]rtsp\x3A[^\x22\x27\s]{200}|rstp\x3A[^\s\x3E]{200})|\x3Csrc\x3Ertsp\x3A[^\x3C]{200})/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21829; reference:cve,2007-0015; reference:url,applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html; classtype:attempted-user; sid:9823; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime Movie link file URI security bypass attempt"; flow:to_client,established; file_data; content:"<?xml version"; nocase; content:"<?QuickTime type=|22|application/x-quicktime-media-link"; distance:0; nocase; content:"qtnext=|22|"; distance:0; nocase; pcre:"/qtnext=\x22((-e\s+|-chrome\s+)?(file|javascript))/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20138; reference:cve,2006-4965; classtype:attempted-user; sid:9430; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer error message format string vulnerability attempt"; flow:to_client,established; file_data; content:"<imfl>"; nocase; pcre:"/<[^>]*?\x25/ROsmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14945; reference:cve,2005-2710; classtype:attempted-user; sid:8091; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime udta atom overflow attempt"; flow:to_client,established; file_data; content:"udta"; byte_test:4,>,4294967291,-8,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17953; reference:cve,2006-1460; classtype:attempted-user; sid:6506; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows wmf file arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"&"; content:"|09 00|"; within:2; distance:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16074; reference:cve,2005-4560; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-001; classtype:web-application-attack; sid:5318; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer realtext file bad version buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rt; file_data; content:"<window"; nocase; content:"version"; distance:0; nocase; pcre:"/<window\s+version\s*=\s*(?!(1\.[02456]))/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14048; reference:cve,2005-1766; reference:nessus,18558; classtype:attempted-user; sid:3823; rev:21;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer SMIL file overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smil>"; nocase; content:"system-screen-size=|22|"; distance:0; nocase; isdataat:256,relative; content:!"|22|"; within:256; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12698; reference:cve,2005-0455; classtype:attempted-user; sid:3473; rev:24;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist rtsp URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2440; rev:23;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist http URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2439; rev:23;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist file URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2438; rev:23;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Windows Media Player ASF marker object memory corruption attempt "; flow:established,to_client; flowbits:isset,file.asf; file_data; content:"|34 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; byte_test:4,>,134217727,24,relative,little; metadata:service http; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:16156; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt"; flow:to_server,established; file_data; content:"ftyp"; depth:4; offset:4; content:"mdia"; content:"hdlr"; within:200; content:"vide"; within:200; content:"minf"; distance:0; byte_extract:4,-8,minf_size,relative; isdataat:minf_size,relative; content:!"stbl"; within:minf_size; metadata:service smtp; reference:cve,2015-3667; reference:url,support.apple.com/en-us/HT204942; classtype:attempted-user; sid:35023; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt"; flow:to_client,established; file_data; content:"ftyp"; depth:4; offset:4; content:"mdia"; content:"hdlr"; within:200; content:"vide"; within:200; content:"minf"; distance:0; byte_extract:4,-8,minf_size,relative; isdataat:minf_size,relative; content:!"stbl"; within:minf_size; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3667; reference:url,support.apple.com/en-us/HT204942; classtype:attempted-user; sid:35022; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iLife iPhoto Photocast XML format string code injection attempt"; flow:to_server,established; file_data; content:"www.apple.com/ilife/wallpapers"; fast_pattern:only; content:"<title>"; nocase; content:"%n"; distance:0; content:"</title>"; within:10; nocase; metadata:service smtp; reference:bugtraq,21871; reference:cve,2007-0051; classtype:attempted-user; sid:35414; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iLife iPhoto Photocast XML format string code injection attempt"; flow:to_client,established; file_data; content:"www.apple.com/ilife/wallpapers"; fast_pattern:only; content:"<title>"; nocase; content:"%n"; distance:0; content:"</title>"; within:10; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21871; reference:cve,2007-0051; classtype:attempted-user; sid:35413; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"mvhd|00 00 00 00|"; byte_test:4,<,0x6c,-12,relative; metadata:service smtp; reference:cve,2015-3790; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0014.html; classtype:attempted-user; sid:35568; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"mvhd|00 00 00 00|"; byte_test:4,<,0x6c,-12,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3790; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0014.html; classtype:attempted-user; sid:35567; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt"; flow:to_server,established; file_data; content:"ftyp"; depth:4; offset:4; content:"esds"; content:"|05 22|"; within:26; content:"|01 B5 0E E0 C0 C0 CF|"; within:7; distance:7; content:"|C1 44 3F 06|"; within:4; distance:17; metadata:service smtp; reference:cve,2015-3791; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0015.html; classtype:attempted-user; sid:35564; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt"; flow:to_client,established; file_data; content:"ftyp"; depth:4; offset:4; content:"esds"; content:"|05 22|"; within:26; content:"|01 B5 0E E0 C0 C0 CF|"; within:7; distance:7; content:"|C1 44 3F 06|"; within:4; distance:17; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3791; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0015.html; classtype:attempted-user; sid:35563; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_server,established; file_data; content:"|29 06 A0 E5 05 00 5A 6F 2D 06 A4 E5 16 01 15 BF 2D 27 A4 E6 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3792; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0017.html; classtype:attempted-user; sid:35562; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_client,established; file_data; content:"|29 06 A0 E5 05 00 5A 6F 2D 06 A4 E5 16 01 15 BF 2D 27 A4 E6 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3792; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0017.html; classtype:attempted-user; sid:35561; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stbl"; distance:0; byte_extract:4,-8,stbl_size,relative; content:"stsd"; within:stbl_size; distance:-4; content:"|00 00 00|"; within:3; distance:1; byte_test:4,>,0,0,relative; byte_test:4,<,12,4,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26341; reference:cve,2007-3750; reference:cve,2015-3789; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0013.html; classtype:attempted-user; sid:35560; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime tkhd atom matrix integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"trak"; content:"tkhd|00 00 00 0F|"; within:8; distance:4; fast_pattern; content:"|00 00 00 00|"; within:4; distance:12; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; content:"|00 00|"; within:2; distance:6; byte_test:4,>,0x7fffffff,4,relative; metadata:service smtp; reference:cve,2015-5786; reference:url,support.apple.com/en-us/HT205046; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:35629; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime tkhd atom matrix integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"trak"; content:"tkhd|00 00 00 0F|"; within:8; distance:4; fast_pattern; content:"|00 00 00 00|"; within:4; distance:12; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; content:"|00 00|"; within:2; distance:6; byte_test:4,>,0x7fffffff,4,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5786; reference:url,support.apple.com/en-us/HT205046; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:35628; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime traf atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moof"; byte_extract:4,-8,moof_size,relative; content:"traf"; within:moof_size; distance:-4; byte_test:4,>,moof_size,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-3668; reference:url,support.apple.com/en-us/HT204947; classtype:attempted-user; sid:35860; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime traf atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moof"; byte_extract:4,-8,moof_size,relative; content:"traf"; within:moof_size; distance:-4; byte_test:4,>,moof_size,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3668; reference:url,support.apple.com/en-us/HT204947; classtype:attempted-user; sid:35859; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA PLF playlist name buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.plf; content:"Content-Type:"; nocase; content:"application/octet-stream"; within:50; nocase; file_data; isdataat:256,relative; content:!"|20|"; depth:256; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21337; reference:cve,2006-6199; classtype:attempted-user; sid:35939; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt"; flow:to_server,established; file_data; content:"ID3|03 00|"; depth:5; nocase; byte_test:1,&,0x80,14,relative; byte_test:4,>,0x2aaaaaaa,15,relative; pcre:"/ID3\x03\x00.{5}([TW][A-Z]{3}|COMM)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,76289; reference:cve,2015-5560; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:36114; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt"; flow:to_client,established; file_data; content:"ID3|03 00|"; depth:5; nocase; byte_test:1,&,0x80,14,relative; byte_test:4,>,0x2aaaaaaa,15,relative; pcre:"/ID3\x03\x00.{5}([TW][A-Z]{3}|COMM)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76289; reference:cve,2015-5560; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:36113; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pls; content:"Content-Type: audio/x-scpls|3B|"; fast_pattern:only; file_data; isdataat:1024; content:!"|0A|"; depth:1024; metadata:service smtp; reference:bugtraq,33589; reference:cve,2009-0476; reference:cve,2009-4656; reference:cve,2009-5109; classtype:attempted-user; sid:36456; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt"; flow:to_server,established; file_data; content:"|FB 00 00 00 E8 00 00 0B 4D 00 00 01 59 00 00 01 73 00 00 0A 93 00 00 01 69 00 00 01 66 00 00 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5580; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36513; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt"; flow:to_client,established; file_data; content:"|FB 00 00 00 E8 00 00 0B 4D 00 00 01 59 00 00 01 73 00 00 0A 93 00 00 01 69 00 00 01 66 00 00 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5580; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36512; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA libav LZO integer overflow attempt"; flow:to_server,established; flowbits:isset,file.mkv; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|42 82 88|matroska"; fast_pattern:only; content:"|42 54|"; content:"|02|"; within:3; content:"|1F 43 B6 75|"; content:"|E7|"; within:10; content:"|A3|"; within:4; content:"|00 00 00 00|"; within:300; pcre:"/\x1F\x43\xB6\x75.{0,10}\xE7.{0,4}\xA3.{0,300}?\x00{200}/"; metadata:service smtp; reference:bugtraq,68217; reference:cve,2014-4609; classtype:attempted-user; sid:36565; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA libav LZO integer overflow attempt"; flow:to_client,established; flowbits:isset,file.mkv; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|42 82 88|matroska"; fast_pattern:only; content:"|42 54|"; content:"|02|"; within:3; content:"|1F 43 B6 75|"; content:"|E7|"; within:10; content:"|A3|"; within:4; content:"|00 00 00 00|"; within:300; pcre:"/\x1F\x43\xB6\x75.{0,10}\xE7.{0,4}\xA3.{0,300}?\x00{200}/"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,68217; reference:cve,2014-4609; classtype:attempted-user; sid:36564; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"|50 2E 00 00 10 27 00 00 00 00 00 00 00 00 00 00 40 01 F0 00|strf|28 00 00 00 28 00 00 00 40 00 00 00 F0 00 00 00 01 00 18 00|MJPG|00 84|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:37153; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_server,established; file_data; content:"movi00db|98 10 00 00 0B 8E 44 3F 96 EF 0B C2 F0 BC 2F 0B C2 F0 BC 2F 0B C2 F0 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-033; classtype:attempted-user; sid:37152; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_client,established; file_data; content:"movi00db|98 10 00 00 0B 8E 44 3F 96 EF 0B C2 F0 BC 2F 0B C2 F0 BC 2F 0B C2 F0 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-033; classtype:attempted-user; sid:37151; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_server,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|12 54 C3 67|"; content:"|73 73|"; distance:0; content:"|63 C0|"; within:2; distance:8; content:!"|01 00 00|"; within:3; isdataat:!127,relative; metadata:service smtp; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35778; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_client,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|12 54 C3 67|"; content:"|73 73|"; distance:0; content:"|63 C0|"; within:2; distance:8; content:!"|01 00 00|"; within:3; isdataat:!127,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35777; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_server,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|18 53 80 67|"; content:"|18 53 80 67|"; distance:0; content:"|1C 53 BB 6B|"; distance:0; content:"|BB|"; within:150; content:"|B7|"; within:20; isdataat:!100,relative; byte_test:1,>,200,0,relative; metadata:service smtp; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35776; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_client,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|18 53 80 67|"; content:"|18 53 80 67|"; distance:0; content:"|1C 53 BB 6B|"; distance:0; content:"|BB|"; within:150; content:"|B7|"; within:20; isdataat:!100,relative; byte_test:1,>,200,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35775; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_server,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|16 54 AE 6B|"; content:"|16 54 AE 6B|"; distance:0; content:"|AE 01 00 00|"; distance:0; content:"|E0|"; within:150; content:!"|01 00|"; within:2; isdataat:!127,relative; metadata:service smtp; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35774; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_client,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|16 54 AE 6B|"; content:"|16 54 AE 6B|"; distance:0; content:"|AE 01 00 00|"; distance:0; content:"|E0|"; within:150; content:!"|01 00|"; within:2; isdataat:!127,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35773; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt"; flow:to_server,established; file_data; content:"|6E 67 1F 43 B6 75 01 00 00 00 00 00 01 85 E7 81 00 A3 40 83 81 00 00 80 00 00 01 B3 00 10 07 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8789; reference:url,www.talosintelligence.com/reports/TALOS-2016-0037; classtype:attempted-user; sid:35726; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt"; flow:to_client,established; file_data; content:"|6E 67 1F 43 B6 75 01 00 00 00 00 00 01 85 E7 81 00 A3 40 83 81 00 00 80 00 00 01 B3 00 10 07 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8789; reference:url,www.talosintelligence.com/reports/TALOS-2016-0037; classtype:attempted-user; sid:35725; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|"; fast_pattern; nocase; byte_extract:4,94,low,relative,little; content:"W|00|m|00|t|00|o|00|o|00|l|00|s|00|V|00|a|00|l|00|i|00|d|00 00 00|"; distance:0; nocase; byte_test:4,>,low,94,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:37663; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes PLS file parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"[playlist]"; nocase; content:"File"; distance:0; nocase; pcre:"/^File\d+\s*\x3D\s*[^\x2E\r\n]+\x2E[^\r\n]{32}/mi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,36478; reference:cve,2009-2817; classtype:attempted-user; sid:37959; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|97 41 8F FA 5F F2 57 F4 2B FA A5 D0 DB BB 4E 74 EF 9C FE 09 48 95 B2 0D 6B 82 C4 20 B4 50 71 A1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:37940; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|97 41 8F FA 5F F2 57 F4 2B FA A5 D0 DB BB 4E 74 EF 9C FE 09 48 95 B2 0D 6B 82 C4 20 B4 50 71 A1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:37939; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|00 A2 01|minValue|00|"; fast_pattern; content:"|A2 01|maxValue|00|"; within:11; distance:4; content:"defaultValue|00|"; within:100; content:!"|A2 01|"; within:2; distance:-15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:37938; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|00 A2 01|minValue|00|"; fast_pattern; content:"|A2 01|maxValue|00|"; within:11; distance:4; content:"defaultValue|00|"; within:100; content:!"|A2 01|"; within:2; distance:-15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:37937; rev:2;)
# alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt"; flow:to_server,established; file_data; content:"|55 45 49 02 EC 81 F0 00 03 EC 8A F0 06 0A 04 65 6E 67 00 03 EC 8C F0 06 0A 04 64 75 74 00 03 EC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-027; classtype:attempted-user; sid:38125; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt"; flow:to_client,established; file_data; content:"|55 45 49 02 EC 81 F0 00 03 EC 8A F0 06 0A 04 65 6E 67 00 03 EC 8C F0 06 0A 04 64 75 74 00 03 EC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-027; classtype:attempted-user; sid:38124; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed MP4 atom use-after-free attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|2D AE 2F 27 B8 C5 76 35 87 75 0F 87 48 EF 3E 1E 01 9A 8D 37 EF 58 6A DE 48 13 CB 4A 12 BC CA 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8655; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38218; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed mp4 atom use-after-free attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|2D AE 2F 27 B8 C5 76 35 87 75 0F 87 48 EF 3E 1E 01 9A 8D 37 EF 58 6A DE 48 13 CB 4A 12 BC CA 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8655; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38217; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed mp4 out of bounds write attempt"; flow:to_server,established; file_data; content:"|08 BF AB 6A 60 6F EA DA 98 1B E8 DA 98 1B E8 DA 98 18 1B E8 C0 C0 C0 C0 DA 98 18 18 1B E5 F2 F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8658; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38210; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed mp4 out of bounds write attempt"; flow:to_client,established; file_data; content:"|08 BF AB 6A 60 6F EA DA 98 1B E8 DA 98 1B E8 DA 98 18 1B E8 C0 C0 C0 C0 DA 98 18 18 1B E5 F2 F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8658; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38209; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 length tag out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"stsd|00|"; byte_jump:4,-9,relative,post_offset -4; byte_test:4,>,15000000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8652; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:38202; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 length tag out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"stsd|00|"; byte_jump:4,-9,relative,post_offset -4; byte_test:4,>,15000000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8652; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:38201; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_server,established; file_data; content:"|4C 90 64 DC 09 76 21 76 AD 01 46 E8 35 2D D9 58 AA E5 15 71 A7 11 F8 F5 73 81 02 BB 6D 13 91 A6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7089; reference:url,www.talosintel.com/reports/TALOS-CAN-0021; classtype:attempted-user; sid:35718; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_client,established; file_data; content:"|4C 90 64 DC 09 76 21 76 AD 01 46 E8 35 2D D9 58 AA E5 15 71 A7 11 F8 F5 73 81 02 BB 6D 13 91 A6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7089; reference:url,www.talosintel.com/reports/TALOS-CAN-0021; classtype:attempted-user; sid:35717; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_server,established; file_data; content:"|8A 73 73 CC 33 83 9A 14 A1 F0 C9 10 62 00 89 78 EF 03 80 08 B8 2C 67 CF BB 05 16 03 C0 29 C1 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7088; reference:url,www.talosintel.com/reports/TALOS-CAN-0020; classtype:attempted-user; sid:35716; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_client,established; file_data; content:"|8A 73 73 CC 33 83 9A 14 A1 F0 C9 10 62 00 89 78 EF 03 80 08 B8 2C 67 CF BB 05 16 03 C0 29 C1 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7088; reference:url,www.talosintel.com/reports/TALOS-CAN-0020; classtype:attempted-user; sid:35715; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"dinf"; distance:0; content:"dref"; within:4; distance:4; fast_pattern; byte_test:4,>,0,4,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7090; reference:url,www.talosintel.com/reports/TALOS-CAN-0023; classtype:attempted-user; sid:35714; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"dinf"; distance:0; content:"dref"; within:4; distance:4; fast_pattern; byte_test:4,>,0,4,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7090; reference:url,www.talosintel.com/reports/TALOS-CAN-0023; classtype:attempted-user; sid:35713; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"dinf"; distance:0; content:"dref"; within:4; distance:4; content:"alis"; within:500; byte_test:2,>=,0x9c,2,relative; byte_test:4,<,0x9c,-8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7117; reference:url,www.talosintel.com/reports/TALOS-CAN-0022; classtype:attempted-user; sid:35712; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"dinf"; distance:0; content:"dref"; within:4; distance:4; content:"alis"; within:500; byte_test:2,>=,0x9c,2,relative; byte_test:4,<,0x9c,-8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7117; reference:url,www.talosintel.com/reports/TALOS-CAN-0022; classtype:attempted-user; sid:35711; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stsd"; distance:0; content:"|00 00 00|"; within:3; distance:1; content:"samr"; within:500; byte_test:4,>=,0x2c,-8,relative; byte_test:4,<=,0x34,-8,relative; content:"damr"; within:4; distance:32; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7087; reference:url,www.talosintel.com/reports/TALOS-CAN-0019; classtype:attempted-user; sid:35627; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stsd"; distance:0; content:"|00 00 00|"; within:3; distance:1; content:"samr"; within:500; byte_test:4,>=,0x25,-8,relative; byte_test:4,<=,0x2b,-8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7087; reference:url,www.talosintel.com/reports/TALOS-CAN-0019; classtype:attempted-user; sid:35626; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stsd"; distance:0; content:"|00 00 00|"; within:3; distance:1; content:"samr"; within:500; byte_test:4,>=,0x2c,-8,relative; byte_test:4,<=,0x34,-8,relative; content:"damr"; within:4; distance:32; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7087; reference:url,www.talosintel.com/reports/TALOS-CAN-0019; classtype:attempted-user; sid:35625; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stsd"; distance:0; content:"|00 00 00|"; within:3; distance:1; content:"samr"; within:500; byte_test:4,>=,0x25,-8,relative; byte_test:4,<=,0x2b,-8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7087; reference:url,www.talosintel.com/reports/TALOS-CAN-0019; classtype:attempted-user; sid:35624; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 stsz atom memory corruption attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|5F AF 00 00 5A 00 00 00 5E 00 00 00 87 00 00 00 62 00 00 00 67 00 00 00 7C 00 00 00 47 00 00 00 C2 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2926; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41343; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 stsz atom memory corruption attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|5F AF 00 00 5A 00 00 00 5E 00 00 00 87 00 00 00 62 00 00 00 67 00 00 00 7C 00 00 00 47 00 00 00 C2 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2926; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41342; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Chrome Pepper Flash Player SampleCount heap overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|78 21 68 A2 1F 06 01 02 00 00 00 00 00 00 06 A0 73 74 74 73 00 00 00 00 00 00 00 D2 00 00 00 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2992; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; classtype:attempted-user; sid:41746; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Chrome Pepper Flash Player SampleCount heap overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|78 21 68 A2 1F 06 01 02 00 00 00 00 00 00 06 A0 73 74 74 73 00 00 00 00 00 00 00 D2 00 00 00 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2992; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; classtype:attempted-user; sid:41745; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple OSX SceneKit invalid COLLADA file geometry attribute type confusion attempt"; flow:to_server,established; file_data; content:"<COLLADA"; nocase; content:"<instance_geometry"; fast_pattern:only; content:"<light"; nocase; pcre:"/<light\s[^>]*?id\s*=\s*[\x22\x27](?P<id>[\w-]+)[\x22\x27].*?<instance_geometry\s[^>]*?url\s*=\s*[\x22\x27]\x23(?P=id)[\x22\x27]/siO"; metadata:service smtp; reference:cve,2016-1850; reference:url,www.talosintelligence.com/reports/TALOS-2016-0183; classtype:attempted-user; sid:39598; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple OSX SceneKit invalid COLLADA file geometry attribute type confusion attempt"; flow:to_client,established; file_data; content:"<COLLADA"; nocase; content:"<instance_geometry"; fast_pattern:only; content:"<light"; nocase; pcre:"/<light\s[^>]*?id\s*=\s*[\x22\x27](?P<id>[\w-]+)[\x22\x27].*?<instance_geometry\s[^>]*?url\s*=\s*[\x22\x27]\x23(?P=id)[\x22\x27]/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1850; reference:url,www.talosintelligence.com/reports/TALOS-2016-0183; classtype:attempted-user; sid:39597; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player JPG header record mismatch memory corruption attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; content:"strl"; within:4; distance:4; content:"strf"; distance:0; content:"MJPG"; within:4; distance:20; content:"LIST"; distance:0; content:"movi"; within:4; distance:4; content:"|FF C0|"; distance:0; content:"|00 01|"; within:2; distance:5; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40464; reference:cve,2010-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:43336; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player JPG header record mismatch memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; content:"strl"; within:4; distance:4; content:"strf"; distance:0; content:"MJPG"; within:4; distance:20; content:"LIST"; distance:0; content:"movi"; within:4; distance:4; content:"|FF C0|"; distance:0; content:"|00 01|"; within:2; distance:5; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40464; reference:cve,2010-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:43335; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"JUNK"; byte_test:4,>,0x7FFFFFF7,0,little,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-3895; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:43270; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; byte_test:4,>,0x7FFFFFF7,0,little,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-3895; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:43269; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BITBLT record out of bounds access attempt"; flow:to_server,established; file_data; content:"|E9 00 00 00 42 00 00 00 00 00 00 00 00 00 00 00 EA 00 00 00 43 00 00 00 29 00 AA 00 00 00 00 00 00 00 00 00 00 00 80 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11233; reference:cve,2018-15939; reference:cve,2018-15942; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43889; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BITBLT record out of bounds access attempt"; flow:to_client,established; file_data; content:"|E9 00 00 00 42 00 00 00 00 00 00 00 00 00 00 00 EA 00 00 00 43 00 00 00 29 00 AA 00 00 00 00 00 00 00 00 00 00 00 80 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11233; reference:cve,2018-15939; reference:cve,2018-15942; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43888; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|58 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 03 00 00 00 FC 01 D6 01 FA 01 D3 01 F7 01 D1 01|"; metadata:service smtp; reference:cve,2017-3122; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43971; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|58 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 03 00 00 00 FC 01 D6 01 FA 01 D3 01 F7 01 D1 01|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3122; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43970; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|E8 0C 00 00 58 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 03 00 00 00 4C 00 E8 0C 48 00 E5 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11238; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43968; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|E8 0C 00 00 58 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 03 00 00 00 4C 00 E8 0C 48 00 E5 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11238; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43967; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt"; flow:to_server,established; file_data; content:"|46 00 00 00 44 02 00 00 38 02 00 00|EMF+|2A 40 00 00 24 00 00 00 18 00 00 00 00 00 80 3F 00 00 00 80 00 00 00 80 00 00 80 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11227; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43941; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt"; flow:to_client,established; file_data; content:"|46 00 00 00 44 02 00 00 38 02 00 00|EMF+|2A 40 00 00 24 00 00 00 18 00 00 00 00 00 80 3F 00 00 00 80 00 00 00 80 00 00 80 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11227; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43940; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt"; flow:to_server,established; file_data; content:"|27 00 00 00 18 00 00 00 02 00 00 00 00 00 00 00 F9 EE C2 00 00 00 00 00 25 00 00 00 0C 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11232; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44000; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt"; flow:to_client,established; file_data; content:"|27 00 00 00 18 00 00 00 02 00 00 00 00 00 00 00 F9 EE C2 00 00 00 00 00 25 00 00 00 0C 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11232; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43999; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00 50 00 00 00 44 00 00 00 45 4D 46 2B 08 40 16 02 40 00 00 00 34 00 00 00 02 10 C0 DB|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-11245; reference:cve,2018-15946; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44056; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00 50 00 00 00 44 00 00 00 45 4D 46 2B 08 40 16 02 40 00 00 00 34 00 00 00 02 10 C0 DB|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11245; reference:cve,2018-15946; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44055; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt"; flow:to_server,established; file_data; content:"|13 00 00 00 00 00 00 00 00 00 00 00 FF FF FF 00 C8 D0 D4 00 80 80 80 00 40 40 40 00 BD C4 C8 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11269; reference:cve,2017-11270; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44100; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt"; flow:to_client,established; file_data; content:"|13 00 00 00 00 00 00 00 00 00 00 00 FF FF FF 00 C8 D0 D4 00 80 80 80 00 40 40 40 00 BD C4 C8 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11269; reference:cve,2017-11270; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44099; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; fast_pattern; content:"|50 00 00 00|"; within:4; distance:44; content:"|28 00 00 00|"; within:4; distance:28; byte_test:4,>=,0x400000,28,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11271; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44095; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; fast_pattern; content:"|50 00 00 00|"; within:4; distance:44; content:"|28 00 00 00|"; within:4; distance:28; byte_test:4,>=,0x400000,28,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11271; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44094; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA multiple audio players playlist file handling heap overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http|3A 2F 2F|"; isdataat:262,relative; content:!"|0A|"; within:262; content:!" "; within:259; distance:3; metadata:service smtp; reference:bugtraq,46926; reference:bugtraq,62926; reference:cve,2009-2650; reference:cve,2013-7409; reference:url,exploit-db.com/exploits/36022/; classtype:attempted-user; sid:44194; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|"; fast_pattern; nocase; content:"|1A 00 02 01 FF FF|"; distance:0; content:"|04 00 00 00 4E 11 00 00 00 00 00 00 01 00 00 00 02 00 00 00 FE FF FF FF 04 00 00 00 FE FF FF|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:45554; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|"; fast_pattern; nocase; content:"|1A 00 02 01 FF FF|"; distance:0; content:"|04 00 00 00 4E 11 00 00 00 00 00 00 01 00 00 00 02 00 00 00 FE FF FF FF 04 00 00 00 FE FF FF|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:45553; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt"; flow:to_server,established; file_data; content:"MThd"; depth:4; content:"|00 00 00 00 00 00|"; within:6; distance:4; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21612; reference:cve,2006-6601; reference:cve,2007-0562; classtype:denial-of-service; sid:45586; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"meta"; byte_extract:4,-8,meta_size,relative,big; content:"keys|00|"; within:meta_size; byte_test:4,>,0x1ffffffe,3,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,94196; reference:cve,2016-5199; reference:url,ffmpeg.org/pipermail/ffmpeg-cvslog/2016-September/101971.html; classtype:attempted-user; sid:46481; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"meta"; byte_extract:4,-8,meta_size,relative,big; content:"keys|00|"; within:meta_size; byte_test:4,>,0x1ffffffe,3,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,94196; reference:cve,2016-5199; reference:url,ffmpeg.org/pipermail/ffmpeg-cvslog/2016-September/101971.html; classtype:attempted-user; sid:46480; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_client,established; file_data; content:".abc"; fast_pattern:only; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; content:"("; within:10; content:"("; within:10; pcre:"/^P:[^\x0d]*?\x28[A-Z]\x29\d{5}/mi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4233; classtype:attempted-user; sid:46916; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_server,established; file_data; content:".abc"; fast_pattern:only; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; content:"("; within:10; content:"("; within:10; pcre:"/^P:[^\x0d]*?\x28[A-Z]\x29\d{5}/mi"; metadata:service smtp; reference:cve,2013-4233; classtype:attempted-user; sid:46915; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; byte_test:1,>,0xBF,0,relative; byte_test:1,<,0xF0,0,relative; byte_test:2,<=,0x0004,1,relative; content:"|FF FF FF FF FF|"; within:5; distance:3; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-0659; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:47033; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; byte_test:1,>,0xBF,0,relative; byte_test:1,<,0xF0,0,relative; byte_test:2,<=,0x0004,1,relative; content:"|FF FF FF FF FF|"; within:5; distance:3; metadata:service smtp; reference:cve,2012-0659; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:47032; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt"; flow:to_server,established; file_data; content:"|05 76 6F 72 62 69 73 00 42 43 56 60 00 20 00 00 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5146; classtype:attempted-user; sid:48106; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt"; flow:to_client,established; file_data; content:"|05 76 6F 72 62 69 73 00 42 43 56 60 00 20 00 00 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5146; classtype:attempted-user; sid:48105; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|61 76 63 43 01 64 00 A9 F7 E1 00 1E 67 64 00 00 AA 2D C3 8D 01 80 C0 97 03 0E 02 02 FF FF DF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12827; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-25.html; classtype:attempted-user; sid:47534; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|61 76 63 43 01 64 00 A9 F7 E1 00 1E 67 64 00 00 AA 2D C3 8D 01 80 C0 97 03 0E 02 02 FF FF DF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12827; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-25.html; classtype:attempted-user; sid:47533; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt"; flow:to_client,established; file_data; content:"COMM|00 00 00 0F 00 80 00 00 00 08 78 9C 63 74 84 00 00 07 2C 01 C9 FF FB 90 64 00 00 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12824; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-25.html; classtype:attempted-user; sid:47530; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt"; flow:to_server,established; file_data; content:"COMM|00 00 00 0F 00 80 00 00 00 08 78 9C 63 74 84 00 00 07 2C 01 C9 FF FB 90 64 00 00 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12824; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-25.html; classtype:attempted-user; sid:47529; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt"; flow:to_server,established; flowbits:isset,file.avi; file_data; content:"strlstrh"; fast_pattern; nocase; byte_jump:4,0,relative,little; content:!"strf"; within:4; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46047; reference:cve,2010-4393; classtype:attempted-user; sid:49404; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; content:!"|B3|"; within:1; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50741; reference:cve,2011-4259; reference:url,osvdb.org/show/osvdb/77280; classtype:attempted-user; sid:49574; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; content:!"|B3|"; within:1; metadata:service smtp; reference:bugtraq,50741; reference:cve,2011-4259; reference:url,osvdb.org/show/osvdb/77280; classtype:attempted-user; sid:49573; rev:1;)


1651
docker/etc/rules/file-other.rules Archivo normal


1436
docker/etc/rules/file-pdf.rules Archivo normal


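--- a/docker/etc/rules/finger.rules
+++ b/docker/etc/rules/finger.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#--------------
+# FINGER RULES
+#--------------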
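Review bot: finger.rules carries no rule lines at all — after the Sourcefire license header and the `# FINGER RULES` banner the file ends, and ftp.rules, icmp.rules and imap.rules in this commit are the same 21-line header-only files. Any snort.conf that includes these files will load zero signatures for those categories, which is easy to mistake for coverage when reviewing what the image detects. This presumably mirrors how the upstream rule tarball distributes categories with no active rules, but the Docker image should say so; a one-line comment under the banner such as `# No rules shipped for this category in this image; supply them through the mounted configuration directory` would make the empty category explicit, and if the omission is not intended the corresponding community rules belong here.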

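--- a/docker/etc/rules/ftp.rules
+++ b/docker/etc/rules/ftp.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#-----------
+# FTP RULES
+#-----------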


@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# ICMP-INFO RULES
#-----------------

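--- a/docker/etc/rules/icmp.rules
+++ b/docker/etc/rules/icmp.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#------------
+# ICMP RULES
+#------------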

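--- a/docker/etc/rules/imap.rules
+++ b/docker/etc/rules/imap.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#------------
+# IMAP RULES
+#------------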


@@ -0,0 +1,474 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------------------
# INDICATOR-COMPROMISE RULES
#----------------------------
alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|29|iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service dns; reference:url,www.virustotal.com/en/domain/iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/information/; classtype:trojan-activity; sid:44037; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE .com- potentially malicious hostname"; flow:to_server,established; content:"Host:"; http_header; content:".com-"; within:70; fast_pattern; http_header; content:!"www"; within:3; distance:-8; http_header; pcre:"/Host: [^\x0d\x0a]*?\.com-/Hi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:32488; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - sql"; flow:to_server,established; content:"act=sql"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16622; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - about"; flow:to_server,established; content:"act=about"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16616; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - eval"; flow:to_server,established; content:"act=eval"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16623; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - cmd"; flow:to_server,established; content:"act=cmd"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16613; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ps_aux"; flow:to_server,established; content:"act=ps_aux"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16619; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - selfremove"; flow:to_server,established; content:"act=selfremove"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16625; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ls"; flow:to_server,established; content:"act=ls"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16627; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ftpquickbrute"; flow:to_server,established; content:"act=ftpquickbrute"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16620; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - encoder"; flow:to_server,established; content:"act=encoder"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16617; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - upload"; flow:to_server,established; urilen:<50; content:"act=upload"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16615; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - search"; flow:to_server,established; urilen:<50; content:"act=search"; fast_pattern:only; http_uri; content:"submit="; nocase; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16614; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - feedback"; flow:to_server,established; content:"act=feedback"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16624; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - fsbuff"; flow:to_server,established; content:"act=fsbuff"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16626; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - phpinfo"; flow:to_server,established; content:"act=phpinfo"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16628; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - bind"; flow:to_server,established; content:"act=bind"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16618; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - security"; flow:to_server,established; urilen:<50; content:"act=security"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16621; rev:7;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell domain lookup page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Enter any Domain-name to lookup"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21131; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell database parsing page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Database parser"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21138; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE WSO web shell"; flow:to_client,established; file_data; content:"WSO"; content:"toolsTbl"; content:"toolsInp"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21117; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE WSO web shell interactive SQL display"; flow:to_client,established; file_data; content:"WSO"; content:"var a_ = 'Sql'"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21121; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell password cracking page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Password crackers"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21135; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell enumeration page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Enumerated shell link:"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21130; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE WSO web shell security information display"; flow:to_client,established; file_data; content:"WSO"; content:"var a_ = 'SecInfo'"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21118; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell sql interaction page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Host:"; content:"Username:"; distance:0; content:"Password:"; distance:0; content:"Port:"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21132; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell kill shell page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Do you *really* want to kill the shell?"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21140; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell security bypass page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Security (open_basedir) bypassers"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21136; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE WSO web shell interactive console display"; flow:to_client,established; file_data; content:"WSO"; content:"var a_ = 'Console'"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21120; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE WSO web shell interactive file system information display"; flow:to_client,established; file_data; content:"WSO"; content:"var a_ = 'FilesMan'"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21119; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell encoder page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Encrypt"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21133; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell spread shell page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"[ Kill Shell ]"; content:"This tool will attempt to copy the shell into every writable director"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21139; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell tools page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Port scanner"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21137; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21129; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell security information page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"PHP Version"; content:"Safe mode"; distance:0; content:"Magic_Quotes"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21134; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - cmd"; flow:to_server,established; content:"act=cmd"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22917; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - selfremove"; flow:to_server,established; content:"act=selfremove"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22929; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - fsbuff"; flow:to_server,established; content:"act=fsbuff"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22930; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - tools"; flow:to_server,established; content:"act=tools&"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22933; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - encoder"; flow:to_server,established; content:"act=encoder"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22921; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - security"; flow:to_server,established; content:"act=security"; http_client_body; content:!"_"; within:1; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22925; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - search"; flow:to_server,established; content:"act=cmd"; http_uri; content:"act=search"; fast_pattern:only; http_client_body; content:"submit="; nocase; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22918; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - about"; flow:to_server,established; content:"act=about"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22920; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - feedback"; flow:to_server,established; content:"act=feedback"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22928; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - phpinfo"; flow:to_server,established; content:"act=phpinfo"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22932; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - upload"; flow:to_server,established; content:"act=upload"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22919; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ftpquickbrute"; flow:to_server,established; content:"act=ftpquickbrute"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22924; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - eval"; flow:to_server,established; content:"act=eval"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22927; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ls"; flow:to_server,established; content:"act=ls"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22931; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - sql"; flow:to_server,established; content:"act=sql"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22926; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ps_aux"; flow:to_server,established; content:"act=ps_aux"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22923; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - bind"; flow:to_server,established; content:"act=bind"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22922; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE base64-encoded c99shell download"; flow:to_client,established; file_data; content:"KioNCioNCioJCQkJCWM5OXNoZWxsLnBocCB2"; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:trojan-activity; sid:23016; rev:5;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Invalid URL"; flow:to_client,established; file_data; content:"Invalid URL"; nocase; metadata:ruleset community, service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-063; classtype:attempted-recon; sid:1200; rev:17;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE index of /cgi-bin/ response"; flow:to_client,established; file_data; content:"Index of /cgi-bin/"; nocase; metadata:ruleset community, service http; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:11;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE 403 Forbidden"; flow:to_client,established; content:"403"; http_stat_code; metadata:ruleset community, service http; classtype:attempted-recon; sid:1201; rev:13;)
# alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE oracle one hour install"; flow:to_client,established; content:"Oracle Applications One-Hour Install"; metadata:ruleset community; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:10;)
# alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE rexec username too long response"; flow:to_client,established; content:"username too long"; depth:17; metadata:ruleset community; reference:bugtraq,7459; reference:cve,2003-1097; classtype:unsuccessful-user; sid:2104; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; metadata:ruleset community; classtype:successful-user; sid:2412; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE directory listing"; flow:established; content:"Volume Serial Number"; metadata:ruleset community; classtype:bad-unknown; sid:1292; rev:12;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command completed"; flow:established; content:"Command completed"; fast_pattern:only; pcre:"/^Command\s+?completed\b/sm"; metadata:ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078; classtype:bad-unknown; sid:494; rev:20;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command error"; flow:established; content:"Bad command or filename"; nocase; metadata:ruleset community, service http; classtype:bad-unknown; sid:495; rev:14;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|28|s|29| copied"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:20;)
# alert ip any any -> any any (msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1445; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:543; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:544; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:546; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD ' possible warez site"; flow:to_server,established; content:"MKD "; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:547; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:548; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:545; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:554; rev:10;)
# alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .ru dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02ru\x00/i"; metadata:service dns; classtype:trojan-activity; sid:15168; rev:13;)
# alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i"; metadata:service dns; classtype:trojan-activity; sid:15167; rev:12;)
# alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cc dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cc|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}([\x01-\x20].*?|)\x02cc\x00/i"; metadata:service dns; classtype:trojan-activity; sid:19020; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC dns request on non-standard port"; flow:to_server,established; content:"USERHOST "; depth:9; metadata:service irc; classtype:trojan-activity; sid:20095; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC channel join on non-standard port"; flow:to_server,established; dsize:<140; content:"JOIN #"; depth:6; metadata:service irc; classtype:trojan-activity; sid:20092; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC DCC chat request on non-standard port"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC CHAT chat"; distance:0; nocase; metadata:service irc; classtype:trojan-activity; sid:20091; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC nick change on non-standard port"; flow:to_server,established; dsize:<140; content:"NICK "; depth:5; content:"|0D 0A|USER "; within:100; metadata:service irc; classtype:trojan-activity; sid:20089; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC channel notice on non-standard port"; flow:to_server,established; content:"NOTICE "; depth:7; metadata:service irc; classtype:trojan-activity; sid:20093; rev:7;)
# alert tcp $HOME_NET any <> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC message on non-standard port"; flow:established; dsize:<140; content:"PRIVMSG "; depth:8; metadata:service irc; classtype:trojan-activity; sid:20094; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC DCC file transfer request on non-standard port"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC SEND"; distance:0; nocase; metadata:service irc; classtype:trojan-activity; sid:20090; rev:6;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Win32.Virut web propagation detection"; flow:to_client,established; file_data; content:"<iframe"; content:".pl/rc/"; distance:0; fast_pattern; pcre:"/\x3ciframe[^\x3e]*?src\x3d\x22http\x3a\x2f\x2f[^\x26\x2e]+\x26\x2346\x3b[^\x2e]+\x2epl\x2frc\x2f\x22/"; metadata:impact_flag red, service http; reference:url,securelist.com/en/analysis/204792122/; classtype:trojan-activity; sid:22940; rev:2;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE hex-encoded create_function detected"; flow:to_client,established; file_data; content:"|5C|x63|5C|x72|5C|x65|5C|x61|5C|x74|5C|x65|5C|x5f|5C|x66|5C|x75|5C|x6e|5C|x63|5C|x74|5C|x69|5C|x6f|5C|x6e"; fast_pattern:only; metadata:impact_flag red, service http; classtype:attempted-user; sid:22098; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware - download of winzf32.dll"; flow:to_server,established; content:"GET"; http_method; content:"/winzf32.dll"; fast_pattern:only; http_uri; pcre:"/\x2fwinzf32\x2edll$/smiU"; metadata:service http; classtype:suspicious-filename-detect; sid:17814; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware - download of iexplore.exe"; flow:to_server,established; content:"GET"; http_method; content:"/iexplore.exe"; fast_pattern:only; http_uri; pcre:"/\x2fiexplore\x2eexe$/smiU"; metadata:service http; classtype:suspicious-filename-detect; sid:17812; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware - download of server32.exe"; flow:to_server,established; content:"GET"; http_method; content:"/server32.exe"; fast_pattern:only; http_uri; pcre:"/\x2fserver32\x2eexe$/smiU"; metadata:service http; reference:url,en.wikipedia.org/wiki/Zeus_(trojan_horse); classtype:suspicious-filename-detect; sid:17810; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware - download of iprinp.dll"; flow:to_server,established; content:"GET"; http_method; content:"/iprinp.dll"; fast_pattern:only; http_uri; pcre:"/\x2fiprinp\x2edll$/smiU"; metadata:service http; classtype:suspicious-filename-detect; sid:17813; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware - download of svchost.exe"; flow:to_server,established; content:"GET"; http_method; content:"/svchost.exe"; fast_pattern:only; http_uri; pcre:"/\x2fsvchost\x2eexe$/smiU"; metadata:policy max-detect-ips drop, service http; classtype:suspicious-filename-detect; sid:17811; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt"; flow:to_client,established; file_data; content:"</script><!DOCTYPE"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:23179; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE iframe before DOCTYPE possible malicious redirect attempt"; flow:to_client,established; file_data; content:"</iframe><!DOCTYPE"; fast_pattern:only; metadata:service http; classtype:web-application-attack; sid:23596; rev:1;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Alsa3ek Web Shell"; flow:to_client,established; content:"<?php /* Cod3d by Mr.Alsa3ek and Al-Swisre"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; classtype:trojan-activity; sid:23830; rev:3;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Loaderz Web Shell"; flow:to_client,established; content:"/* Loader|27|z WEB Shell v"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; classtype:trojan-activity; sid:23829; rev:3;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|s|00|a|00|c|00|s|00|e|00|s|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23926; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|a|00|c|00|l|00|s|00|r|00|v|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23905; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|n|00|t|00|f|00|r|00|s|00|u|00|t|00|i|00|l|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23918; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|m|00|s|00|i|00|n|00|i|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23917; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|w|00|c|00|s|00|c|00|r|00|i|00|p|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23929; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|p|00|o|00|w|00|e|00|r|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23920; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|f|00|i|00|n|00|d|00|f|00|i|00|l|00|e|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23913; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|d|00|f|00|r|00|a|00|g|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23909; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|g|00|p|00|g|00|e|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23914; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|n|00|e|00|t|00|x|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23931; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|r|00|o|00|u|00|t|00|e|00|m|00|a|00|n|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23924; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|t|00|r|00|l|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23908; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|f|00|s|00|u|00|t|00|l|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23932; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|e|00|v|00|e|00|n|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23912; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|s|00|m|00|b|00|i|00|n|00|i|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23928; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|d|00|v|00|d|00|q|00|u|00|e|00|r|00|y|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23911; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|s|00|i|00|g|00|v|00|e|00|r|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23923; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|i|00|i|00|s|00|s|00|r|00|v|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23916; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|e|00|x|00|t|00|r|00|a|00|c|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23933; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|s|00|f|00|m|00|s|00|c|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23927; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|l|00|e|00|a|00|n|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23907; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|d|00|n|00|s|00|l|00|o|00|o|00|k|00|u|00|p|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23910; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|n|00|t|00|d|00|s|00|u|00|t|00|l|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23919; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|r|00|e|00|g|00|s|00|y|00|s|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23922; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|r|00|d|00|s|00|a|00|d|00|m|00|i|00|n|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23921; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|i|00|p|00|s|00|e|00|c|00|u|00|r|00|e|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23915; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|n|00|t|00|n|00|w|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23930; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|e|00|r|00|t|00|u|00|t|00|l|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23906; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|r|00|r|00|a|00|s|00|r|00|v|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23925; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Wordpress Request for html file in fgallery directory"; flow:to_server,established; content:"wp-content/uploads/fgallery"; fast_pattern:only; http_uri; pcre:"/wp-content\/uploads\/fgallery\/.+\x2ehtml?(\?|$)/U"; metadata:service http; classtype:web-application-attack; sid:23171; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Wordpress Request for php file in fgallery directory"; flow:to_server,established; content:"wp-content/uploads/fgallery"; fast_pattern:only; http_uri; pcre:"/wp-content\/uploads\/fgallery\/.+\x2ephp(\?|$)/U"; metadata:service http; classtype:web-application-attack; sid:21941; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE c99shell comment"; flow:to_client,established; file_data; content:"<h2>I'm a man!</h2>"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:23017; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Wordpress Invit0r plugin non-image file upload attempt"; flow:to_server,established; content:"/wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php"; fast_pattern:only; http_uri; content:"name="; http_uri; pcre:!"/name=($|[^\x26]+\x2e(jpe?g|bmp|png|gif)($|\x26))/Ui"; metadata:service http; reference:bugtraq,53995; reference:url,www.opensyscom.fr/Actualites/wordpress-plugins-invit0r-arbitrary-file-upload-vulnerability.html; classtype:web-application-attack; sid:23484; rev:5;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - QUERY_PATH_INFO csrss.exe"; flow:to_server,established; content:"|FF 53 4D 42 32 00 00 00 00|"; depth:9; offset:4; content:"|00 05 00|"; within:3; distance:51; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|s|00|r|00|s|00|s|00 2E 00|e|00|x|00|e|00|"; distance:0; nocase; metadata:service netbios-ssn; reference:url,www.symantec.com/connect/blogs/shamoon-attacks-continue; classtype:trojan-activity; sid:24127; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"document.location="; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24254; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"<html><head><meta http-equiv=|22|refresh"; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24253; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro write file"; flow:to_server,established; content:"action=stpf"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/c5a96f83bed99141a20d31a9b624db8891e475737c2be9a6cdf9cf024e3d2210/analysis/; classtype:policy-violation; sid:24392; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro stop attack"; flow:to_server,established; content:"action=ssttoopp"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/c5a96f83bed99141a20d31a9b624db8891e475737c2be9a6cdf9cf024e3d2210/analysis/; classtype:policy-violation; sid:24393; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro file upload"; flow:to_server,established; content:"pass=FgYuD@37"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/256fee47ccdf100a1c00e32b9cb2b1d18d5fcdccf4ae90085bc90130daa68c95/analysis/; classtype:policy-violation; sid:24388; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro start perl"; flow:to_server,established; content:"action=start.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/c5a96f83bed99141a20d31a9b624db8891e475737c2be9a6cdf9cf024e3d2210/analysis/; classtype:policy-violation; sid:24390; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro start attack"; flow:to_server,established; content:"action=start"; fast_pattern:only; http_uri; content:"time_s="; http_uri; content:"time_e="; http_uri; content:"page="; http_uri; metadata:service http; reference:url,www.virustotal.com/file/573da03a5d0ade02643203b47a6925db43b0d53dfeaf20c31e7700377cd79d15/analysis/; classtype:policy-violation; sid:24394; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro status check"; flow:to_server,established; content:".php?action=status"; fast_pattern:only; http_uri; content:".php?action=status "; metadata:service http; reference:url,www.virustotal.com/file/c5a96f83bed99141a20d31a9b624db8891e475737c2be9a6cdf9cf024e3d2210/analysis/; classtype:policy-violation; sid:24389; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro start php"; flow:to_server,established; content:"action=startphp.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/c5a96f83bed99141a20d31a9b624db8891e475737c2be9a6cdf9cf024e3d2210/analysis/; classtype:policy-violation; sid:24391; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE fx29shell.php connection attempt"; flow:to_server,established; content:"/fx29sh"; fast_pattern:only; http_uri; metadata:service http; classtype:policy-violation; sid:24434; rev:2;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid user authentication response"; flow:to_client,established; content:"E Fatal error, aborting."; fast_pattern:only; content:"|3A| no such user"; metadata:ruleset community; classtype:misc-attack; sid:2008; rev:9;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid repository response"; flow:to_client,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; fast_pattern:only; metadata:ruleset community; classtype:misc-attack; sid:2009; rev:7;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS double free exploit attempt response"; flow:to_client,established; content:"free|28 29 3A| warning|3A| chunk is already free"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2010; rev:12;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid directory response"; flow:to_client,established; content:"E protocol error|3A| invalid directory syntax in"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2011; rev:12;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS missing cvsroot response"; flow:to_client,established; content:"E protocol error|3A| Root request missing"; fast_pattern:only; metadata:ruleset community; classtype:misc-attack; sid:2012; rev:7;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid module response"; flow:to_client,established; content:"cvs server|3A| cannot find module"; fast_pattern:only; content:"error"; metadata:ruleset community; classtype:misc-attack; sid:2013; rev:8;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS non-relative path error response"; flow:to_client,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2317; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"INDICATOR-COMPROMISE nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L"; nocase; metadata:ruleset community; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE php-shell remote command shell upload attempt"; flow:to_client,established; file_data; content:"debug_msg('<h1>GOTCHA:"; fast_pattern:only; metadata:service http; classtype:attempted-admin; sid:23441; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE php-shell failed remote command injection attempt"; flow:to_client,established; file_data; content:".phpwas not found on this server.</p>"; fast_pattern:only; metadata:service http; classtype:attempted-admin; sid:23443; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE php-shell remote command shell upload attempt"; flow:to_client,established; file_data; content:"stripslashes($_REQUEST[|5C|'"; fast_pattern:only; content:"function"; nocase; content:"debug_msg"; distance:0; nocase; content:"my_exec"; distance:0; nocase; content:"spawn_shell"; distance:0; nocase; metadata:service http; classtype:attempted-admin; sid:23440; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE php-shell remote command shell upload attempt"; flow:to_client,established; file_data; content:"stripslashes($_REQUEST[|5C|'"; fast_pattern:only; pcre:"/global\s+(?P<global>\$\w+)\s*\x3b\s*(?P=global)\s*=.*?\{\s*eval\(\s*stripslashes\(\s*\$_REQUEST\[\x5c'.*?function_exists\(\s*(?P<q>.)(exec|passthru|system|shell_exec|exec_popen)(?P=q)\s*\)/smi"; metadata:service http; classtype:attempted-admin; sid:23439; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE php-shell remote command injection attempt"; flow:to_server,established; content:".php?"; fast_pattern:only; http_uri; pcre:"/\x2f(links|xml|configs|functions|virtual|pointer)\.php?.*?[a-f0-9]{32}=\w+\x28.*?\x29\x3b/iU"; metadata:service http; classtype:attempted-admin; sid:23442; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE php-shell remote command shell initialization attempt"; flow:to_client,established; file_data; content:"|3B|s:4:|22|pass|22 3B|s:32:|22|"; fast_pattern:only; pcre:"/\x3bs\x3a4\x3a\x22pass\x22\x3bs\x3a32\x3a\x22[a-f0-9]{32}\x22/i"; metadata:service http; classtype:attempted-admin; sid:23438; rev:4;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Lame"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|0E 97 88 1C 6C A1 37 96 42 03 BC 45 42 24 75 6C|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25841; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 No-Name"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|83 ED 52 2E 5A E0 7B C0|"; within:50; content:"A|40 40|hole"; nocase; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25848; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Virtuallythere"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|00 EE 48 13 76 F1 76 4B 6A FE 6D 8C 5E 60 44 19 B1 0A B1 9E BB 63 80 8F C8 43 C8 73 AE 77|"; within:512; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25836; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Moon-Night"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|7C 8D 59 39 32 60 9B 8E 45 6B 3F 84 16 92 1F C2|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25847; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Email"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|2F 09 DD E0 FF 81 B7 6C BF 2F 17 92 0C D8 BD 57|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25840; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Alpha"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|46 37 EA 15 B6 54 96 4C B6 44 2B 7B 06 1A A5 30|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25839; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Sur"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|20 82 92 3F 43 2C 8F 75 B7 EF 0F 6A D9 3C 8E 5D|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25844; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Yahoo"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|0A 38 C9 27 08 6F 96 4B BE 75 DC 9F C0 1A C6 28|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25846; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Webmail"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|4C 0B 1D 19 74 86 A7 66 B4 1A BF 40 27 21 76 28|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25838; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Server"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|52 55 38 16 FB 0D 1A 8A 4B 45 04 CB 06 BC C4 AF|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25843; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 NS"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|72 A2 5C 8A B4 18 71 4E BF C6 6F 3F 98 D6 F7 74|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25842; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 AOL"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|7C A2 74 D0 FB C3 D1 54 B3 D1 A3 00 62 E3 7E F6|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25845; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 IBM"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|00 D3 89 1C 10 09 D8 EC 74 2F 5C 1E 24 C0 89 CD 02 2F AD 13 FA 37 EA 9A F9 73 EF 08 DD 3C|"; within:512; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25837; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Java user-agent request to svchost.jpg"; flow:to_server,established; content:"/svchost.jpg"; fast_pattern:only; http_uri; content:"Java/1."; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-1493; classtype:trojan-activity; sid:26025; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to dyndns.org detected"; flow:to_server,established; content:"Host|3A 20|checkip.dyndns.org"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:26353; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for login.yahoo.com detected"; flow:to_client,established; ssl_state:server_hello; content:"login.yahoo.com"; nocase; content:"|3E 75 CE D4 6B 69 30 21 21 88 30 AE 86 A8 2A 71|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18569; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate from usertrust.com detected"; flow:to_client,established; ssl_state:server_hello; content:"usertrust.com"; nocase; content:"|72 03 21 05 C5 0C 08 57 3D 8E A5 30 4E FE E8 B0|"; fast_pattern:only; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=643056; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18576; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for addons.mozilla.org detected"; flow:to_client,established; ssl_state:server_hello; content:"addons.mozilla.org"; nocase; content:"|92 39 D5 34 8F 40 D1 69 5A 74 54 70 E1 F2 3F 43|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18571; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for login.yahoo.com detected"; flow:to_client,established; ssl_state:server_hello; content:"login.yahoo.com"; nocase; content:"|D7 55 8F DA F5 F1 10 5B B2 13 28 2B 70 77 29 A3|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18567; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for global trustee detected"; flow:to_client,established; ssl_state:server_hello; content:"global trustee"; nocase; content:"|D8 F3 5F 4E B7 87 2B 2D AB 06 92 E3 15 38 2F B0|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18573; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for login.skype.com detected"; flow:to_client,established; ssl_state:server_hello; content:"login.skype.com"; nocase; content:"|E9 02 8B 95 78 E4 15 DC 1A 71 0A 2B 88 15 44 47|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18570; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for login.live.com detected"; flow:to_client,established; ssl_state:server_hello; content:"login.live.com"; nocase; content:"|B0 B7 13 3E D0 96 F9 B5 6F AE 91 C8 74 BD 3A C0|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18572; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for login.yahoo.com detected"; flow:to_client,established; ssl_state:server_hello; content:"login.yahoo.com"; nocase; content:"|39 2A 43 4F 0E 07 DF 1F 8A A3 05 DE 34 E0 C2 29|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18568; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for mail.google.com detected"; flow:to_client,established; ssl_state:server_hello; content:"mail.google.com"; nocase; content:"|04 7E CB E9 FC A5 5F 7B D0 9E AE 36 E1 0C AE 1E|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18565; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for www.google.com detected"; flow:to_client,established; ssl_state:server_hello; content:"www.google.com"; nocase; content:"|F5 C8 6A F3 61 62 F1 3A 64 F5 4F 6D C9 58 7C 06|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18566; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE BeEF javascript hook.js download attempt"; flow:to_client,established; file_data; content:"beef.onpopstate.push(function(event)"; fast_pattern:only; metadata:service http; classtype:attempted-user; sid:23107; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to myip.dnsomatic.com detected"; flow:to_server,established; content:"Host|3A 20|myip.dnsomatic.com"; fast_pattern:only; http_header; metadata:service http; classtype:misc-activity; sid:26397; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to j.maxmind.com detected"; flow:to_server,established; content:"/app/geoip.js"; http_uri; content:"Host|3A 20|j.maxmind.com"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:26410; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirected URI attempt"; flow:to_server,established; urilen:>150,norm; content:"0aW1lP"; fast_pattern; http_uri; content:"/index.php?"; depth:11; http_uri; base64_decode:bytes 150, offset 10, relative; base64_data; content:"time="; content:"&src="; distance:0; content:"&surl="; distance:0; metadata:impact_flag red, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26530; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt"; flow:to_client,established; content:"0aW1lP"; fast_pattern; http_header; content:"/index.php?"; distance:-50; http_header; base64_decode:bytes 150, offset 10, relative; base64_data; content:"time="; content:"&src="; distance:0; content:"&surl="; distance:0; metadata:impact_flag red, ruleset community, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26528; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php"; within:100; content:"</iframe>"; distance:0; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:ruleset community, service http; classtype:bad-unknown; sid:27047; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; content:"User-Agent|3A| SEX|2F|1"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE All Numbers .EXE file name from abnormally ordered HTTP headers - Potential Yakes Trojan Download"; flow:to_server,established; content:"GET"; http_method; content:".exe HTTP/1.1|0D 0A|Cache-Control: "; fast_pattern:only; content:".exe HTTP/1.1"; nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|User-Agent: "; within:76; content:"|3A 20|"; distance:0; content:!"|3A 20|"; distance:0; pcre:"/\x2f\d+\.exe$/Ui"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27255; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE request for potential web shell - /jspspy.jsp"; flow:to_server,established; content:"/jspspy.jsp"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.mandiant.com/blog/responding-attacks-apache-struts2/; classtype:misc-activity; sid:27732; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE request for potential web shell - /inback.jsp"; flow:to_server,established; content:"/inback.jsp"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.mandiant.com/blog/responding-attacks-apache-struts2/; classtype:misc-activity; sid:27731; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE request for potential web shell - /css3.jsp"; flow:to_server,established; content:"/css3.jsp"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.mandiant.com/blog/responding-attacks-apache-struts2/; classtype:misc-activity; sid:27730; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE request for potential web shell - /Silic.jsp"; flow:to_server,established; content:"/Silic.jsp"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.mandiant.com/blog/responding-attacks-apache-struts2/; classtype:misc-activity; sid:27729; rev:4;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .su dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|su|00|"; distance:0; fast_pattern; metadata:service dns; classtype:trojan-activity; sid:27721; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .pw dns query"; flow:to_server; content:!"|01|u|02|pw"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pw|00|"; distance:0; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:28039; rev:7;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .cc dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cc|00|"; distance:0; fast_pattern; metadata:service dns; classtype:trojan-activity; sid:28190; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .nl.ai dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|nl|02|ai|00|"; distance:0; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:28284; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware download - single digit .exe file download"; flow:to_server,established; urilen:6; content:".exe"; fast_pattern:only; pcre:"/\/[a-z0-9]\.exe$/Ui"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5Ba-zA-Z%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-09-07&end=2013-12-06&max=400; classtype:trojan-activity; sid:28806; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE exe.exe download"; flow:to_server,established; urilen:>7; content:"/exe.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5BEe%5D%5BXx%5D%5BEe%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-11-21&end=2013-12-06&max=400; classtype:trojan-activity; sid:28945; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE suspicious test for public IP - iframe.ip138.com"; flow:to_server,established; content:"/ic.asp"; http_uri; content:"Host|3A 20|iframe.ip138.com|0D 0A|"; fast_pattern:only; http_header; content:!"|0D 0A|Accept"; http_header; content:!"|0D 0A|Referer"; http_header; metadata:policy max-detect-ips drop, policy security-ips alert, service http; classtype:successful-recon-limited; sid:29090; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE ZenCart malicious redirect attempt detected"; flow:to_client,established; content:"Set-Cookie|3A 20|USERID=shine-check|3B|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html; classtype:trojan-activity; sid:30066; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE ZenCart compromise attempt detected"; flow:to_client,established; content:"Set-Cookie|3A 20|USERID=twotime|3B|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html; classtype:trojan-activity; sid:30065; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE suspicious test for public IP - www.dawhois.com"; flow:to_server,established; content:"Host|3A 20|www.dawhois.com|0D 0A|"; fast_pattern:only; http_header; content:!"Accept|3A|"; http_header; content:!"Referer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/C84FC7BEF4E77E1F913A4BE1A7114D255459F9D808FCC09B0F441E3761E5E4A4/analysis/; classtype:trojan-activity; sid:30230; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE possible TAR file oversize length field"; flow:to_server,established; file_data; content:"ustar"; depth:5; offset:257; byte_test:10,>,100000,124,string,dec; metadata:service smtp; reference:cve,2012-1457; classtype:trojan-activity; sid:30995; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE possible TAR file oversize length field"; flow:to_client,established; file_data; content:"ustar"; depth:5; offset:257; byte_test:10,>,100000,124,string,dec; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1457; classtype:trojan-activity; sid:30994; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE connection to zeus malware sinkhole"; flow:to_client,established; content:"X-Sinkhole|3A| Malware GameOverZeus sinkhole"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/sinkhole_server; classtype:trojan-activity; sid:31214; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE http POST request smuggling attempt"; flow:to_server,established; content:"POST /"; fast_pattern:only; http_header; content:" HTTP/"; http_header; metadata:service http; reference:cve,2014-0099; classtype:misc-attack; sid:31213; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE http GET request smuggling attempt"; flow:to_server,established; content:"GET /"; fast_pattern:only; http_header; content:" HTTP/"; http_header; metadata:service http; reference:cve,2014-0099; classtype:misc-attack; sid:31212; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Liz0ziM php shell download attempt"; flow:to_server,established; file_data; content:"Liz0ziM"; fast_pattern:only; content:"|24 5F|POST|5B|liz0|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/599a1ec19581cdcc5d268093bd8cbeaf2c6c519390d68820f2a1258297f0d783/analysis/; classtype:attempted-user; sid:31503; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"liz0="; fast_pattern:only; http_client_body; content:"liz0="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/599a1ec19581cdcc5d268093bd8cbeaf2c6c519390d68820f2a1258297f0d783/analysis/; classtype:attempted-user; sid:31502; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"baba="; fast_pattern:only; http_client_body; content:"baba="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/599a1ec19581cdcc5d268093bd8cbeaf2c6c519390d68820f2a1258297f0d783/analysis/; classtype:attempted-user; sid:31501; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"INDICATOR-COMPROMISE Liz0ziM php shell upload attempt"; flow:to_server,established; file_data; content:"Liz0ziM"; fast_pattern:only; content:"|24 5F|POST|5B|liz0|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/599a1ec19581cdcc5d268093bd8cbeaf2c6c519390d68820f2a1258297f0d783/analysis/; classtype:attempted-user; sid:31500; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Liz0ziM php shell download attempt"; flow:to_client,established; file_data; content:"Liz0ziM"; fast_pattern:only; content:"|24 5F|POST|5B|liz0|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/599a1ec19581cdcc5d268093bd8cbeaf2c6c519390d68820f2a1258297f0d783/analysis/; classtype:attempted-user; sid:31499; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE MinerDeploy monitor request attempt"; flow:to_server,established; content:"/monitor.php?"; fast_pattern; http_uri; content:"myid="; distance:0; http_uri; content:"&ip="; distance:0; http_uri; content:"&cgminer="; distance:0; http_uri; content:"&operatingsystem="; distance:0; http_uri; content:!"Content-Length|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/06033b08afd30b413cce3b9a169cb8396fe34865f3bacd436c652dbb469ced62/analysis/; classtype:trojan-activity; sid:31531; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"INDICATOR-COMPROMISE Keylog string over FTP detected"; flow:to_server,established; content:"|20|KeyLog"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; reference:url,attack.mitre.org/techniques/T1056; classtype:string-detect; sid:31711; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"_pdf.exe"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity; sid:32646; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt"; flow:to_server,established; urilen:1; content:"GET"; http_method; content:"/wp-admin/"; fast_pattern:only; http_header; content:"Host: www.fedex.com|0D 0A|"; http_header; pcre:"/Referer\x3a\x20[\x20-\x7E]*?\/wp\x2dadmin\/[a-z\d\x2d]+?\.php\r\n/Hi"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.hybrid-analysis.com/sample/a531bc62b0460eba5b0003b535a2e9cceae0b623aecfdc6f0331743fbee77e56/; classtype:trojan-activity; sid:32888; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Download of executable screensaver file"; flow:to_client,established; file_data; content:"PK|03 04|"; depth:4; content:".scr"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1180; reference:url,www.virustotal.com/en/file/cb7a29d1dec378f94b394ba4df3dc1fe5fe3b8d1d4ca3e70da3a611b67588ae7/analysis/; classtype:policy-violation; sid:32948; rev:4;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|tor2web|03|org|00|"; fast_pattern:only; metadata:service dns; reference:url,www.virustotal.com/en/file/ce7ed063a777fc597c788ef5a1cfdff7b823f34b8207043a482025e4bcd8db7a/analysis/; classtype:misc-activity; sid:33216; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|icanhazip|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,www.virustotal.com/en/file/ce7ed063a777fc597c788ef5a1cfdff7b823f34b8207043a482025e4bcd8db7a/analysis/; classtype:misc-activity; sid:33215; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Blocker variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.3|3B| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36|0D 0A|Host: checkip.dyndns.org|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/79b75a8564e2e446789e1890f52c025792de919b63719e02630a70d6ae9a3ca4/analysis/1421439683/; classtype:misc-activity; sid:33224; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT28 Lisuife"; flow:to_client,established; ssl_state:server_hello; content:"SolusVM Slave"; fast_pattern:only; metadata:impact_flag red, service ssl; reference:url,www.virustotal.com/en/file/566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092/analysis/; classtype:trojan-activity; sid:34465; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Windows Internet Explorer EMET check and garbage collection"; flow:to_server,established; file_data; content:"CollectGarbage()"; content:"C:|5C 5C|windows|5C 5C|AppPatch|5C 5C|EMET.DLL"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-7331; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:misc-attack; sid:29822; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Windows Internet Explorer EMET check and garbage collection"; flow:to_client,established; file_data; content:"CollectGarbage()"; content:"C:|5C 5C|windows|5C 5C|AppPatch|5C 5C|EMET.DLL"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-7331; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:misc-attack; sid:29821; rev:6;)
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner Windows Vista"; flow:established; content:"Microsoft Windows"; depth:18; content:"Copyright |28|c|29| 2006"; distance:0; content:"Microsoft Corporation"; distance:0; metadata:policy max-detect-ips drop; reference:nessus,11633; classtype:successful-admin; sid:18757; rev:8;)
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner Windows 7/Server 2008R2"; flow:established; content:"Microsoft Windows"; depth:18; content:"Copyright |28|c|29| 2009"; distance:0; content:"Microsoft Corporation"; distance:0; metadata:policy max-detect-ips drop; reference:nessus,11633; classtype:successful-admin; sid:18756; rev:9;)
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; depth:18; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:12;)
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE id check returned userid"; content:"uid="; nocase; content:" gid="; distance:0; pcre:"/uid=\d{1,5}\S+\s+gid=\d{1,5}/smi"; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:1882; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 03|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30|"; within:10; distance:3; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30 82|"; within:9; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:34864; rev:2;)
alert tcp $EXTERNAL_NET 448 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - Win.Trojan.Dridex"; flow:to_client,established; content:"koalabride"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/5aad7720c0bb9848d540705943999d4e90908ba40a9d38e20018e53eb741dcb8/analysis/; classtype:trojan-activity; sid:35222; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Wild Neutron potential exploit attempt"; flow:to_server,established; urilen:>25; content:".swf?"; http_uri; content:"styleid="; distance:0; http_uri; content:"&langid="; distance:0; http_uri; content:"&sid="; distance:0; http_uri; content:"&d="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:35745; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 02|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30|"; within:10; distance:3; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30 82|"; within:9; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:36612; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; byte_extract:1,0,string_size,relative; content:"|30|"; within:1; distance:string_size; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; byte_extract:1,0,string_size,relative; content:"|30 82|"; within:2; distance:string_size; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:36611; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt"; flow:to_server,established; file_data; content:"setAttributeNS"; content:"required"; within:100; pcre:"/setAttributeNS\s*\x28[^,]*,[^,]*required(Features|Extensions)[^,]*,[^\x29]+[\x22\x27]([\0\s]|\\([vfbtnsr0]|x(20|0[\da-f])))+[\x22\x27]/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:misc-activity; sid:36760; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt"; flow:to_client,established; file_data; content:"setAttributeNS"; content:"required"; within:100; pcre:"/setAttributeNS\s*\x28[^,]*,[^,]*required(Features|Extensions)[^,]*,[^\x29]+[\x22\x27]([\0\s]|\\([vfbtnsr0]|x(20|0[\da-f])))+[\x22\x27]/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:misc-activity; sid:36759; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE download of a Office document with embedded PowerShell"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"powershell.exe"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; classtype:trojan-activity; sid:37244; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE download of a Office document with embedded PowerShell"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"powershell.exe"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips alert, service smtp; reference:url,attack.mitre.org/techniques/T1086; classtype:trojan-activity; sid:37243; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE malicious file download attempt"; flow:to_server,established; content:"|2F 70 6F 63|"; http_uri; pcre:"/\x2f\x70\x6f\x63(\d*|\x5f[\x61-\x7a]+)\x2e(\x68\x74\x6d\x6c|\x78(\x6c\x73|\x73\x6c|\x6d\x6c)|\x6a(\x73|\x61\x76a)|\x61\x73\x70|\x70(\x64f|\x70\x74|\x48\x70|\x73\x64)|\x66\x6c\x76|\x73\x77\x66|\x64\x6fc|\x74\x74\x66|\x62\x6d\x70|\x6d(\x70\x33|\x33\x75))/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:misc-activity; sid:37963; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data"; flow:to_client,established; content:"Content-Type|3A 20|text/plain"; http_header; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38619; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potential abuse of originating page privileges by new tab"; flow:to_client; file_data; content:"window.opener.location"; fast_pattern:only; metadata:service http; reference:url,www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/; classtype:policy-violation; sid:38767; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC nick change on non-standard port"; flow:to_server,established; dsize:<100; content:"NICK "; depth:5; metadata:service irc; classtype:trojan-activity; sid:38933; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Netgear D6000 or D3600 password recovery page access attempt"; flow:to_server,established; content:"/cgi-bin/passrec.asp"; fast_pattern:only; nocase; http_uri; metadata:service http; reference:cve,2015-8289; reference:url,www.kb.cert.org/vuls/id/778696; classtype:misc-activity; sid:39444; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Content-Type image containing Portable Executable data"; flow:to_client,established; content:"Content-Type|3A 20|image/"; fast_pattern:only; http_header; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/2dc752d12baa8c8441b82dd52abfd51c25abd28ba42344b22869ba7ae5a9a877/analysis/1469197722/; classtype:trojan-activity; sid:39729; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Oracle E-Business Suite arbitrary node deletion"; flow:to_server,established; content:"/pls/"; http_uri; content:"/fnd_document_management.Dm_Nodes_Delete?"; fast_pattern:only; http_uri; content:"p_node_id="; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23532; reference:cve,2007-2170; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html; classtype:misc-activity; sid:39870; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .tk dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|tk|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,en.wikipedia.org/wiki/.tk; classtype:misc-activity; sid:39867; rev:4;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .ml dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|ml|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,en.wikipedia.org/wiki/.ml; classtype:misc-activity; sid:39866; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Connection to malware sinkhole - CERT.PL"; flow:to_client,established; content:"Content-Length: 24|0D 0A|"; http_header; content:"Sinkholed by CERT.PL<br>"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:39851; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Meteocontrol WEBlog config containing passwords download attempt"; flow:to_server,established; content:"/html/en/confAccessProt.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-2296; classtype:web-application-attack; sid:39881; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INDICATOR-COMPROMISE Cisco IOS commandline overflow attempt."; flow:to_server,established; content:"|16 50 16 60 16 B8 16 82 16 AA 16 AA 16 AA 16 35 16 AA 16 AA 16 AA 16 AA 16 BF 16 14 16 B3 16|"; fast_pattern:only; reference:cve,2016-6367; classtype:attempted-admin; sid:39987; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INDICATOR-COMPROMISE Cisco IOS commandline overflow attempt"; flow:to_server,established; content:"|16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08|"; fast_pattern:only; reference:cve,2016-6367; classtype:attempted-admin; sid:39986; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INDICATOR-COMPROMISE Cisco IOS commandline overflow attempt."; flow:to_server,established; content:"|16 50 16 60 16 B8 16 82 16 AA 16 AA 16 AA 16 35 16 AA 16 AA 16 AA 16 AA 16 BF 16 20 16 E6 16|"; fast_pattern:only; reference:cve,2016-6367; classtype:attempted-admin; sid:39985; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INDICATOR-COMPROMISE Cisco IOS commandline overflow attempt."; flow:to_server,established; content:"|16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01|"; fast_pattern:only; reference:cve,2016-6367; classtype:attempted-admin; sid:39984; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INDICATOR-COMPROMISE Cisco IOS commandline overflow attempt"; flow:to_server,established; content:"|16|"; fast_pattern; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; reference:cve,2016-6367; classtype:attempted-admin; sid:39983; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE TextDecorationLineUnderline property use"; flow:to_server,established; file_data; content:"TextDecorationLineUnderline"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service smtp; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40093; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE TextDecorationLineThrough property use"; flow:to_server,established; file_data; content:"TextDecorationLineThrough"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service smtp; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40092; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE TextDecorationLineOverline property use"; flow:to_server,established; file_data; content:"TextDecorationLineOverline"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service smtp; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40091; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE TextDecorationLineNone property use"; flow:to_server,established; file_data; content:"TextDecorationLineNone"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service smtp; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40090; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE TextDecorationBlink property use"; flow:to_server,established; file_data; content:"TextDecorationBlink"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service smtp; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40089; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE TextDecorationLineUnderline property use"; flow:to_client,established; file_data; content:"TextDecorationLineUnderline"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40088; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE TextDecorationLineThrough property use"; flow:to_client,established; file_data; content:"TextDecorationLineThrough"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40087; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE TextDecorationLineOverline property use"; flow:to_client,established; file_data; content:"TextDecorationLineOverline"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40086; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE TextDecorationLineNone property use"; flow:to_client,established; file_data; content:"TextDecorationLineNone"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40085; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE TextDecorationBlink property use"; flow:to_client,established; file_data; content:"TextDecorationBlink"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40084; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE wsf inside zip potential malicious file download attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; depth:4; content:".wsf"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:url,bleepingcomputer.com/news/security/zepto-ransomware-locky-variant-being-distributed-via-wsf-attachments/; classtype:attempted-user; sid:40568; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE shell script download with curl from external source"; flow:to_server,established; content:"User-Agent: curl"; fast_pattern:only; http_header; content:".sh"; nocase; http_uri; pcre:"/\x2Esh$/Ui"; metadata:service http; classtype:suspicious-filename-detect; sid:40598; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE shell script download with wget from external source"; flow:to_server,established; content:"User-Agent: Wget"; fast_pattern:only; http_header; content:".sh"; nocase; http_uri; pcre:"/\x2Esh$/Ui"; metadata:service http; classtype:suspicious-filename-detect; sid:40597; rev:3;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE DNS response points to sinkholed domain"; flow:to_client,established; content:"|00 02 00 01|"; content:"honeybot|02|us"; fast_pattern:only; metadata:service dns; reference:url,whois.domaintools.com/honeybot.us; classtype:trojan-activity; sid:40610; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Malicious script redirect attempt"; flow:to_client, established; file_data; content:"<script"; nocase; content:"username=yelang88888"; within:200; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:40828; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt"; flow:to_server,established; file_data; content:"<scriptlet>"; fast_pattern:only; content:"<registration"; nocase; content:"progid"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,msdn.microsoft.com/en-us/library/ms974602.aspx; classtype:attempted-user; sid:40830; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt"; flow:to_client,established; file_data; content:"<scriptlet>"; fast_pattern:only; content:"<registration"; nocase; content:"progid"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,msdn.microsoft.com/en-us/library/ms974602.aspx; classtype:attempted-user; sid:40829; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"(*THEN"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7868; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41009; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"(*THEN"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7868; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41008; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"(*SKIP"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7870; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41007; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"(*SKIP"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7870; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41006; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"(*PRUNE"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7869; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41001; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"(*PRUNE"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7869; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41000; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|07 28 2A|MARK|3A|"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7867; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:40997; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|07 28 2A|MARK|3A|"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7867; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:40996; rev:2;)
# alert tcp $HOME_NET [1024:] -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port"; flow:to_client,established; content:"|05 FF|"; depth:2; dsize:2; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41534; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 03 00 04|"; depth:4; dsize:<30; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41533; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 03 00 03|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41532; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 03 00 01|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41531; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 02 00 04|"; depth:4; dsize:<30; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41530; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 02 00 03|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41529; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 02 00 01|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41528; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 01 00 04|"; depth:4; dsize:<30; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41527; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 01 00 03|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41526; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 01 00 01|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41525; rev:2;)
# alert tcp $HOME_NET [1024:] -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port"; flow:to_client,established; content:"|05 00|"; depth:2; dsize:2; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41524; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"INDICATOR-COMPROMISE Writable SQL directories discovery attempt"; flow:to_server, established; content:"SELECT"; nocase; content:"INTO DUMPFILE"; distance:0; nocase; content:"SELECT"; distance:0; nocase; content:"INTO DUMPFILE"; distance:0; nocase; metadata:service mysql; reference:url,dev.mysql.com/doc/refman/5.7/en/select-into.html; classtype:attempted-recon; sid:41637; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS"; flow:to_server,established; content:"User-Agent|3A| Microsoft BITS"; http_header; content:"Host|3A 20|xn--"; fast_pattern:only; http_header; pcre:"/(\x2ebat|\x2eexe)$/smiU"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:41710; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-COMPROMISE d-link sharecenter dns-320 denial of service attempt"; flow:to_server,established; content:"/cgi-bin/system_mgr.cgi"; fast_pattern:only; nocase; http_uri; content:"cmd=cgi_restart"; nocase; http_client_body; metadata:service http; reference:url,sharecenter.dlink.com/products/DNS-320; classtype:web-application-attack; sid:41758; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-COMPROMISE d-link sharecenter dns-320 denial of service attempt"; flow:to_server,established; content:"/cgi-bin/system_mgr.cgi"; fast_pattern:only; nocase; http_uri; content:"cmd=cgi_shutdown"; nocase; http_client_body; metadata:service http; reference:url,sharecenter.dlink.com/products/DNS-320; classtype:web-application-attack; sid:41757; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-COMPROMISE d-link sharecenter dns-320 denial of service attempt"; flow:to_server,established; content:"/cgi-bin/wizard_mgr.cgi"; fast_pattern:only; nocase; http_uri; content:"cmd=cgi_wizard"; nocase; http_client_body; metadata:service http; reference:url,sharecenter.dlink.com/products/DNS-320; classtype:web-application-attack; sid:41756; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-COMPROMISE d-link sharecenter dns-320 denial of service attempt"; flow:to_server,established; content:"/cgi-bin/dks_mgr.cgi"; fast_pattern:only; nocase; http_uri; content:"cmd=FMT_restart"; nocase; http_client_body; metadata:service http; reference:url,sharecenter.dlink.com/products/DNS-320; classtype:web-application-attack; sid:41755; rev:1;)
# alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE clorius controls information gathering attempt"; flow:to_client, established; content:"Server|3A| ISC SCADA Service HTTPserv|3A|00001"; fast_pattern:only; http_header; file_data; content:"Firmware Version"; nocase; content:"Script Version"; distance:0; nocase; content:"IP-adresse"; distance:0; nocase; content:"AI"; distance:0; nocase; content:"AO"; distance:0; nocase; content:"DI"; distance:0; nocase; content:"DO"; distance:0; nocase; content:"MAC-adresse"; distance:0; nocase; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-13-091-02; classtype:attempted-recon; sid:41784; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Request for external IP address detected"; flow:to_server,established; content:"Host: myexternalip.com"; fast_pattern:only; http_header; content:"/raw"; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; reference:url,virustotal.com/en/file/9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740/analysis/; classtype:trojan-activity; sid:42082; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE RTF url moniker COM file download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"0e0c9ea79f9bace118c8200aa004ba90b"; content:"68007400740070003a002f002f00"; within:50; metadata:service smtp; reference:cve,2017-0199; classtype:misc-activity; sid:42230; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE RTF url moniker COM file download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"0e0c9ea79f9bace118c8200aa004ba90b"; content:"68007400740070003a002f002f00"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0199; classtype:misc-activity; sid:42229; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE malicious javascript obfuscation detected"; flow:to_client,established; file_data; content:"tpircsbv"; content:"epyt"; within:20; content:"tpircs"; within:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:42292; rev:2;)
# alert tcp $EXTERNAL_NET 10051 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Zabbix Proxy configuration containing script detected"; flow:to_client,established; content:"ZBXD|01|"; depth:5; fast_pattern; content:"scripts"; content:"fields"; distance:0; content:"scriptid"; distance:0; content:"command"; distance:0; content:"description"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2825; reference:url,talosintelligence.com/reports/TALOS-2017-0326; classtype:attempted-user; sid:42337; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Image"; content:"/FlateDecode"; within:100; content:"stream|0D 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:200; metadata:service smtp; reference:cve,2016-1088; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:misc-activity; sid:42460; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Image"; content:"/FlateDecode"; within:100; content:"stream|0D 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1088; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:misc-activity; sid:42459; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Office with embedded EPS download attempt "; flow:to_server,established; flowbits:isset,file.docx; file_data; content:"PK|03 04|"; byte_extract:2,22,nameLen,relative,little; content:".eps"; within:nameLen; distance:2; fast_pattern; metadata:service smtp; reference:cve,2017-0262; classtype:attempted-admin; sid:42928; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Office with embedded EPS download attempt "; flow:to_client,established; flowbits:isset,file.docx; file_data; content:"PK|03 04|"; byte_extract:2,22,nameLen,relative,little; content:".eps"; within:nameLen; distance:2; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0262; classtype:attempted-admin; sid:42927; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .top dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|top|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,en.wikipedia.org/wiki/.top; classtype:misc-activity; sid:43687; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE possible Samsung DVR authentication bypass attempt"; flow:to_server,established; content:"/cgi-bin/"; fast_pattern:only; http_uri; content:"DATA"; http_cookie; content:"="; within:1; distance:1; http_cookie; metadata:service http; reference:cve,2013-3585; reference:cve,2013-3586; classtype:attempted-admin; sid:43576; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Juniper vSRX Application Firewall IPv6 REJECT buffer overflow attempt"; dsize:>200; icode:1; itype:1; content:"|90 90 90 90|"; fast_pattern:only; classtype:attempted-admin; sid:43546; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Symantec Endpoint Protection potential binary planting RCE attempt"; flow:to_client,established; file_data; flowbits:isset, file.zip; content:"PK"; content:"UxTheme.dll"; within:30; distance:30; fast_pattern; content:"PK"; content:"packlist.xml"; within:30; distance:30; nocase; metadata:service http; reference:cve,2015-1492; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150730_00; classtype:attempted-user; sid:43389; rev:1;)
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Wing FTP Server potentially malicious admin user creation attempt"; flow:to_client,established; file_data; content:"form"; nocase; content:"action"; nocase; content:"/admin_addadmin.html"; within:100; fast_pattern; nocase; content:"method"; within:50; content:"post"; within:25; nocase; content:"domainlist"; nocase; content:"ipmasks"; nocase; content:"mydirectory"; nocase; metadata:service smtp; reference:url,www.wftpserver.com/serverhistory.htm; classtype:attempted-admin; sid:43385; rev:1;)
# alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Wing FTP Server potentially malicious admin user creation attempt"; flow:to_client,established; file_data; content:"form"; nocase; content:"action"; nocase; content:"/admin_addadmin.html"; within:100; fast_pattern; nocase; content:"method"; within:50; content:"post"; within:25; nocase; content:"domainlist"; nocase; content:"ipmasks"; nocase; content:"mydirectory"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.wftpserver.com/serverhistory.htm; classtype:attempted-admin; sid:43384; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt"; content:"|FF FF F0 3D 00 00|"; depth:6; offset:6; reference:url,blog.exodusintel.com/2016/09/08/firmware-updates-made-easy/; classtype:attempted-admin; sid:43126; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt"; content:"|FF FF F0 3D 00 40|"; depth:6; offset:6; reference:url,blog.exodusintel.com/2016/09/08/firmware-updates-made-easy/; classtype:attempted-admin; sid:43125; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt"; flow:established, to_server; content:"|FF FF F0 3D 00 00|"; depth:6; offset:6; reference:url,blog.exodusintel.com/2016/09/08/firmware-updates-made-easy/; classtype:attempted-admin; sid:43124; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt"; flow:established, to_server; content:"|FF FF F0 3D 00 40|"; depth:6; offset:6; reference:url,blog.exodusintel.com/2016/09/08/firmware-updates-made-easy/; classtype:attempted-admin; sid:43123; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE OLE attachment with embedded PICT attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; distance:0; content:"TCIP"; distance:0; metadata:service smtp; reference:cve,2017-8487; classtype:misc-activity; sid:43092; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1450 (msg:"INDICATOR-COMPROMISE SysAid mssql potentially malicious user permissions creation"; flow:established, to_server; content:"|00|I|00|N|00|S|00|E|00|R|00|T|00| |00|I|00|N|00|T|00|O|00| |00|i|00|l|00|i|00|e|00|n|00|t|00|.|00|d|00|b|00|o|00|.|00|s|00|y|00|s|00|a|00|i|00|d|00|_|00|u|00|s|00|e|00|r|00|_|00|p|00|e|00|r|00|m|00|i|00|s|00|s|00|i|00|o|00|n|00|s|00|"; fast_pattern:only; reference:cve,2015-3001; classtype:attempted-admin; sid:43075; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1450 (msg:"INDICATOR-COMPROMISE SysAid mssql potentially malicious new user creation attempt"; flow:established, to_server; content:"|00|I|00|N|00|S|00|E|00|R|00|T|00| |00|I|00|N|00|T|00|O|00| |00|i|00|l|00|i|00|e|00|n|00|t|00|.|00|d|00|b|00|o|00|.|00|s|00|y|00|s|00|a|00|i|00|d|00|_|00|u|00|s|00|e|00|r|00|"; fast_pattern:only; reference:cve,2015-3001; classtype:attempted-admin; sid:43074; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Trend Micro Control Manager WFINFOR cookie authentication bypass attempt"; flow:established, to_server; content:"/modTMCM"; fast_pattern:only; http_uri; content:"WFINFOR"; http_cookie; metadata:service http; reference:url,docs.trendmicro.com/all/ent/tmcm/v6.0-sp3/en-us/tmcm_6.0-sp3_readme.html; classtype:attempted-user; sid:43065; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE backwards executable download"; flow:to_client,established; file_data; content:"edom SOD ni nur eb tonnac margorp sihT"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43839; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash file contains reference to kernel32.dll"; flow:to_client,established; file_data; content:"|0C|kernel32.dll"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43838; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE VBScript accessing scripting API for WMI"; flow:to_client,established; file_data; content:"<script"; content:"vbscript"; within:25; content:"GetObject|28|"; content:"winmgmts|3A|"; within:15; fast_pattern; content:".InstancesOf"; within:15; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43933; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .win dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|win|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:44077; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .trade dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|trade|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:44076; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE png file attachment without matching file magic"; flow:established,to_client; content:"Content-Type: image/png"; http_header; file_data; content:!"|89|PNG"; depth:4; metadata:service http; classtype:misc-activity; sid:44416; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE VBscript downloader detected"; flow:to_server,established; file_data; content:"SLShare"; fast_pattern:only; content:"CreateObject("; nocase; content:"split"; nocase; content:"replace"; within:10; nocase; content:"shell"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:url,virustotal.com/#/file/83a7891731aacbe25bb5f5e2ba0c8dabed379be8c6fbc25db78c0d771a20a432/detection; classtype:trojan-activity; sid:44613; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE VBscript downloader detected"; flow:to_client,established; file_data; content:"SLShare"; fast_pattern:only; content:"CreateObject("; nocase; content:"split"; nocase; content:"replace"; within:10; nocase; content:"shell"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/83a7891731aacbe25bb5f5e2ba0c8dabed379be8c6fbc25db78c0d771a20a432/detection; classtype:trojan-activity; sid:44612; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Meterpreter payload download attempt"; flow:to_client,established; content:"packet_call_completion_handlers"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; classtype:trojan-activity; sid:44728; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Apache HTTP Server possible mod_dav.c remote denial of service vulnerability attempt"; flow:to_server,established; content:":merge"; fast_pattern:only; content:"MERGE"; http_method; content:"DAV:"; content:":href"; within:100; metadata:service http; reference:bugtraq,100872; reference:cve,2013-1896; classtype:attempted-dos; sid:44808; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Malicious VBA script detected"; flow:to_client,established; content:"<script"; nocase; content:"VBScript"; within:50; nocase; content:"StrReverse"; nocase; content:"Chr"; within:20; nocase; content:"StrReverse"; within:30; nocase; content:"Chr"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-admin; sid:44875; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt"; flow:to_server,established; file_data; content:"ms-word:ofe|7C|u|7C|"; fast_pattern:only; metadata:service smtp; classtype:misc-activity; sid:44865; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt"; flow:to_client,established; file_data; content:"ms-word:ofe|7C|u|7C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:44864; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt"; flow:to_server,established; file_data; content:"PK|03 04|"; content:"|01 00|"; within:2; distance:4; metadata:service smtp; reference:cve,2017-11937; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11937; classtype:attempted-admin; sid:45153; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt"; flow:to_client,established; file_data; content:"PK|03 04|"; content:"|01 00|"; within:2; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11937; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11937; classtype:attempted-admin; sid:45152; rev:1;)
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit run hidden powershell attempt"; flow:to_client,established; file_data; content:"|5C|v1.0|5C|powershell.exe"; content:"New-Object System.Diagnostics.ProcessStartInfo"; fast_pattern:only; content:".FileName="; content:".Arguments="; content:".UseShellExecute="; content:".RedirectStandardOutput="; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; classtype:attempted-user; sid:45137; rev:3;)
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt"; flow:to_client,established; file_data; content:"<?XML"; depth:5; content:"powershell.exe"; content:"new-object Net.WebClient|29|.DownloadString"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; classtype:attempted-user; sid:45136; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt"; flow:to_server,established; file_data; flowbits:isset,file.doc|file.rtf; content:"|5C|objautlink"; content:"|5C|objupdate"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0199; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0199; classtype:attempted-user; sid:45520; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt"; flow:to_client,established; file_data; flowbits:isset,file.doc|file.rtf; content:"|5C|objautlink"; content:"|5C|objupdate"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0199; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0199; classtype:attempted-user; sid:45519; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash potential exploit download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00 00 00 45 78 70 6C 6F 69 74 00 40 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:45742; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash potential exploit download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00 00 00 70 6F 63 00 40 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45741; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash potential exploit download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00 00 00 45 78 70 6C 6F 69 74 00 40 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45740; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash potential exploit download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00 00 00 70 6F 63 00 40 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:45739; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE PHP shell_exec command execution attempt"; flow:to_server,established; content:"php"; nocase; http_client_body; content:"shell_exec"; within:150; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:45916; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt"; flow:to_server,established; content:"php"; nocase; http_client_body; content:"eval"; within:100; nocase; http_client_body; content:"base64_decode"; within:100; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:45915; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE PHP phpinfo command execution attempt"; flow:to_server,established; content:"php"; nocase; http_client_body; content:"phpinfo"; within:150; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:45914; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Potential data exfiltration through Google form submission"; flow:to_server,established; content:"/forms/d/e/"; depth:11; nocase; http_uri; content:"/viewform?entry."; fast_pattern; nocase; http_uri; content:"="; within:15; http_uri; content:"entry."; within:50; nocase; http_uri; content:"="; within:15; http_uri; content:"Host|3A| docs.google.com|0D 0A|"; nocase; http_header; pcre:"/entry\.\d+=\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/Ui"; metadata:service http; reference:url,attack.mitre.org/techniques/T1020; classtype:misc-activity; sid:46381; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Request for external IP address detected"; flow:to_server,established; content:"Host: ifconfig.co"; fast_pattern:only; http_header; content:"/ip"; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; classtype:trojan-activity; sid:46679; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt"; flow:to_server,established; content:"/xml/"; http_uri; content:"Host|3A| freegeoip.net"; fast_pattern:only; http_header; content:!"Referer|3A|"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file-scan/report.html?id=5d6691a4345258ce7de5002c322be83a3c0c94cffdfd1309ccc0bf593616f31e; classtype:trojan-activity; sid:46664; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt"; flow:to_server,established; content:"/geoip"; http_uri; content:"Host|3A| www.telize.com"; fast_pattern:only; http_header; content:!"Referer|3A|"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file-scan/report.html?id=5d6691a4345258ce7de5002c322be83a3c0c94cffdfd1309ccc0bf593616f31e; classtype:trojan-activity; sid:46663; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt"; flow:to_server,established; content:"WS1/cgi/x.cgi"; fast_pattern:only; http_uri; content:"NAVG="; http_uri; content:"username=dudxwd"; http_uri; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:url,www.virustotal.com/en/file/9b504da9e77ec067b0577b557443f76e84717cb00455ce39138eeaf344f3d2e3/analysis/; classtype:trojan-activity; sid:46641; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt"; flow:to_server,established; content:"/Arts/"; http_uri; content:"inf22.css"; within:50; http_uri; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:url,www.virustotal.com/en/file/9b504da9e77ec067b0577b557443f76e84717cb00455ce39138eeaf344f3d2e3/analysis/; classtype:trojan-activity; sid:46640; rev:2;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Possible Samba internal DNS forged response"; flow:to_server; content:"|81 20 00 01 00 00 00 00 00 00|"; depth:10; offset:2; reference:cve,2014-0239; classtype:denial-of-service; sid:46848; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|8B 14 24|"; content:"|8D|"; within:15; content:"|24 08|"; within:2; distance:1; content:"|89|"; within:15; content:"|89|"; within:15; content:"|8B|"; within:15; content:"|48 CF|"; within:2; distance:1; metadata:service smtp; reference:cve,2018-8897; classtype:attempted-user; sid:46910; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|8B 14 24|"; content:"|8D|"; within:15; content:"|24 08|"; within:2; distance:1; content:"|89|"; within:15; content:"|89|"; within:15; content:"|8B|"; within:15; content:"|48 CF|"; within:2; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; classtype:attempted-user; sid:46909; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|0F 22|"; content:"|FB|"; within:30; content:"|0F 22|"; within:30; content:"|48 CF|"; within:30; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; classtype:attempted-user; sid:46908; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|0F 22|"; content:"|FB|"; within:30; content:"|0F 22|"; within:30; content:"|48 CF|"; within:30; metadata:service smtp; reference:cve,2018-8897; classtype:attempted-user; sid:46907; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|A0 01|"; content:"|05 00 BF 00|"; within:50; content:"|10 00 10 00|"; within:50; metadata:service smtp; reference:cve,2018-8897; classtype:attempted-user; sid:46906; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|A0 01|"; content:"|05 00 BF 00|"; within:50; content:"|10 00 10 00|"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; classtype:attempted-user; sid:46905; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FF 15|"; content:"|FF 15|"; within:50; content:"|FF 15|"; within:50; content:"|83|"; within:50; content:"|08|"; within:2; distance:1; content:"|81|"; within:30; content:"|83 E0 F0|"; within:100; metadata:service smtp; reference:cve,2018-8897; classtype:attempted-user; sid:46904; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 15|"; content:"|FF 15|"; within:50; content:"|FF 15|"; within:50; content:"|83|"; within:50; content:"|08|"; within:2; distance:1; content:"|81|"; within:30; content:"|83 E0 F0|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; classtype:attempted-user; sid:46903; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1099 (msg:"INDICATOR-COMPROMISE Java ysoserial payload deserialization exploit attempt"; flow:to_server,established; content:"ysoserial"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service java_rmi; reference:cve,2017-11284; classtype:attempted-user; sid:46937; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE dynamic Excel web query file download attempt"; flow:to_client,established; file_data; content:"WEB|0D 0A|1"; depth:6; content:"http"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/a0b80b57879ef437709bae7e2896efb7be9bd57291e64bc58d7cd13bd1de9f27/analysis; classtype:attempted-admin; sid:46932; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE dynamic Excel web query file download attempt"; flow:to_server,established; file_data; content:"WEB|0D 0A|1"; depth:6; content:"http"; within:25; nocase; metadata:service smtp; reference:url,virustotal.com/en/file/a0b80b57879ef437709bae7e2896efb7be9bd57291e64bc58d7cd13bd1de9f27/analysis; classtype:attempted-admin; sid:46931; rev:1;)
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; depth:18; content:"Microsoft Corp"; within:250; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,11633; classtype:successful-admin; sid:46983; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"HEAD"; http_method; content:"User-Agent: Microsoft Office "; http_header; content:"Discovery|0D 0A|"; within:25; http_header; content:!"Accept"; http_header; content:!"Content-"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; reference:url,virustotal.com/en/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/analysis/; classtype:misc-activity; sid:46980; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"OPTIONS"; http_method; content:"User-Agent: Microsoft Office "; http_header; content:"Discovery|0D 0A|"; within:25; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; reference:url,virustotal.com/en/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/analysis/; classtype:misc-activity; sid:46979; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_client,established; file_data; content:"<DeepLink>"; nocase; content:"</ApplicationInformation"; distance:0; nocase; content:"</PCSettings>"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47002; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_server,established; file_data; content:"<DeepLink>"; nocase; content:"</ApplicationInformation"; distance:0; nocase; content:"</PCSettings>"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service imap, service pop3, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47001; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; content:"3c504353657474696e67733e"; distance:0; content:"3c4170706c69636174696f6e496e666f726d6174696f6e3e"; distance:0; content:"3c446565704c696e6b3e"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47000; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; content:"3c504353657474696e67733e"; distance:0; content:"3c4170706c69636174696f6e496e666f726d6174696f6e3e"; distance:0; content:"3c446565704c696e6b3e"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:46999; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Request for external IP address detected"; flow:to_server,established; content:"Host: ipecho.net"; fast_pattern:only; http_header; content:"/plain"; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a036279e3c27f0e716b8fa4b5c7378805b9788c7ce3f4eada9367a4f0738967f/detection; classtype:policy-violation; sid:47024; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4840 (msg:"INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt"; flow:to_server,established; content:"|01 00 C8 02|"; content:"SYSTEM"; distance:0; content:"AGENT.OPCUA.METHODS.setUserPassword"; distance:0; reference:url,atvise.com/en/products-solutions/atvise-scada; classtype:attempted-admin; sid:47044; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4840 (msg:"INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt"; flow:to_server,established; content:"|01 00 0F 02|"; content:"SYSTEM.SECURITY.USERS"; distance:0; reference:url,atvise.com/en/products-solutions/atvise-scada; classtype:attempted-recon; sid:47043; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Filespec"; within:75; content:"/F"; within:75; content:"SettingContent-ms"; within:150; nocase; pcre:"/\x2fF[^>]+?SettingContent-ms/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47654; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_server,established; file_data; content:"|21 4A 6B B9 B2 3D 76 D5 D8 79 DB 08 48 65 41 1F 9E 25 13 4E CB C2 A4 F5 95 ED 54 66 B8 22 75 FE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47653; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Filespec"; within:75; content:"/F"; within:75; content:"SettingContent-ms"; within:150; nocase; pcre:"/\x2fF[^>]+?SettingContent-ms/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47652; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_client,established; file_data; content:"|21 4A 6B B9 B2 3D 76 D5 D8 79 DB 08 48 65 41 1F 9E 25 13 4E CB C2 A4 F5 95 ED 54 66 B8 22 75 FE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47651; rev:1;)
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt"; content:"Windows PowerShell"; depth:18; metadata:policy max-detect-ips drop; reference:url,attack.mitre.org/techniques/T1086; reference:url,attack.mitre.org/wiki/Technique/T1059; classtype:attempted-user; sid:47400; rev:2;)
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt"; content:"Microsoft Windows XP [Version"; depth:29; metadata:policy max-detect-ips drop; reference:url,attack.mitre.org/wiki/Technique/T1059; classtype:attempted-user; sid:47399; rev:1;)
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt"; content:"Microsoft Windows [Version"; depth:26; metadata:policy max-detect-ips drop; reference:url,attack.mitre.org/wiki/Technique/T1059; classtype:attempted-user; sid:47398; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Request for external IP address/location detected"; flow:to_server,established; content:"Host: ip138.com"; fast_pattern:only; http_header; content:"/ic.asp"; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; classtype:trojan-activity; sid:48439; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE malicious jquery.js load attempt"; flow:to_server,established; content:"/jquery.js"; http_uri; content:"Host|3A|"; http_header; content:"wp.org"; within:6; distance:7; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,labs.sucuri.net/?note=2018-10-30; classtype:attempted-user; sid:48575; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE malicious jquery.js load attempt"; flow:to_client,established; file_data; content:"script"; content:"src"; within:75; content:"wp.org/jquery.js"; within:100; fast_pattern; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,labs.sucuri.net/?note=2018-10-30; classtype:attempted-user; sid:48574; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE User-Agent blank user-agent string"; flow:to_server,established; content:"User-Agent: |0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/63dc515aa44a48a31191b8f905b40ce8883bc864d4784a0bf84edf102ddffaf3/analysis/; classtype:misc-activity; sid:39362; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .fur dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|fur|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48688; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .fur tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|fur|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48687; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .lib dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|lib|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48686; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .lib tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|lib|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48685; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .emc dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|emc|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48684; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .emc tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|emc|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48683; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .coin dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|coin|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48682; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .coin tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|coin|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48681; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .bazar dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|bazar|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48680; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .bazar tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|05|bazar|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48679; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .free dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|free|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48678; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .free tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|free|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48677; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .pirate dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|pirate|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48676; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .pirate tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|06|pirate|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48675; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .parody dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|parody|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48674; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .parody tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|06|parody|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48673; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz dns A query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|oz|00 00 01 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48672; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz tcp dns A query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|02|oz|00 00 01 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48671; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oss dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|oss|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48670; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oss tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|oss|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48669; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o dns A query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|00 00 01 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48668; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o tcp dns A query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|01|o|00 00 01 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48667; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .null dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|null|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48666; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .null tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|null|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48665; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .neo dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|neo|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48664; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .neo tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|neo|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48663; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .libre dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|libre|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48662; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .libre tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|05|libre|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48661; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .indy dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|indy|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48660; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .indy tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|indy|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48659; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .gopher dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gopher|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48658; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .gopher tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|06|gopher|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48657; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .geek dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|geek|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48656; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .geek tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|geek|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48655; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .dyn dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dyn|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48654; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .dyn tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|dyn|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48653; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .cyb dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cyb|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48652; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .cyb tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|cyb|00|"; offset:13; fast_pattern; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48651; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .chan dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|chan|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48650; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .chan tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|chan|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48649; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .bbs dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bbs|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48648; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .bbs tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|bbs|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48647; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .glue tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|glue|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48714; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .glue dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|glue|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48713; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz dns TXT query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|oz|00 00 10 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48836; rev:1;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz dns AAAA query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|oz|00 00 1C 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48835; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|02|oz|00 00 10 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48834; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|02|oz|00 00 1C 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48833; rev:1;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o dns TXT query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|00 00 10 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48832; rev:1;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o dns AAAA query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|00 00 1C 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48831; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o tcp dns TXT query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|01|o|00 00 10 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48830; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|01|o|00 00 1C 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48829; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt"; flow:to_client,established; content:"class Archive_Tar"; fast_pattern; content:"$_temp_tarname"; distance:1; content:"new Phar"; content:"new Archive_Tar"; content:"->"; content:"_temp_tarname"; within:14; metadata:policy max-detect-ips drop, service http; reference:cve,2018-1000888; reference:url,www.exploit-db.com/exploits/46108; classtype:web-application-attack; sid:49185; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt"; flow:to_client,established; file_data; content:"require"; content:"'Archive/Tar.php'"; within:25; distance:1; content:"new Archive_Tar"; fast_pattern:only; content:"extract()"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-1000888; reference:url,www.exploit-db.com/exploits/46108; classtype:web-application-attack; sid:49184; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"NtTraceControl"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:49164; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"NtTraceControl"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:49163; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE avi file without matching file magic"; flow:to_server,established; content:"Content-Type: video/x-msvideo"; file_data; content:!"RIFF"; depth:4; content:!"AVI|20|"; depth:4; offset:7; metadata:service smtp; classtype:misc-activity; sid:49288; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE avi file without matching file magic"; flow:to_client,established; content:"Content-Type: video/x-msvideo"; http_header; file_data; content:!"RIFF"; depth:4; content:!"AVI|20|"; depth:4; offset:7; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:49287; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"INDICATOR-COMPROMISE Windows SMBv2 information disclosure attempt"; flow:to_server,established; content:"|FE|SMB"; depth:8; offset:4; content:"|01 06|"; within:2; distance:62; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2019-0703; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0703; classtype:attempted-recon; sid:49367; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"INDICATOR-COMPROMISE Windows SMBv1 information disclosure attempt"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; content:"|07 00|"; within:2; distance:52; content:"|EE 03|"; distance:2; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2019-0703; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0703; classtype:attempted-recon; sid:49366; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt"; flow:to_client,established; file_data; content:"Programm,BEGIN,"; content:".exe"; distance:0; content:"Programm,END,"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.autobase.biz; classtype:attempted-user; sid:49556; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt"; flow:to_server,established; file_data; content:"Programm,BEGIN,"; content:".exe"; distance:0; content:"Programm,END,"; distance:0; metadata:service smtp; reference:url,www.autobase.biz; classtype:attempted-user; sid:49555; rev:1;)
alert tcp any $FILE_DATA_PORTS -> any any (msg:"INDICATOR-COMPROMISE Responder poisoner download attempt"; flow:to_client,established; file_data; content:"#|21|/usr/bin/env python|0A|# This file is part of Responder"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1187/; classtype:misc-attack; sid:49532; rev:1;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Responder poisoner download attempt"; flow:to_server,established; file_data; content:"#|21|/usr/bin/env python|0A|# This file is part of Responder"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1187/; classtype:misc-attack; sid:49531; rev:1;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Responder poisoner download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"poisoners.NBTNS"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1187/; classtype:misc-attack; sid:49530; rev:1;)
alert tcp any $FILE_DATA_PORTS -> any any (msg:"INDICATOR-COMPROMISE Responder poisoner download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"poisoners.NBTNS"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1187/; classtype:misc-attack; sid:49529; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Script execution from TOR attempt"; flow:to_client,established; file_data; content:"wget"; content:"--no-check-certificate"; within:50; content:"-qU-"; within:60; distance:-40; content:"curl -fsSLkA-"; pcre:"/.+\.(tor2web\.(io|fyi|me)|onion\.(nz|pet|sh|si|to|ws|in\.net))/R"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/e6d1b5e5f6e1536fe619bec30caa1ac75aa008a05f5ecdb31960a1eb8c53731a; classtype:attempted-admin; sid:49671; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE php web shell upload attempt"; flow:to_server,established; content:"php $action = $_GET[|27|"; http_uri; content:"|27|]|3B|system($action)|3B|"; within:40; fast_pattern; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:49657; rev:1;)


@@ -0,0 +1,252 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------------
# INDICATOR-OBFUSCATION RULES
#-----------------------------
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit"; flow:to_client,established; file_data; content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:27875; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|7D|catch(d21vd12v)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27592; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION multiple plugin version detection attempt"; flow:to_client,established; file_data; content:"PluginDetect.getVersion"; fast_pattern:only; content:"PluginDetect.getVersion"; content:"PluginDetect.getVersion"; distance:0; content:"PluginDetect.getVersion"; distance:0; content:"PluginDetect.getVersion"; distance:0; content:!"LeadiD"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.com/2012/09/following-lead-of-suspected-blackhole2.html; classtype:attempted-recon; sid:27119; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION g01pack Javascript substr function wrapper attempt"; flow:to_client,established; file_data; content:"function "; content:"("; within:1; distance:1; content:"return "; within:24; distance:6; content:".substr("; within:8; distance:1; fast_pattern; content:"|3B|"; within:15; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:trojan-activity; sid:26451; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected"; flow:to_client,established; content:".write"; content:"unescape"; fast_pattern:only; pcre:"/var\s+([^\s]+)\s*=\s*unescape\s*\x28.*?\x2ewrite\s*\x28\s*\1/smi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:21040; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Dadongs obfuscated javascript"; flow:to_client,established; file_data; content:"(|22|dadongs=|22|)"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:misc-activity; sid:21519; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION oversized cast statement - possible sql injection obfuscation"; flow:established,to_server; content:"CAST|28|"; nocase; isdataat:250,relative; content:!"|29|"; within:250; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13791; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; content:"POST"; http_method; content:"CHAR("; nocase; http_uri; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smiU"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13989; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION oversized convert statement - possible sql injection obfuscation"; flow:established,to_server; content:"CONVERT|28|"; nocase; isdataat:250,relative; content:!"|29|"; within:250; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13987; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to concat function - possible sql injection obfuscation"; flow:established,to_server; content:"CONCAT|28|"; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:14008; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to ascii function - possible sql injection obfuscation"; flow:established,to_server; content:"ASCII|28|"; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:13988; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION select concat statement - possible sql injection"; flow:established,to_server; content:"select concat"; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; classtype:web-application-attack; sid:19437; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack"; flow:to_client,established; content:".fromCharCode"; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/3008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15362; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt"; flow:to_client,established; content:"eval|28|"; nocase; content:"unescape|28|"; within:15; nocase; content:!"|29|"; within:250; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:15363; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hidden 1x1 div tag - potential malware obfuscation"; flow:to_client,established; file_data; content:"<div style=|22|overflow|3A|hidden|3B|width|3A|1px|3B|height|3A|1px|3B 22|>"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:19868; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION generic PHP code obfuscation attempt"; flow:established,to_server; content:"Array|28|"; content:"|20 20 20 20 2E|"; within:200; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:18493; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION malware-associated JavaScript obfuscation function"; flow:to_client,established; file_data; content:"function re|28|s,n,r,b,e|29|{if|28|s<b|7C 7C|s>e|29|return s|3B|"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,snort.org/rule_docs/1-18132; classtype:trojan-activity; sid:18132; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|eva|22|+|22|l|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21578; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - charcode"; flow:to_client,established; file_data; content:"|22|c|22|+|22|h|22|+|22|ar|22|+|22|Code|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21577; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|from|22|+|22|CharCod|22|+|22|e|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21580; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharCod|22|+|22|e|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21579; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"c|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22074; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22073; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"f|00|r|00|o|00|m|00|C|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22072; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|"; distance:0; nocase; content:"e|00|v|00|a|00|l|00|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:22071; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval of base64-encoded data"; flow:to_client,established; file_data; content:"eval|28|base64_decode|28|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:23018; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe"; flow:to_client,established; file_data; content:"<qwe qweqwe=|27|asd|27|/>"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23088; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - push"; flow:to_client,established; file_data; content:"a|3D 27|pus|27 2B 27|h|27 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23086; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - xval"; flow:to_client,established; file_data; content:"q|3D|x|2B 27|v|27 2B 27|al|27 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23087; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - join"; flow:to_client,established; file_data; content:"b|3D 22|j|22 2B 22|o|22 2B 27|i|27 3B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23085; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern"; flow:to_client,established; file_data; content:"|3A|present>"; content:"|3A|interactive>1</"; distance:0; pcre:"/\x3c(?P<string>\w+)\x3apresent.*?\x3c(?P=string)\x3ainteractive.*?\x3c\x2f(?P=string)\x3ainteractive/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23089; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious"; flow:to_client,established; file_data; content:"GIF89a"; depth:6; nocase; content:"<?php"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.talosintel.com/2012/06/web-shell-poses-as-gif.html; reference:url,snort.org/rule_docs/1-23114; classtype:misc-activity; sid:23114; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious"; flow:to_client,established; file_data; content:"eval|28|"; nocase; content:"gzinflate|28|"; within:25; nocase; content:"base64_decode|28|"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.talosintel.com/2012/06/web-shell-poses-as-gif.html; reference:url,snort.org/rule_docs/1-23113; classtype:misc-activity; sid:23113; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|e|22|+|22|val|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:23161; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharC|22|+|22|ode|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:23160; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript error suppression routine"; flow:to_client,established; file_data; content:"window.onerror = function|20 28 29 20 7B|return true"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:23226; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:established,to_client; file_data; content:"addEventListener|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23482; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; flow:established,to_client; file_data; content:"setTimeout|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23481; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,snort.org/rule_docs/1-23636; classtype:trojan-activity; sid:23636; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; content:"<script>"; fast_pattern:only; http_client_body; metadata:service http; reference:cve,2007-2865; reference:cve,2015-1653; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-036; classtype:web-application-attack; sid:21782; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION javascript escape function in POST parameters - likely javascript injection"; flow:to_server,established; content:"escape("; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:21785; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded union select function in POST - possible sql injection attempt"; flow:to_server,established; content:"%55%4e%49%4f%4e%20%53%45%4c%45%43%54"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; classtype:misc-attack; sid:21781; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; content:"|26 23|x3c|3B 26 23|x73|3B 26 23|x63|3B 26 23|x72|3B 26 23|x69|3B 26 23|x70|3B 26 23|x74|3B 26 23|x3e|3B|"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:21784; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded waitfor delay function in POST - possible sql injection attempt"; flow:to_server,established; content:"%77%61%69%74%66%6f%72%20%64%65%6c%61%79"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; classtype:misc-attack; sid:21780; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded script tag in POST parameters - likely cross-site scripting"; flow:to_server,established; content:"%3C%73%63%72%69%70%74%3E"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:21783; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection"; flow:to_server,established; content:"|26 23|x65|3B 26 23|x73|3B 26 23|x63|3B 26 23|x61|3B 26 23|x70|3B 26 23|x65|3B 26 23|x28"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:21787; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION encoded javascript escape function in POST parameters - likely javascript injection"; flow:to_server,established; content:"%65%73%63%61%70%65%28"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:21786; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content"; flow:to_client, established; file_data; content:"<iframe "; nocase; content:"width=1"; within:50; nocase; content:"height=1"; within:80; distance:-40; nocase; content:"style=visibility|3A|hidden"; within:80; distance:-40; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.unmaskparasites.com/2009/10/28/evolution-of-hidden-iframes/; classtype:bad-unknown; sid:24168; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION document write of unescaped value with remote script"; flow:to_client,established; file_data; content:"document.write|28|unescape|28 27|%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:24167; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION ActiveX multiple adjacent object tags"; flow:to_client,established; file_data; content:"<object "; content:"classid"; within:50; content:"<object "; within:100; content:"classid"; within:50; content:"<object "; within:100; content:"classid"; within:50; content:"<object "; within:100; content:"classid"; within:50; content:"<object "; within:100; content:"classid"; within:50; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:25060; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION GIF header followed by PDF header"; flow:to_client,established; content:"GIF8"; depth:4; content:"a"; within:1; distance:1; content:!"HTTP"; within:500; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25451; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION DOC header followed by PDF header"; flow:to_client,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25454; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION DOC header followed by PDF header"; flow:to_server,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25458; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION JPEG header followed by PDF header"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; depth:4; content:"|FA FF DA 00 0C|"; within:800; content:"%PDF-"; within:224; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25457; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JPEG header followed by PDF header"; flow:to_client,established; file_data; content:"|FF D8 FF E0|"; depth:4; content:"|FA FF DA 00 0C|"; within:800; content:"%PDF-"; within:224; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25453; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION PNG header followed by PDF header"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25456; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION PNG header followed by PDF header"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:!"HTTP"; within:500; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25452; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION GIF header followed by PDF header"; flow:to_server,established; file_data; content:"GIF8"; depth:4; content:"a"; within:1; distance:1; content:"%PDF-"; within:1024; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0624; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:misc-activity; sid:25455; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated document command - used in IFRAMEr tool injection"; flow:to_client,established; file_data; content:"|22|doc|22 2B 22|ument|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:25592; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION non-alphanumeric javascript detected"; flow:to_server,established; content:"+!![]"; content:"+!![]"; distance:0; content:"+!![]"; distance:0; content:"+!![]"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,patriciopalladino.com/blog/2012/08/09/non-alphanumeric-javascript.html; classtype:attempted-user; sid:23831; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION non-alphanumeric javascript detected"; flow:to_client,established; file_data; content:"+!![]"; content:"+!![]"; distance:0; content:"+!![]"; distance:0; content:"+!![]"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,patriciopalladino.com/blog/2012/08/09/non-alphanumeric-javascript.html; classtype:attempted-user; sid:23832; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to char function - possible sql injection obfuscation"; flow:established,to_server; content:"GET"; http_method; content:"CHAR("; nocase; http_uri; pcre:"/[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(.*?[^R]CHAR\(/smiU"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:25783; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-OBFUSCATION DNS tunneling attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 01 00 00 00 00 00 00 1A|"; depth:9; offset:4; content:"|1A|"; within:1; distance:26; content:"|02|"; within:2; distance:26; metadata:service dns; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:25983; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages"; flow:to_client,established; file_data; content:"|22|f|22|+|22|ro|22|+|22|mCh|22|+|22|arCode|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26092; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION String.fromCharCode concatenation"; flow:to_client,established; file_data; content:"|22|fro|22|+|22|mC|22|+|22|harCode|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26101; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits"; flow:to_client,established; file_data; content:"|88 54 68 25 DA 20 70 FE C5 67 72 ED C3 20 63 ED C6 6E 6F F8 88 62 65 AC DA 75 6E AC BF 6E 20 10 E6 53 20 E1 C5 64 65 FA A3 0D 0A E8 A8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26352; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript uuencoded eval statement"; flow:to_client,established; content:"unescape"; nocase; content:"%u0065"; distance:0; nocase; content:"%u0076"; distance:0; nocase; content:"%u0061"; distance:0; nocase; content:"%u006c"; distance:0; nocase; pcre:"/unescape\s*\x28[\x22\x27]\s*\x25u0065\s*\x25u0076\s*\x25u0061\s*\x25u006c/i"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:19075; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected"; flow:to_client,established; file_data; content:">var "; nocase; content:"='="; within:3; distance:3; content:"var _0x"; distance:0; pcre:"/var [OIl]{3}='=[a-z0-9+=\/]+'\;var (?P<var>_0x[a-f0-9]+).*?(?:[lIO]+|data)\[(?P=var)\[\d+\]\]/ims"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:26440; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Obfuscated javascript/html generated by myobfuscate.com detected"; flow:to_client,established; file_data; content:"<!-- Obfuscated by www.myobfuscate.com -->"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:26441; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval of base64-encoded data"; flow:to_client,established; file_data; content:"eval|28|base64.decode|28|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26568; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"JXU0MTQxJXU0MTQxJXU0MTQx"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26565; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"NDE0MSV1NDE0MSV1NDE0"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26566; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"dTQxNDEldTQxNDEldTQxNDEK"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:26567; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript indexOf rename attempt"; flow:to_client,established; file_data; content:"indexOf"; fast_pattern:only; pcre:"/=\s*[\x22\x27]indexOf[\x22\x27]\s*\x3b/"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:misc-activity; sid:26616; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript substr rename attempt"; flow:to_client,established; file_data; content:"substr"; fast_pattern:only; pcre:"/=\s*[\x22\x27]?substr[\x22\x27]?\s*\x3b/"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:misc-activity; sid:26615; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"{|5C|object"; fast_pattern; nocase; content:"{|5C|doccom"; distance:0; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:26620; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION multiple comment tags used in embedded RTF object - potentially malicious"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"{|5C|object"; fast_pattern; nocase; content:"{|5C|doccom"; distance:0; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; content:"{|5C|doccom"; within:150; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:26619; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits"; flow:to_client,established; file_data; content:"|22|g|22|+|22|e|22|+|22|tEleme|22|+|22|nts|22|+|22|ByTagName|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:27074; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits"; flow:to_client,established; file_data; content:"|22|getEl|22|+|22|eme|22|+|22|ntsByTagName"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:27073; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval large block of fromCharCode"; flow:to_client,established; file_data; content:"eval|28|"; nocase; pcre:"/([A-Z\d]+)\s*=\s*([\x22\x27])(\d{1,3},){50}.*?\2.{1,50}\1\s*=\s*eval\x28/smi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:27259; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION eval large block of fromCharCode"; flow:to_client,established; file_data; content:"eval|28|"; nocase; content:"String.fromCharCode|28|"; within:23; distance:1; nocase; pcre:"/([A-Z\d]+)\s*=\s*([\x22\x27])(\d{1,3},){50}.*?\2.{1,50}\1\s*=\s*eval\x28[\x22\x27]String\.fromCharCode\x28[\x22\x27]\x2B?\1/smi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:27258; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fro|22|+|22|mC|22|+|22|harC|22|+|22|o|22|+|22|de|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:27272; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split"; flow:to_client,established; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:27593; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|s|22|+|22|p|22|+|22|li|22|+|22|t|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27736; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool usage"; flow:to_client,established; file_data; content:"|22|d|22|+|22|o|22|+|22|c|22|+|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27735; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|spl|22|+|22|i|22|+|22|t|22 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27920; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|S|22|+|22|tr|22|+|22|ing|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:28025; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"[ps](|22|,|22|))|3B|ss=String|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:28024; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - document - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"ps=|22|s|22|+|22|p|22|+|22|l|22|+|22|i|22|+|22|t|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28023; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"aq=|22|0x|22 3B|ff=String|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28346; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"ps=|22|split|22 3B|asd=function()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28345; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation"; flow:established,to_server; content:"GET"; http_method; content:"CHR("; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:28344; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"+=String.fromCharCode(eval("; content:"gif=eval|3B|gif("; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28422; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|fr|22|+|22|omCh|22|+|22|arCo|22|+|22|de|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28421; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|c|22|+|22|r|22 3A|2+|22|e|22|+|22|a|22|+|22|t|22|+|22|e|22|+|22|E|22|+|22|l|22|+|22|e|22|+|22|m|22|+((f)?|22|e|22|+|22|n|22|+|22|t|22 3A 22 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28420; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|28 22|mCharCode|22 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28812; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|s|22 20 22|p|22 20 22|li|22 20 22|t|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28811; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"document[|22 5C|x62od|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28941; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in Nuclear exploit kit"; flow:to_client,established; file_data; content:"s|27|+|27|t|27|+|27|y|27|+|27|l|27|+|27|e|27|+|27|=|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:29190; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential math library debugging"; flow:to_client,established; file_data; content:"Math.atan2|28|0x"; content:"Math."; distance:0; content:"|28|0x"; within:8; content:"Math."; distance:0; content:"|28|0x"; within:8; content:"Math."; distance:0; content:"|28|0x"; within:8; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.talosintel.com/2013/10/ie-zero-day-cve-2013-3897-youve-been.html; classtype:trojan-activity; sid:29213; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Multiple character encodings detected"; flow:established,to_server; file_data; content:"unescape"; content:"String.fromCharCode"; content:".split"; content:").toString"; content:".reverse()"; content:".join(|22 22|)"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:29510; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt"; flow:to_client,established; content:"<object"; nocase; content:"classid="; nocase; content:"|3B 26 23|"; within:36; fast_pattern; pcre:"/classid=\s*[\x22\x27]\s*[A-Za-z\:\{-]{0,42}((\x26\x23\d{2,3}\x3B){2}[^\x22\x27]{0,35}){5}/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:29813; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Alternating character encodings - JS array"; flow:to_client,established; file_data; content:"|22 5C 5C|u00"; nocase; content:"|22 2C 20 22|"; within:4; distance:2; content:"|22 2C 20 22 5C 5C|u00"; within:9; distance:1; pcre:"/\x22\x5c\x5cu00[0-9a-f]{2}\x22\x2c\s\x22\w\x22\x2c\s\x22\x5c\x5cu00[0-9a-f]{2}/i"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:29807; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Alternating character encodings - JS variable"; flow:to_client,established; file_data; content:"var "; nocase; content:"|5C|x00"; within:50; fast_pattern; nocase; content:"|5C|u00"; within:4; distance:2; nocase; content:"|5C|x00"; within:4; distance:2; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:29745; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|bin"; fast_pattern; nocase; content:"|5C|bin"; within:15; nocase; content:"|5C|bin"; within:15; nocase; content:"|5C|bin"; within:15; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0158; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:30328; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION multiple binary tags in close proximity - potentially malicious"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|bin"; fast_pattern; nocase; content:"|5C|bin"; within:15; nocase; content:"|5C|bin"; within:15; nocase; content:"|5C|bin"; within:15; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:30327; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript variable obfuscation"; flow:to_client,established; file_data; content:"|22 2B 22 22 2B 22 22 2B 22 22 2B 22 22 2B 22|"; content:"|22 2B 22 22 2B 22 22 2B 22 22 2B 22 22 2B 22|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:32355; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known malicious javascript packer detected"; flow:to_client,established; file_data; content:"=|22|1|22 3B|"; content:"=unescape|3B|"; within:25; nocase; content:"=|22|1|22 3B|"; within:25; content:"=eval|3B|"; within:25; nocase; content:"=|22|1|22 7D|"; within:25; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:34118; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Multiple AV products evasion attempt"; flow:to_server,established; file_data; content:"|1F 8B|"; depth:2; content:"|00 00 1F 8B|"; fast_pattern:only; metadata:service smtp; reference:cve,2012-1461; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:34227; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Multiple AV products evasion attempt"; flow:to_client,established; file_data; content:"|1F 8B|"; depth:2; content:"|00 00 1F 8B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1461; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:34226; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join"; flow:to_client,established; content:".split(|22 22|).reverse().join(|22 22|)"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:29519; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Multiple character encodings detected"; flow:established,to_client; file_data; content:"unescape"; content:"String.fromCharCode"; content:".split"; content:").toString"; content:".reverse()"; content:".join(|22 22|)"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:29509; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated script encoding detected"; flow:to_client,established; file_data; content:"script"; nocase; content:"language"; within:50; nocase; content:"|3B 26 23|"; within:20; fast_pattern; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:28630; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated script encoding detected"; flow:to_client,established; file_data; content:"script"; nocase; content:"language"; within:50; nocase; content:"JScript.Encode"; within:50; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:28629; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript fromCharCode xor decryption routine detected"; flow:established,to_client; file_data; content:"String.fromCharCode"; fast_pattern:only; pcre:"/charCodeAt\s*\x28\s*?i\s*?\x29\s*?\x5e\s*?(?P<var>[^\s]+?)\.charCodeAt\s*?\x28\s*?i\s*?\x25\s*?(?P=var)/si"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:26596; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript hex character extraction routine detected"; flow:established,to_client; file_data; content:"String.fromCharCode"; fast_pattern:only; pcre:"/String\x2efromCharCode\s*\x28[^\x29]*parseInt\s*\x28[^\x29]*substring\s*\x28\s*([^,]+)\s*,\s*\1\s*\+\s*2/si"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:26595; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected"; flow:to_client,established; content:".write"; content:"unescape"; pcre:"/\x2ewrite\s*\x28\s*unescape\s*\x28/smi"; content:"%"; distance:0; content:"%"; within:1; distance:2; content:"%"; within:1; distance:2; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:21039; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected"; flow:to_client,established; content:"String.fromCharCode"; fast_pattern:only; pcre:"/String\x2efromCharCode\s*\x28[^\x29]*0x[0-9a-f]{2}\s*,[^\x29]*,\s*0[0-7]{1,3}\s*,[^\x29]*,\s*[1-9][0-9]{0,2}\s*,/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:21038; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION randomized javascript encodings detected"; flow:to_client,established; file_data; content:"script"; content:"%u"; pcre:"/%u[0-1][0-9a-f]{2}[^\x29]*%u[0-1][0-9a-f]{2}[^\x29]*%u[0-1][0-9a-f]{2}[^\x29]*%u[0-1][0-9a-f]{2}/"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:21037; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION standard ASCII encoded with UTF-8 possible evasion detected"; flow:to_client,established; content:"charset"; nocase; http_header; content:"utf-8"; fast_pattern:only; http_header; pcre:"/charset\s*=\s*utf-8/smiH"; file_data; pcre:"/([\xc0-\xc1][\x80-\xbf]){10}/"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:20276; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u0a0a%u0a0a"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:20137; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION base64-encoded data object found"; flow:to_client,established; file_data; content:"data"; nocase; content:"text/html"; within:20; nocase; content:"base64"; within:20; fast_pattern; nocase; pcre:"/data\s*\x3a\s*text\x2fhtml\s*\x3b\s*base64\s*,/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,tools.ietf.org/html/rfc2397; classtype:policy-violation; sid:19889; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected"; flow:to_client,established; file_data; content:".write"; content:"unescape"; fast_pattern:only; pcre:"/var\s+([^\s]+)\s*=\s*unescape\s*\x28.*?\x2ewrite\s*\x28\s*\1/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:19888; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION potential javascript unescape obfuscation attempt detected"; flow:to_client,established; file_data; content:".write"; content:"unescape"; pcre:"/\x2ewrite\s*\x28\s*unescape\s*\x28/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:19887; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION String.fromCharCode with multiple encoding types detected"; flow:to_client,established; file_data; content:"String.fromCharCode"; fast_pattern:only; pcre:"/String\x2efromCharCode\s*\x28[^\x29]*0x[0-9a-f]{2}\s*,[^\x29]*,\s*0[0-7]{1,3}\s*,[^\x29]*,\s*[1-9][0-9]{0,2}\s*,/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:19884; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION randomized javascript encodings detected"; flow:to_client,established; file_data; content:"script"; content:"%u"; pcre:"/%u[0-9a-f]{2}[^\x29]*%[0-9a-f]{2}[^\x29]*%u[0-9a-f]{2}[^\x29]*%[0-9a-f]{2}/"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:19867; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known suspicious decryption routine"; flow:to_client,established; file_data; content:".length|3B|i++"; content:"+= String.fromCharCode("; within:102; content:".charCodeAt(i)"; within:102; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:19081; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript uuencoded noop sled attempt"; flow:to_client,established; content:"unescape"; nocase; content:"%u9090%u9090"; distance:0; nocase; pcre:"/unescape\s*\x28[\x22\x27]\s*\x25u9090\x25u9090/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:19074; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known malicious JavaScript decryption routine"; flow:to_client,established; file_data; content:"location.search.substring|28|1|29|"; nocase; content:".charCodeAt|28|"; within:200; content:".length|29|"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:18239; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION rename of javascript unescape function detected"; flow:to_client,established; file_data; content:"unescape |3B|"; nocase; content:"="; within:2; distance:-12; content:!"AVG_Unescape"; within:12; distance:-14; pcre:"/var[^=]+?=\s?unescape\s?\x3b/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:17400; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION base64-encoded uri data object found"; flow:to_client,established; file_data; content:"base64"; pcre:"/<\s*object[^>]*?data\s*\x3A[^,>]*?base64/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,tools.ietf.org/html/rfc2397; classtype:policy-violation; sid:17291; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known JavaScript obfuscation routine"; flow:to_client,established; content:"String.fromCharCode|28|parseInt"; content:"String.fromCharCode|28|"; within:1000; content:".charCodeAt|28|"; within:100; content:".replace"; within:100; pcre:"/\.replace\x28\x2F[^\x2F]+\x2F[A-Z]*\x2C(\x22\x22|\x27\x27)/smi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:17111; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION rename of javascript unescape function detected"; flow:to_client,established; file_data; content:"unescape|3B|"; nocase; content:"="; within:2; distance:-11; content:!"AVG_Unescape"; within:12; distance:-14; pcre:"/var[^=]+?=\s?unescape\s?\x3b/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:15697; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution"; flow:to_client,established; file_data; content:"IFRAME"; fast_pattern:only; pcre:"/\x3c\s*IFRAME\s*[^\x3e]*src=(\x22|\x27\|)javascript\x3a/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13544; reference:bugtraq,30560; reference:cve,2005-1476; reference:cve,2008-2939; reference:nessus,18243; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:3679; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Javascript stealth executable download attempt"; flow:to_server,established; file_data; content:"addEventListener"; nocase; content:"DOMContentLoaded"; within:20; nocase; content:"onclick"; within:100; nocase; content:"application/x-msdownload"; distance:0; nocase; content:"saveAs"; within:30; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.mrg-effitas.com/wp-content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf; classtype:trojan-activity; sid:35738; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript stealth executable download attempt"; flow:to_client,established; file_data; content:"addEventListener"; nocase; content:"DOMContentLoaded"; within:20; nocase; content:"onclick"; within:100; nocase; content:"application/x-msdownload"; distance:0; nocase; content:"saveAs"; within:30; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.mrg-effitas.com/wp-content/uploads/2014/11/Crysys_MRG_APT_detection_test_2014.pdf; classtype:trojan-activity; sid:35737; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"SecureSwfLoader|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:36036; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join attempt"; flow:to_server,established; content:".split(|22 22|).reverse().join(|22 22|)"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:36070; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"Protected by secureSWF"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:37729; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"allowLoadBytesCodeExecution"; fast_pattern:only; content:"|FF 15|"; byte_test:4,>,1024,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3113; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:attempted-user; sid:37728; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION obfuscated script encoding detected"; flow:to_server,established; file_data; content:"script"; nocase; content:"language"; within:50; nocase; content:"|3B 26 23|"; within:20; fast_pattern; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37972; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION obfuscated script encoding detected"; flow:to_server,established; file_data; content:"script"; nocase; content:"language"; within:50; nocase; content:"JScript.Encode"; within:50; nocase; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37971; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION email of heavily compressed PDF attempt"; flow:to_server,established; file_data; content:"pdf:Producer>Neevia PDFcompress"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37950; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION download of heavily compressed PDF attempt"; flow:to_client,established; file_data; content:"pdf:Producer>Neevia PDFcompress"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37949; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION known malicious JavaScript decryption routine"; flow:to_server,established; file_data; content:"location.search.substring|28|1|29|"; nocase; content:".charCodeAt|28|"; within:200; content:".length|29|"; within:50; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:37948; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known javascript packer detected"; flow:to_client,established; file_data; content:"eval|28|function|28|p,a,c,k,e,"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37909; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript with hex variable names"; flow:to_client,established; file_data; content:"var _0x"; content:"=[|22 5C|x"; within:8; distance:3; content:"|5C|x"; within:2; distance:2; content:"|5C|x"; within:2; distance:2; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37908; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript unicode escape variable name attempt"; flow:to_client,established; file_data; content:"var |5C|u00"; content:"|5C|u00"; within:5; distance:2; content:"|5C|u00"; within:5; distance:2; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37907; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript known obfuscation method attempt"; flow:to_client,established; file_data; content:"|24|=~[]|3B 24|={___|3A|++|24|,|24 24 24 24 3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37906; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION javascript charset concatentation attempt"; flow:to_client,established; file_data; content:"charset=|5C 22|iso-8859-1|5C 22|>|22|.concat|28|d|28 22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37905; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt"; flow:to_client,established; file_data; content:"|22|charAt|22|,|22|indexOf|22|,|22|fromCharCode|22|,|22|length|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37904; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION fromCharcode known obfuscation attempt"; flow:to_client,established; file_data; content:"[String.fromCharCode,isNaN,parseInt,String]|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:37903; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-OBFUSCATION DNS tunneling attempt"; flow:to_server,no_stream; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; isdataat:80,relative; content:"|00 0A 00 01|"; within:15; distance:80; fast_pattern; detection_filter:track by_src, count 25, seconds 1; metadata:service dns; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:37892; rev:3;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION DNS tunneling attempt"; flow:to_client,no_stream; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 07 06|(){}[]"; fast_pattern; content:"|00 0A 00 01|"; within:4; distance:-17; detection_filter:track by_src, count 25, seconds 1; metadata:service dns; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:37891; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Javascript obfuscation double unescape"; flow:to_server,established; file_data; content:"unescape(unescape("; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:38105; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation double unescape"; flow:to_client,established; file_data; content:"unescape(unescape("; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:38104; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected"; flow:to_client,established; file_data; content:"<script language="; nocase; content:"|26 23|"; within:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.w3.org/TR/html4/sgml/entities.html; classtype:misc-activity; sid:38251; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected"; flow:to_client,established; file_data; content:"CLASSID="; nocase; content:"|26 23|"; within:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.w3.org/TR/html4/sgml/entities.html; classtype:misc-activity; sid:38250; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt"; flow:to_client,established; content:"-Encoding:"; fast_pattern; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-27; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-16; nocase; http_header; content:!"chunked"; within:13; nocase; http_header; content:"|0D 0A|"; within:4; distance:-21; http_header; content:"-Encoding:"; distance:19; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-27; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-16; nocase; http_header; content:!"chunked"; within:13; nocase; http_header; content:"|0D 0A|"; within:4; distance:-21; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38341; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt"; flow:to_client,established; content:"-Encoding"; fast_pattern; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-26; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-15; nocase; http_header; content:"|2C|"; within:50; http_header; pcre:"/(Transfer|Content)-Encoding\s*:[^\r]*?(\x2c|\r\n\x20[^\r]*?\x2c)/Hmi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38340; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt"; flow:to_client,established; content:"-Encoding"; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-26; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-15; nocase; http_header; content:!"|3A| "; within:2; http_header; pcre:"/(Transfer|Content)-Encoding\s*?:[^\r]*?([\x2c\x0d\x00]|\r\n\x20[^\r]*?[\x2c\x0d\x00])(?!\x0a)/Hmi"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38337; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt"; flow:to_client,established; content:"-Encoding"; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-27; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-16; nocase; http_header; content:"|0D 0A|"; within:4; distance:-20; http_header; content:"|3A 3A|"; within:10; distance:16; http_header; pcre:"/\r\n(Transfer|Content)-Encoding\s*?\x3a\x3a/iH"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38332; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt"; flow:to_client,established; content:"Content-Encoding"; fast_pattern:only; http_header; pcre:"/^Content-Encoding\s*:\s{2,}[a-z0-9\-]{2}/imH"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38369; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt"; flow:to_client,established; content:"Content-Encoding"; fast_pattern:only; http_header; pcre:"/Content-Encoding\s*:\s*[a-z0-9-]{2,}\s*[\x00\x0b\x0c,]/imH"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38368; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt"; flow:to_client,established; content:"Content-Encoding"; fast_pattern; nocase; http_header; content:"gzip"; within:50; nocase; http_header; content:"|1F 8B 08|"; within:500; byte_test:1,&,4,0,relative; content:!"|00 00|"; within:2; distance:7; byte_extract:2,7,esize,relative,little; isdataat:esize,relative; content:!"|00|"; within:2; distance:esize; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38394; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION newline only separator evasion"; flow:to_client,established; content:"Content-Encoding"; fast_pattern:only; pcre:"/:[\x20-\x7e]*\nContent-Encoding/H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38541; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt"; flow:to_client,established; content:"HTTP/"; depth:5; fast_pattern; nocase; content:!"0.9 "; within:4; content:!"1.0 "; within:4; content:!"1.1 "; within:4; content:!"2.0 "; within:4; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38595; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION newline only separator evasion"; flow:to_client,established; content:"|0A|Transfer-Encoding"; depth:18; nocase; http_stat_code; content:!"|0D 0A|"; within:2; distance:-19; http_stat_code; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38618; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION carriage return only separator evasion"; flow:to_client,established; content:"|0D|Transfer-Encoding"; depth:18; nocase; http_stat_code; content:!"|0D 0A|"; within:2; distance:-19; http_stat_code; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38617; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION carriage return only separator evasion"; flow:to_client,established; content:"|0D|Transfer-Encoding"; nocase; http_stat_msg; content:!"|0D 0A|"; within:2; distance:-19; http_stat_msg; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38616; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION newline only separator evasion"; flow:to_client,established; content:"|0A|Transfer-Encoding:"; nocase; http_header; content:!"|0D 0A|"; within:2; distance:-20; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38615; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION carriage return only separator evasion"; flow:to_client,established; content:"|0D|Content-Encoding:"; nocase; http_header; content:!"|0D 0A|"; within:2; distance:-19; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38614; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt"; flow:to_client,established; content:"HTTP/"; depth:5; fast_pattern; nocase; content:!"HTTP/"; within:5; distance:-5; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38602; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt"; flow:to_client,established; content:"HTTP/"; depth:5; nocase; content:"Content-Length:"; nocase; content:!"|0D 0A 0D 0A|"; within:6; pcre:"/^Content-Length:\s*?\d+?\x20*?(\n{2}|\n\r+\n|\r?\n\t|\r?\n\x0b)/im"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38601; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt"; flow:to_client,established; content:"HTTP/1.1 6"; depth:10; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38600; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt"; flow:to_client,established; content:"HTTP/1.1 10"; depth:12; fast_pattern; nocase; content:"HTTP/1.1 20"; within:200; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38599; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION invalid HTTP header evasion attempt"; flow:to_client,established; content:"HTTP|5C|"; depth:5; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38598; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header null byte evasion attempt"; flow:to_client,established; content:"Transfer"; nocase; http_header; content:"|00|"; within:20; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38597; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header null byte evasion attempt"; flow:to_client,established; content:"Content"; nocase; http_header; content:"|00|"; within:20; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38596; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt"; flow:to_client,established; content:"Content-Encoding"; fast_pattern; nocase; http_header; content:"deflate"; within:10; nocase; http_header; content:!"DEFLATE"; within:7; distance:-7; http_header; content:!"deflate"; within:7; distance:-7; http_header; content:!"Deflate"; within:7; distance:-7; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38667; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt"; flow:to_client,established; content:"HTTP/1."; depth:7; fast_pattern; nocase; content:"|0D 0A|"; http_header; content:"|0D 0A|"; within:40; http_header; content:!"|3A|"; within:30; distance:-30; http_header; pcre:"/\r\n[^:\r\n]{2,}?\r\n(?!\r\n)/iH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38666; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt"; flow:to_client,established; content:"301"; http_stat_code; content:!"Location:"; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38642; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid header line evasion attempt"; flow:to_client,established; content:"|0D 0A|"; http_header; content:"|0D 0A|"; within:15; http_header; pcre:"/\r\n[\x20\t]*?[:\x20]+?[\w\d-_]*?\r\n/Hi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38641; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt"; flow:to_client,established; content:"HTTP/1.1 "; depth:9; nocase; pcre:"/^HTTP\/1\.1 (?!\d{3}\x20)(([\d\w]+?|\d\d?|\d{4,})\x20)/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38637; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header value without key evasion attempt"; flow:to_client,established; content:"|0D 0A|:"; http_header; content:"|0D 0A|"; within:15; http_header; pcre:"/^:[^\r\n]+?\r\n/imH"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38734; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt"; flow:to_client,established; content:"HTTP/"; depth:5; content:!"1.1 "; within:4; content:!"1.0 "; within:4; content:"|3A|"; http_header; pcre:"/^[^\r\n:]+?:[^\r\n:]/imH"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38679; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION UTF-8 evasion attempt"; flow:to_client,established; content:"|C2|"; fast_pattern:only; http_header; content:"|C2|"; http_raw_header; byte_test:1,>=,0x80,0,relative; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38678; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION UTF-8 evasion attempt"; flow:to_client,established; content:"|C3|"; fast_pattern:only; http_header; content:"|C3|"; http_raw_header; byte_test:1,>=,0x80,0,relative; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38677; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Brotli encoding evasion attempt"; flow:to_client,established; content:"-encoding"; fast_pattern; nocase; http_header; content:!"Content-Transfer-Encoding"; within:26; distance:-27; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-16; http_header; content:"br"; within:10; nocase; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:38922; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt"; flow:to_client,established; content:"-encoding"; nocase; http_header; content:"gzip"; within:15; nocase; http_header; content:"|0D 0A 0D 0A 1F 8B 08|"; fast_pattern; byte_test:1,&,2,0,relative; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:39323; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt"; flow:to_client,established; content:"-encoding"; fast_pattern; nocase; http_header; content:"gzip"; within:20; nocase; http_header; content:"|0D 0A 0D 0A 1F 8B 08|"; byte_test:1,&,224,0,relative; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:39321; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt"; flow:to_client,established; content:"HTTP/1.1 200"; depth:12; nocase; content:!"OK"; within:3; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:39320; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack"; flow:to_client,established; content:".fromCharCode"; nocase; pcre:"/\.fromCharCode\s*\x28[^\x29]*,\s*[1-9][^\x29]*,\s*0[^\x29]*,\s*0x/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:39490; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack"; flow:to_client,established; file_data; content:".fromCharCode"; nocase; pcre:"/\.fromCharCode\s*\x28[^\x29]*,\s*[1-9][^\x29]*,\s*0[^\x29]*,\s*0x/i"; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:39489; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack"; flow:to_client,established; file_data; content:".fromCharCode"; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; content:".fromCharCode"; within:300; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.cs.ucsb.edu/~marco/blog/3008/10/dom-based-obfuscation-in-malicious-javascript.html; classtype:misc-activity; sid:39488; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt."; flow:to_client,established; content:"HTTP/"; depth:5; nocase; content:!"1.1 "; within:4; content:"-Encoding"; nocase; http_header; content:!"Content-Transfer-Encoding"; within:25; distance:-25; nocase; http_header; content:!"Accept-Encoding"; within:15; distance:-15; nocase; http_header; content:"Chunked"; within:30; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:40250; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt"; flow:to_client,established; file_data; content:"Content-"; nocase; http_header; content:"rfc822"; within:50; nocase; http_header; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11515; reference:cve,2004-1050; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:41714; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header"; flow:to_client,established; content:"Content-Encoding: gzip"; fast_pattern:only; http_header; content:!"Content-Length: "; nocase; http_header; content:!"Transfer-Encoding: "; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:non-standard-protocol; sid:42017; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode"; flow:to_client,established; file_data; content:"dHJpbmcuZnJvbUNoYXJDb2Rl"; content:"atob|28|"; content:"eval|28|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:42111; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated vbscript detected"; flow:to_client,established; file_data; content:"<script"; content:"type"; within:5; content:"javascript"; within:20; content:"base64decode"; within:30; content:"base64DecodeChars"; within:50; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:43708; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated vbscript detected"; flow:to_client,established; file_data; content:"<script"; content:"type"; within:5; content:"VBScript"; within:20; content:"Encode"; within:20; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:43707; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call"; flow:to_client,established; file_data; content:"136.134.149.102.141.134.142.134.143.149.148.99.154.117.130.136.111.130.142.134"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:43256; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt"; flow:to_client,established; pkt_data; content:"|76 D6 34 AF 55 71 F5 74 76 0C D2 05 00 E3 98 C2 BB 22 00 00 00|STANDARD-ANTIVIRUS"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:43216; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"%3Cscript%20type%3D%22text%2Fvbscript%22%3E"; fast_pattern:only; content:"document.write"; nocase; content:"unescape"; nocase; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:42950; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt"; flow:to_client,established; file_data; content:"unescape"; nocase; content:"%64%6f%63%75%6d%65%6e%74"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:42949; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt"; flow:to_client,established; file_data; content:"nbencode"; nocase; content:"|5C|x73|5C|x70|5C|x6C|5C|x69|5C|x74"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:42948; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt"; flow:to_client,established; file_data; content:"function String.prototype.r|28 29|{"; fast_pattern:only; content:".r|28 29|"; content:".r|28 29|"; distance:0; content:".r|28 29|"; distance:0; content:".r|28 29|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.virustotal.com/en/file/2307751251a87df5ae2838e83f79ecb8d3acc74ef25ae06d59ab1ac3ca6589fd/analysis/1495021248/; classtype:misc-activity; sid:42947; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt"; flow:to_client,established; file_data; content:"|5C|x76|5C|x61|5C|x6C|5C|x75|5C|x65|5C|x4F|5C|x66"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:42946; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION obfuscated javascript regex"; flow:to_client,established; file_data; content:"*/RegExp/*"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:43837; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Adobe Flash file packed with SecureSwf obfuscator"; flow:to_client,established; file_data; content:"_--_--"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-activity; sid:43836; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF obfuscation string"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C 7D 5C 5C 5C 2D 5C 2B 5C 25 5C 5C 5C 5C 5C 25 5C 7B 5C 7D 5C 2B 5C 7D 5C 25 5C 2B 5C 7D 7D|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:43990; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION newlines embedded in rtf header"; flow:to_client,established; file_data; flowbits:isset,file.rtf; content:"{|5C|rt|0A 0A 0A|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:43989; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt"; flow:to_client,established; file_data; content:"getXMLHttpRequest"; fast_pattern:only; content:"reverse"; nocase; content:"join"; within:20; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:44172; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt"; flow:to_server,established; content:"|22 3B 40|eval|28 24|"; fast_pattern:only; http_client_body; pcre:"/^\x24\w+=\x22\x5c(142|x62)\x5c(141|x61)\x5c(163|x73)\x5c(145|x65)\x5c(66|x36)\x5c(64|x34)\x5c(137|x5f)\x5c(144|x64)\x5c(145|x65)\x5c(143|x63)\x5c(157|x6f)\x5c(144|x64)\x5c(145|x65)\x22\x3b\x40eval\x28\x24/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,fopo.com.ar; classtype:misc-attack; sid:44235; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt"; flow:to_client,established; file_data; content:"GetEncoding"; nocase; content:"GetString"; within:100; nocase; content:"FromBase64String"; within:100; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:policy-violation; sid:44615; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt"; flow:to_server,established; file_data; content:"decodeURIComponent"; fast_pattern:only; content:"function"; nocase; content:"function"; within:50; nocase; content:"split"; within:200; content:"charCodeAt"; within:200; content:"push"; within:200; content:"charAt"; within:200; metadata:policy max-detect-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:44693; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt"; flow:to_client,established; file_data; content:"decodeURIComponent"; fast_pattern:only; content:"function"; nocase; content:"function"; within:50; nocase; content:"split"; within:200; content:"charCodeAt"; within:200; content:"push"; within:200; content:"charAt"; within:200; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:misc-attack; sid:44692; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected "; flow:to_client,established; content:"|5C|x63|5C|x6F|5C|x69|5C|x6E|5C|x68|5C|x69|5C|x76|5C|x65"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:45810; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected "; flow:to_client,established; content:"C|3A|//"; content:"C|3A|//"; within:30; content:"C|3A|//"; within:30; content:"C|3A|//"; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:45809; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION DNS TXT response record tunneling"; flow:to_client; dsize:>300; content:"|00 10 00 01 00 00 00 00 01 00 FF|"; fast_pattern:only; detection_filter:track by_src, count 25, seconds 1; metadata:ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1048; classtype:misc-activity; sid:47639; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET ![20,21] (msg:"INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt"; flow:to_server,established; content:"STOR "; depth:5; metadata:policy max-detect-ips drop; reference:url,attack.mitre.org/wiki/Technique/T1048; classtype:misc-activity; sid:47402; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt"; icode:0; content:"HTTP/"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:url,attack.mitre.org/wiki/Technique/T1048; classtype:misc-activity; sid:47401; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; nocase; content:"|5C|hlsrc"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48306; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt"; flow:to_client, established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; nocase; content:"|5C|hlsrc"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48305; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; nocase; content:"|5C 27|"; within:100; content:"|5C 27|"; within:25; content:"|5C 27|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48304; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt"; flow:to_client, established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; nocase; content:"|5C 27|"; within:100; content:"|5C 27|"; within:25; content:"|5C 27|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48303; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt"; flow:to_server,established; file_data; content:"href"; nocase; content:"http"; within:30; nocase; content:"&#820"; within:200; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1192; reference:url,thehackernews.com/2019/01/phishing-zero-width-spaces.html; classtype:misc-activity; sid:48864; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt"; flow:to_client,established; file_data; content:"href"; nocase; content:"http"; within:30; nocase; content:"&#652"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1192; reference:url,thehackernews.com/2019/01/phishing-zero-width-spaces.html; classtype:misc-activity; sid:48863; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt"; flow:to_server,established; file_data; content:"href"; nocase; content:"http"; within:30; nocase; content:"&#652"; within:200; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1192; reference:url,thehackernews.com/2019/01/phishing-zero-width-spaces.html; classtype:misc-activity; sid:48862; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt"; flow:to_client,established; file_data; content:"href"; nocase; content:"http"; within:30; nocase; content:"&#820"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1192; reference:url,thehackernews.com/2019/01/phishing-zero-width-spaces.html; classtype:misc-activity; sid:48861; rev:2;)


@@ -0,0 +1,58 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------------
# INDICATOR-SCAN RULES
#----------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH brute force login attempt"; flow:to_server,established,no_stream; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; metadata:policy max-detect-ips drop, service ssh; reference:cve,2012-6066; reference:cve,2015-5600; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,attack.mitre.org/techniques/T1110; classtype:misc-activity; sid:19559; rev:10;)
# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"INDICATOR-SCAN xtacacs failed login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|02|"; distance:4; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2041; rev:8;)
# alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"INDICATOR-SCAN isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2043; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:616; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:619; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:622; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:630; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:626; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:627; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:634; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:635; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:636; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1638; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:1133; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server,established; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:8081; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Proxyfire.net anonymous proxy scan"; flow:to_server,established; content:"proxyfire.net/fastenv"; nocase; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,www.proxyfire.net/index.php; classtype:network-scan; sid:18179; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan iPhone agent string"; flow:established,to_server; content:"User-Agent: Mozilla/5.0 (iPhone|3B| U|3B| CPU iPhone OS 4_1 like Mac OS X|3B| en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6531.22.7 SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23604; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan default agent string"; flow:established,to_server; content:"User-Agent: Mozilla/5.0 SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,attack.mitre.org/techniques/T1078; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23601; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan Firefox agent string"; flow:established,to_server; content:"User-Agent: Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| en-US|3B| rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23602; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan MSIE agent string"; flow:established,to_server; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| .NET CLR 1.1.4322|3B| InfoPath.1|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729|3B| SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23603; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1100; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1101; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN DirBuster brute forcing tool detected"; flow:to_server,established; content:"User-Agent|3A| DirBuster"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,attack.mitre.org/techniques/T1110; reference:url,sourceforge.net/projects/dirbuster/; classtype:web-application-attack; sid:19933; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN sqlmap SQL injection scan attempt"; flow:to_server,established; content:"User-Agent|3A| sqlmap"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,sqlmap.sourceforge.net; classtype:web-application-activity; sid:19779; rev:7;)
# alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:613; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP WANIPConnection"; flow:to_server; content:"M-SEARCH *"; depth:10; content:"MX: 2|0D 0A|"; nocase; content:"ssdp|3A|discover"; nocase; content:"urn:schemas-upnp-org:service:WANIPConnection:1"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:28003; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP WANPPPConnection"; flow:to_server; content:"M-SEARCH *"; depth:10; content:"MX: 2|0D 0A|"; nocase; content:"ssdp|3A|discover"; nocase; content:"urn:schemas-upnp-org:service:WANPPPConnection:1"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:28002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN User-Agent known malicious user-agent Masscan"; flow:to_server,established; content:"User-Agent|3A| masscan"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,github.com/robertdavidgraham/masscan/blob/master/doc/masscan.8.markdown; classtype:misc-activity; sid:28301; rev:3;)
# alert udp $EXTERNAL_NET 2425 -> $HOME_NET 2425 (msg:"INDICATOR-SCAN inbound probing for IPTUX messenger port "; flow:to_server; content:"iptux"; depth:5; offset:2; content:"lws|3A|lws"; within:7; distance:9; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,github.com/iptux-src/iptux; classtype:misc-activity; sid:28552; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN User-Agent known malicious user-agent The Mole"; flow:to_server,established; content:"User-Agent: Mozilla/The Mole"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,themole.sourceforge.net/; classtype:misc-activity; sid:29462; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1917; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt"; flow:to_server,established; file_data; content:"|22|pcap|22 2C 20 22|rar|22 2C 20 22|zip|22 2C 20 22|chls|22 2C 20 22|py|22 2C 20 22|halog|22 2C 20 22|har|22 2C 20 22|hwl|22 2C 20 22|cap|22|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-3351; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; classtype:attempted-recon; sid:40095; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt"; flow:to_client,established; file_data; content:"|22|pcap|22 2C 20 22|rar|22 2C 20 22|zip|22 2C 20 22|chls|22 2C 20 22|py|22 2C 20 22|halog|22 2C 20 22|har|22 2C 20 22|hwl|22 2C 20 22|cap|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3351; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; classtype:attempted-recon; sid:40094; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response"; flow:to_server; dsize:20; content:"|00 01|random_file|00|octet|00|"; depth:20; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service tftp; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-recon; sid:41793; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN PHP info leak attempt"; flow:to_server,established; content:"/phpinfo.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,secure.php.net/manual/en/function.phpinfo.php; classtype:attempted-recon; sid:42289; rev:2;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET 53 (msg:"INDICATOR-SCAN DNS version.bind string information disclosure attempt"; flow:to_server; content:"versio"; fast_pattern; content:"|00 10 00 03|"; within:260; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-0171; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:42785; rev:4;)


@@ -0,0 +1,356 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------------
# INDICATOR-SHELLCODE RULES
#---------------------------
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddress"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26789; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"hspt"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26788; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddr"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25643; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"hspt"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25642; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"agent"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25641; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddress"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25638; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddr"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25637; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"return_address"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25635; rev:3;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic avoid_underscore_tolower encoder"; content:"|6A|"; content:"|6B 3C 24 09 60 03 0C 24 6A|"; within:9; distance:1; content:"|03 0C 24 6A 04|"; within:5; distance:1; classtype:shellcode-detect; sid:24114; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder"; flow:established,to_client; file_data; content:"%u5456%u3358%u5630%u3458%u5041%u4130%u4833%u3048%u3041%u4130%u4142%u4241%u4154%u5141%u4132%u3242%u4242%u4230%u5842%u3850%u4341"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:shellcode-detect; sid:23236; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic avoid_utf8_tolower javascript encoder"; flow:to_client,established; file_data; content:"%u3c6b%u0b24%u0360%u240c"; nocase; content:"%u0c03%u6a24"; within:12; distance:6; nocase; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:23217; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Piecemeal exploit and shellcode construction"; flow:to_client,established; file_data; content:"xcode-(shellcode.length"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,labs.m86security.com/2012/01/web-hijacks-with-ajax/; classtype:shellcode-detect; sid:21265; rev:4;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic avoid_utf8_tolower encoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|"; within:9; distance:1; content:"|03 0C 24 6A 04|"; within:5; distance:1; classtype:shellcode-detect; sid:20990; rev:4;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic single_static_bit encoder"; content:"|80 F9|"; content:"|74|"; within:1; distance:1; content:"|60 83 E9 01 74 06 B3 02 F6 F3 E2|"; within:11; distance:1; content:"|83 E0 01 6B 2F 02 09 E8 AA 61 83 ED FF 83 FD 08 75|"; within:17; distance:1; content:"|83 EF FF 31 ED|"; within:5; distance:1; classtype:shellcode-detect; sid:20989; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_railgun_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_railgun_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_railgun_(memread|memwrite|api_multi|api)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20199; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter networkpug_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|networkpug_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01networkpug_(start|stop)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20198; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter espia_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|espia_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01espia_(video_get_dev_image|audio_get_dev_audio|image_get_dev_screen)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20197; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter lanattacks_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|lanattacks_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01lanattacks_(start_dhcp|reset_dhcp|set_dhcp_option|stop_dhcp|dhcp_log|start_tftp|reset_tftp|add_tftp_file|stop_tftp)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20196; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter priv_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|priv_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01priv_(elevate_getsystem|passwd_get_sam_hashes|fs_get_file_mace|fs_set_file_mace|fs_set_file_mace_from_file|fs_blank_file_mace|fs_blank_directory_mace)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20195; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter sniffer_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|sniffer_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01sniffer_(interfaces|capture_start|capture_stop|capture_stats|capture_dump|capture_dump_read)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20194; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter webcam_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|webcam_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01webcam_(list|start|get_frame|stop|audio_record)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20193; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter incognito_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|incognito_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01incognito_(list_tokens|impersonate_token|add_user|add_group_user|add_localgroup_user|snarf_hashes)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20192; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_registry_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_registry_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_registry_(load_key|unload_key|open_key|open_remote_key|create_key|delete_key|close_key|enum_key|set_value|query_value|delete_value|query_class|enum_value)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20190; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_ui_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_ui_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_ui_(enable_keyboard|enable_mouse|get_idle_time|desktop_enum|desktop_get|desktop_set|desktop_screenshot|unlock_desktop|start_keyscan|stop_keyscan|get_keys)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20189; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_eventlog_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_eventlog_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_eventlog_(open|numrecords|read|oldest|clear|close)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20187; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_process_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_process_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_process_(thread_open|thread_create|thread_get_threads|image_load|image_get_proc_address|image_unload|image_get_images|memory_allocate|memory_free|memory_read|memory_write|memory_query|memory_protect|memory_lock|memory_unlock|attach|execute|kill|getpid|get_processes|close|wait|get_info|thread_suspend|thread_resume|thread_terminate|thread_query_regs|thread_set_regs|thread_close)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20186; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_fs_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_fs_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_fs_(separator|search|file_expand_path|md5|sha1|delete_file|stat|ls|chdir|mkdir|getwd|delete_dir)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20185; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SHELLCODE Metasploit php meterpreter stub .php file upload"; flow:established,to_server; content:"|24|GLOBALS|5B 27|msgsock_type|27 5D| = |24|s_type|3B 0A|eval"; fast_pattern:only; metadata:service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20184; rev:4;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped"; content:"unescape"; content:"%ud9ee%u2474%u"; content:"%uf4e2"; distance:18; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17323; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"INDICATOR-SHELLCODE x86 PoC CVE-2003-0605"; flow:established,to_server; content:"|05 00 06 01 00 00 00 00|11111111111111111111111111111111|00 00 00 00 00 00 00 00|"; fast_pattern:only; reference:cve,2003-0605; classtype:attempted-user; sid:15903; rev:5;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"RERERERERERERERERERERERERERERERER"; classtype:shellcode-detect; sid:12801; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:nessus,15015; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607; classtype:shellcode-detect; sid:1327; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:attempted-user; sid:694; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:shellcode-detect; sid:693; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:692; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:691; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:650; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:649; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:system-call-detect; sid:647; rev:15;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:645; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:644; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:643; rev:13;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:642; rev:12;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:641; rev:12;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt"; flow:established; content:"|FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30229; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt"; flow:established; content:"|0B 01 00 00|"; depth:4; content:"|D9 74 24 F4|"; within:4; distance:7; content:"|C9 B1 3D|"; within:3; distance:2; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30228; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/reverse_tcp stager transfer attempt"; flow:established; content:"|FC E8 86 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30227; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/meterpreter stage transfer attempt"; flow:established; content:"METERPRETER_USERNAME_PROXY"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30226; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE possible /bin/sh shellcode transfer attempt"; flow:established; content:"Rh//shh/bin"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30225; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit shellcode linux/x86/shell_reverse_tcp single stage transfer attempt"; flow:established; content:"|31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 93 59 B0 3F CD 80 49 79 F9 68 C0 A8 1E 01 68 02 00 11 5C 89 E1 B0 66 50 51 53 B3 03 89 E1 CD 80 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 B0 0B CD 80|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30224; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit shellcode linux/x86/shell stage transfer attempt"; flow:established; content:"|89 FB 6A 02 59 6A 3F 58 CD 80 49 79 F8 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30223; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit shellcode linux/x86/meterpreter stage transfer attempt"; flow:established; content:"|6A 04 5A 89 E1 89 FB 6A 03 58 CD 80 57 B8 C0 00 00 00 BB 00 00 04 20 8B 4C 24 04 6A 07 5A 6A 32 5E 31 FF 89 FD 4F CD 80 3D 7F|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30222; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit linux/x86 reverse_tcp stager transfer attempt"; flow:established; content:"|31 DB F7 E3 53 43 53 6A 02 B0 66 89 E1 CD 80 97 5B 68|"; content:"|89 E1 6A 66 58 50 51 57 89 E1 43 CD 80 B2 07 B9 00 10 00 00 89 E3 C1 EB 0C C1 E3 0C B0 7D CD 80 5B 89 E1 99 B6 0C B0 03 CD 80 FF E1|"; within:44; distance:9; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30221; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https"; content:"|FC 48 83 E4 F0 E8 C8 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0|"; fast_pattern:only; classtype:shellcode-detect; sid:30480; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_x64_exec"; content:"|FC 48 83 E4 F0 E8 C0 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0|"; fast_pattern:only; classtype:shellcode-detect; sid:30479; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_speak_pwned"; content:"|66 81 E4 FC FF 31 F6 64 8B 76 30 8B 76 0C 8B 76 1C 56 66 BE AA 1A 5F 8B 6F 08 FF 37 8B 5D 3C 8B 5C 1D 78 01 EB 8B 4B 18 67 E3 EB 8B 7B 20 01 EF|"; fast_pattern:only; classtype:shellcode-detect; sid:30478; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_shell_bind_tcp_xpfw"; content:"|E8 56 00 00 00 53 55 56 57 8B 6C 24 18 8B 45 3C 8B 54 05 78 01 EA 8B 4A 18 8B 5A 20 01 EB E3 32 49 8B 34 8B 01 EE 31 FF FC 31 C0 AC 38 E0 74 07|"; fast_pattern:only; classtype:shellcode-detect; sid:30477; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_reverse_ord_tcp"; content:"|FC 31 DB 64 8B 43 30 8B 40 0C 8B 50 1C 8B 12 8B 72 20 AD AD 4E 03 06 3D 32 33 5F 32 75 EF 8B 6A 08 8B 45 3C 8B 4C 05 78 8B 4C 0D 1C 01 E9 8B 41|"; fast_pattern:only; classtype:shellcode-detect; sid:30476; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_find_tag"; content:"|FC 33 FF 64 8B 47 30 8B 40 0C 8B 58 1C 8B 1B 8B 73 20 AD AD 4E 03 06 3D 32 33 5F 32 75 EF 8B 6B 08 8B 45 3C 8B 4C 05 78 8B 4C 0D 1C 8B 5C 29 3C|"; fast_pattern:only; classtype:shellcode-detect; sid:30475; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_bind_tcp"; content:"|FC E8 86 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; classtype:shellcode-detect; sid:30474; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_bind_nonx_tcp"; content:"|FC 6A EB 47 E8 F9 FF FF FF 60 31 DB 8B 7D 3C 8B 7C 3D 78 01 EF 8B 57 20 01 EA 8B 34 9A 01 EE 31 C0 99 AC C1 CA 0D 01 C2 84 C0 75 F6 43 66 39 CA|"; fast_pattern:only; classtype:shellcode-detect; sid:30473; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_messagebox"; content:"|D9 EB 9B D9 74 24 F4 31 D2 B2 77 31 C9 64 8B 71 30 8B 76 0C 8B 76 1C 8B 46 08 8B 7E 20 8B 36 38 4F 18 75 F3 59 01 D1 FF E1 60 8B 6C 24 24 8B 45|"; fast_pattern:only; classtype:shellcode-detect; sid:30472; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_adduser"; content:"|FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; classtype:shellcode-detect; sid:30471; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_x86_shell_reverse_tcp"; content:"|68 FF D8 FF 3C 6A 65 89 E6 F7 56 04 F6 16 68 0A 07 00 2B 66 68 11 5C 66 6A 02 89 E7 6A 02 31 C0 50 50 6A 02 6A 02 B0 E6 FF D6 6A 10 57 50 31 C0|"; fast_pattern:only; classtype:shellcode-detect; sid:30470; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_x86_shell_find_port"; content:"|31 DB F7 E3 53 89 E7 68 FF D8 FF 3C 6A 65 89 E6 F7 56 04 F6 16 57 B3 91 53 53 54 B7 54 53 50 58 40 50 6A 36 58 FF D6 66|"; fast_pattern:only; classtype:shellcode-detect; sid:30469; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_x86_shell_bind_tcp"; content:"|68 FF D8 FF 3C 6A 65 89 E6 F7 56 04 F6 16 31 C0 50 68 FF 02 11 5C 89 E7 6A 02 50 50 6A 02 6A 02 B0 E6 FF D6 6A 10 57 50 31 C0 B0 E8 FF D6 5B 50|"; fast_pattern:only; classtype:shellcode-detect; sid:30468; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_sparc_shell_reverse_tcp"; content:"|9C 2B A0 07 98 10 20 01 96 1A C0 0B 94 1A C0 0B 92 10 20 02 90 10 20 02 82 10 20 E6 91 D0 20 08 D0 23 BF F8 94 10 20 03 92 10 20 09 94 A2 A0 01|"; fast_pattern:only; classtype:shellcode-detect; sid:30467; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_sparc_shell_find_port"; content:"|9C 2B A0 07 90 1A 80 0A D0 23 BF E8 90 02 20 01 90 0A 2F FF 92 10 20 10 D0 3B BF F8 94 23 A0 04 92 23 A0 18 82 10 20 F3 91 D0 20 08 94 10 20 03|"; fast_pattern:only; classtype:shellcode-detect; sid:30466; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_sparc_shell_bind_tcp"; content:"|9C 2B A0 07 98 10 20 01 96 1A C0 0B 94 1A C0 0B 92 10 20 02 90 10 20 02 82 10 20 E6 91 D0 20 08 D0 23 BF F8 21 00 00 84 A0 14 21 5C E0 23 BF F0|"; fast_pattern:only; classtype:shellcode-detect; sid:30465; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload ruby_shell_reverse_tcp_ssl"; content:"|63 6F 64 65 20 3D 20 25 28 63 6D 56 78 64 57 6C 79 5A 53 41 6E 63 32 39 6A 61 32 56 30 4A 7A 74 79 5A 58 46 31 61 58 4A 6C 49 43 64 76 63 47 56|"; fast_pattern:only; classtype:shellcode-detect; sid:30464; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload ruby_shell_reverse_tcp"; content:"|63 6F 64 65 20 3D 20 25 28 63 6D 56 78 64 57 6C 79 5A 53 41 6E 63 32 39 6A 61 32 56 30 4A 7A 74 6A 50 56 52 44 55 46 4E 76 59 32 74 6C 64 43 35|"; fast_pattern:only; classtype:shellcode-detect; sid:30463; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload ruby_shell_bind_tcp"; content:"|63 6F 64 65 20 3D 20 25 28 63 6D 56 78 64 57 6C 79 5A 53 41 6E 63 32 39 6A 61 32 56 30 4A 7A 74 7A 50 56 52 44 55 46 4E 6C 63 6E 5A 6C 63 69 35|"; fast_pattern:only; classtype:shellcode-detect; sid:30462; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload python_shell_reverse_tcp_ssl"; content:"|65 78 65 63 28 27 61 57 31 77 62 33 4A 30 49 48 4E 76 59 32 74 6C 64 43 78 7A 64 57 4A 77 63 6D 39 6A 5A 58 4E 7A 4C 47 39 7A 4C 48 4E 7A 62 41|"; fast_pattern:only; classtype:shellcode-detect; sid:30461; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload python_meterpreter_bind_tcp"; content:"|69 6D 70 6F 72 74 20 62 61 73 65 36 34 3B 20 65 78 65 63 28 62 61 73 65 36 34 2E 62 36 34 64 65 63 6F 64 65 28 27 61 57 31 77 62 33 4A 30 49 48|"; fast_pattern:only; classtype:shellcode-detect; sid:30460; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_shell_findsock"; content:"|65 72 72 6F 72 5F 72 65 70 6F 72 74 69 6E 67 28 30 29 3B 0A 70 72 69 6E 74 28 22 3C 68 74 6D 6C 3E 3C 62 6F 64 79 3E 22 29 3B 0A 66 6C 75 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30459; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_reverse_php"; content:"|20 65 6C 73 65 20 69 66 20 28 73 75 62 73 74 72 28 24 63 2C 30 2C 34 29 20 3D 3D 20 27 71 75 69 74 27 20 7C 7C 20 73 75 62 73 74 72 28 24 63 2C|"; fast_pattern:only; classtype:shellcode-detect; sid:30458; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_reverse_perl"; content:"|62 61 73 65 36 34 5F 64 65 63 6F 64 65 28 27 63 47 56 79 62 43 41 74 54 55 6C 50 49 43 31 6C 49 43 63 6B 63 44 31 6D 62 33 4A 72 4F 32 56 34 61|"; fast_pattern:only; classtype:shellcode-detect; sid:30457; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_meterpreter_reverse_tcp"; content:"|69 66 20 28 21 69 73 73 65 74 28 24 47 4C 4F 42 41 4C 53 5B 27 63 68 61 6E 6E 65 6C 73 27 5D 29 29 20 7B 20 24 47 4C 4F 42 41 4C 53 5B 27 63 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30456; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_meterpreter_bind_tcp"; content:"|23 3C 3F 70 68 70 0A 0A 23 20 54 68 65 20 70 61 79 6C 6F 61 64 20 68 61 6E 64 6C 65 72 20 6F 76 65 72 77 72 69 74 65 73 20 74 68 69 73 20 77 69|"; fast_pattern:only; classtype:shellcode-detect; sid:30455; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_exec"; content:"|24 63 20 3D 20 62 61 73 65 36 34 5F 64 65 63 6F 64 65 28 22 4C 32 4A 70 62 69 39 7A 61 41 3D 3D 22 29 3B 20 40 73 65 74 5F 74 69 6D 65 5F 6C 69|"; fast_pattern:only; classtype:shellcode-detect; sid:30454; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_download_exec"; content:"|20 20 20 20 69 66 20 28 21 66 75 6E 63 74 69 6F 6E 5F 65 78 69 73 74 73 28 27 73 79 73 5F 67 65 74 5F 74 65 6D 70 5F 64 69 72 27 29 29 20 7B 0A|"; fast_pattern:only; classtype:shellcode-detect; sid:30453; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_bind_perl"; content:"|73 79 73 74 65 6D 28 62 61 73 65 36 34 5F 64 65 63 6F 64 65 28 27 63 47 56 79 62 43 41 74 54 55 6C 50 49 43 31 6C 49 43 63 6B 63 44 31 6D 62 33|"; fast_pattern:only; classtype:shellcode-detect; sid:30452; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_vforkshell_reverse_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 72 6D 89 C7 52 52 68 0A 07 00 2B 68 00 02 11 5C 89 E3 6A 10 53 57 52 B0 62 CD 80 72 52 31 DB 83 EB 01 43|"; fast_pattern:only; classtype:shellcode-detect; sid:30451; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_vforkshell_bind_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 0F 82 7E 00 00 00 89 C6 52 52 52 68 00 02 11 5C 89 E3 6A 10 53 56 52 B0 68 CD 80 72 67 52 56 52 B0 6A CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30450; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_shell_find_port"; content:"|50 6A 5A 58 CD 80 FF 4F F0 79 F6 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 54 53 50 B0 3B CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30449; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_isight_reverse_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 72 6C 89 C7 52 52 68 0A 07 00 2B 68 00 02 11 5C 89 E3 6A 10 53 57 52 B0 62 CD 80 72 51 89 E5 83 EC 08 31|"; fast_pattern:only; classtype:shellcode-detect; sid:30448; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_isight_bind_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 0F 82 7D 00 00 00 89 C6 52 52 52 68 00 02 11 5C 89 E3 6A 10 53 56 52 B0 68 CD 80 72 66 52 56 52 B0 6A CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30447; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_exec"; content:"|31 C0 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 5B 50 50 53 B0 3B 50 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30446; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_shell_reverse_tcp"; content:"|B8 61 00 00 02 6A 02 5F 6A 01 5E 48 31 D2 0F 05 49 89 C4 48 89 C7 B8 62 00 00 02 48 31 F6 56 48 BE 00 02 11 5C 0A 07 00 2B 56 48 89 E6 6A 10 5A|"; fast_pattern:only; classtype:shellcode-detect; sid:30445; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_shell_find_tag"; content:"|48 31 FF 57 48 89 E6 6A 04 5A 48 8D 4A FE 4D 31 C0 4D 31 C9 48 FF CF 48 FF C7 B8 1D 00 00 02 0F 05 81 3C 24 4E 45 4D 4F 75 ED 48 31 C9 B8 1D 00|"; fast_pattern:only; classtype:shellcode-detect; sid:30444; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_say"; content:"|48 31 C0 B8 3B 00 00 02 E8 14 00 00 00 2F 75 73 72 2F 62 69 6E 2F 73 61 79 00 48 65 6C 6C 6F 21 00 48 8B 3C 24 4C 8D 57 0D 48 31 D2 52 41 52 57|"; fast_pattern:only; classtype:shellcode-detect; sid:30443; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_exec"; content:"|48 31 D2 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 5F 52 57 48 89 E6 48 C7 C0 3B 00 00 02 0F 05|"; fast_pattern:only; classtype:shellcode-detect; sid:30442; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_dupandexecve_reverse_tcp"; content:"|B8 61 00 00 02 6A 02 5F 6A 01 5E 48 31 D2 0F 05 49 89 C5 48 89 C7 B8 62 00 00 02 48 31 F6 56 48 BE 00 02 11 5C 0A 07 00 2B 56 48 89 E6 6A 10 5A|"; fast_pattern:only; classtype:shellcode-detect; sid:30441; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_dupandexecve_bind_tcp"; content:"|B8 61 00 00 02 6A 02 5F 6A 01 5E 48 31 D2 0F 05 48 89 C7 B8 68 00 00 02 48 31 F6 56 BE 00 02 11 5C 56 48 89 E6 6A 10 5A 0F 05 B8 6A 00 00 02 48|"; fast_pattern:only; classtype:shellcode-detect; sid:30440; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_ppc_shell_reverse_tcp"; content:"|38 60 00 02 38 80 00 01 38 A0 00 06 38 00 00 61 44 00 00 02 7C 00 02 78 7C 7E 1B 78 48 00 00 0D 00 02 11 5C 0A 07 00 2B 7C 88 02 A6 38 A0 00 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30439; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_ppc_shell_find_tag"; content:"|3B A0 0F FF 3B C0 0F FF 37 9D F0 02 7F DC F0 51 41 80 FF F0 38 1D F0 67 7F C3 F3 78 38 81 EF F8 38 A0 0F FF 38 DD F0 81 44 FF FF 02 7C C6 32 79|"; fast_pattern:only; classtype:shellcode-detect; sid:30438; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_ppc_shell_bind_tcp"; content:"|38 60 00 02 38 80 00 01 38 A0 00 06 38 00 00 61 44 00 00 02 7C 00 02 78 7C 7E 1B 78 48 00 00 0D 00 02 11 5C 00 00 00 00 7C 88 02 A6 38 A0 00 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30437; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_armle_vibrate"; content:"|20 08 A0 E1 04 F0 1F E5 74 F9 9E 31 44 44 EA 03|"; fast_pattern:only; classtype:shellcode-detect; sid:30436; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_armle_shell_reverse_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 06 20 A0 E3 61 C0 A0 E3 80 00 00 EF 00 A0 A0 E1 01 00 00 EB 00 02 11 5C 0A 07 00 2B 0A 00 A0 E1 0E 10 A0 E1 10 20 A0 E3|"; fast_pattern:only; classtype:shellcode-detect; sid:30435; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_armle_shell_bind_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 06 20 A0 E3 61 C0 A0 E3 80 00 00 EF 00 A0 A0 E1 01 00 00 EB 00 02 11 5C 00 00 00 00 0A 00 A0 E1 0E 10 A0 E1 10 20 A0 E3|"; fast_pattern:only; classtype:shellcode-detect; sid:30434; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload nodejs_shell_bind_tcp"; content:"|20 28 66 75 6E 63 74 69 6F 6E 28 29 7B 20 76 61 72 20 72 65 71 75 69 72 65 20 3D 20 67 6C 6F 62 61 6C 2E 72 65 71 75 69 72 65 20 7C 7C 20 67 6C|"; fast_pattern:only; classtype:shellcode-detect; sid:30433; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload netware_shell_reverse_tcp"; content:"|EB 41 57 51 31 FF 8B 54 BD 00 85 D2 74 24 31 F6 8B 5A 08 8A 03 84 C0 74 0D 43 0F B6 0B C1 CE 0D 01 CE FE C8 EB EF 3B 74 24 0C 74 11 8B 12 85 D2|"; fast_pattern:only; classtype:shellcode-detect; sid:30432; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_reverse_tcp2"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80 93 59 B0 3F CD 80 49 79 F9 5B 5A 68 0A 07 00 2B 66 68 11 5C 43 66 53 89 E1 B0 66 50 51 53 89 E1 43 CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30431; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_reverse_tcp"; content:"|31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 93 59 B0 3F CD 80 49 79 F9 68 0A 07 00 2B 68 02 00 11 5C 89 E1 B0 66 50 51 53 B3 03 89 E1 CD 80 52|"; fast_pattern:only; classtype:shellcode-detect; sid:30430; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_find_port"; content:"|75 F1 5B 6A 02 59 B0 3F CD 80 49 79 F9 50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 53 89 E1 99 B0 0B CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30429; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_bind_tcp_random_port"; content:"|31 DB F7 E3 B0 66 43 52 53 6A 02 89 E1 CD 80 52 50 89 E1 B0 66 B3 04 CD 80 B0 66 43 CD 80 59 93 6A 3F 58 CD 80 49 79 F8 B0 0B 68 2F 2F 73 68 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30428; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_bind_tcp"; content:"|31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 5B 5E 52 68 02 00 11 5C 6A 10 51 50 89 E1 6A 66 58 CD 80 89 41 04 B3 04 B0 66 CD 80 43 B0 66 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30427; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_bind_ipv6_tcp"; content:"|31 DB 53 43 53 6A 0A 89 E1 6A 66 58 CD 80 96 99 52 52 52 52 52 52 66 68 11 5C 66 68 0A 00 89 E1 6A 1C 51 56 89 E1 43 6A 66 58 CD 80 B0 66 B3 04|"; fast_pattern:only; classtype:shellcode-detect; sid:30426; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_reverse_tcp"; content:"|31 DB F7 E3 53 43 53 6A 02 B0 66 89 E1 CD 80 97 5B 68 0A 07 00 2B 68 02 00 11 5C 89 E1 6A 66 58 50 51 57 89 E1 43 CD 80 B2 07 B9 00 10 00 00 89|"; fast_pattern:only; classtype:shellcode-detect; sid:30425; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_reverse_nonx_tcp"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80 97 5B 68 0A 07 00 2B 66 68 11 5C 66 53 89 E1 6A 66 58 50 51 57 89 E1 43 CD 80 5B 99 B6 0C B0 03 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30424; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_reverse_ipv6_tcp"; content:"|31 DB 53 43 53 6A 0A 89 E1 6A 66 58 CD 80 96 99 68 00 00 00 00 68 0A 07 00 2B 68 00 00 5E FE 68 00 00 00 00 68 FE 80 00 00 52 66 68 11 5C 66 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30423; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_find_tag"; content:"|31 DB 53 89 E6 6A 40 B7 0A 53 56 53 89 E1 86 FB 66 FF 01 6A 66 58 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30422; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_bind_tcp"; content:"|6A 7D 58 99 B2 07 B9 00 10 00 00 89 E3 66 81 E3 00 F0 CD 80 31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 5B 5E 52 68 02 00 11 5C 6A 10 51 50 89|"; fast_pattern:only; classtype:shellcode-detect; sid:30421; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_bind_nonx_tcp"; content:"|31 DB 53 43 53 6A 02 6A 66 58 99 89 E1 CD 80 96 43 52 66 68 11 5C 66 53 89 E1 6A 66 58 50 51 56 89 E1 CD 80 B0 66 D1 E3 CD 80 52 52 56 43 89 E1|"; fast_pattern:only; classtype:shellcode-detect; sid:30420; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_bind_ipv6_tcp"; content:"|6A 7D 58 99 B2 07 B9 00 10 00 00 89 E3 66 81 E3 00 F0 CD 80 31 DB F7 E3 11 5C 53 6A 0A 89 E1 B0 66 CD 80 43 52 52 52 52 52 52 68 0A 00 BF BF 89|"; fast_pattern:only; classtype:shellcode-detect; sid:30419; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_exec"; content:"|6A 0B 58 99 52 66 68 2D 63 89 E7 68 2F 73 68 00 68 2F 62 69 6E 89 E3 52 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 57 53 89 E1 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30418; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_chmod"; content:"|99 6A 0F 58 52 E8 0C 00 00 00 2F 65 74 63 2F 73 68 61 64 6F 77 00 5B 68 B6 01 00 00 59 CD 80 6A 01 58 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30417; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_adduser"; content:"|31 C9 89 CB 6A 46 58 CD 80 6A 05 58 31 C9 51 68 73 73 77 64 68 2F 2F 70 61 68 2F 65 74 63 89 E3 41 B5 04 CD 80 93 E8 28 00 00 00 6D 65 74 61 73|"; fast_pattern:only; classtype:shellcode-detect; sid:30416; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_reverse_tcp"; content:"|6A 29 58 99 6A 02 5F 6A 01 5E 0F 05 48 97 48 B9 02 00 11 5C 0A 07 00 2B 51 48 89 E6 6A 10 5A 6A 2A 58 0F 05 6A 03 5E 48 FF CE 6A 21 58 0F 05 75|"; fast_pattern:only; classtype:shellcode-detect; sid:30415; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_find_port"; content:"|48 31 FF 48 31 DB B3 14 48 29 DC 48 8D 14 24 48 8D 74 24 04 6A 34 58 0F 05 48 FF C7 66 81 7E 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30414; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_bind_tcp_random_port"; content:"|48 31 F6 48 F7 E6 FF C6 6A 02 5F B0 29 0F 05 52 5E 50 5F B0 32 0F 05 B0 2B 0F 05 57 5E 48 97 FF CE B0 21 0F 05 75 F8 52 48 BF 2F 2F 62 69 6E 2F|"; fast_pattern:only; classtype:shellcode-detect; sid:30413; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_bind_tcp"; content:"|6A 29 58 99 6A 02 5F 6A 01 5E 0F 05 48 97 52 C7 04 24 02 00 11 5C 48 89 E6 6A 10 5A 6A 31 58 0F 05 6A 32 58 0F 05 48 31 F6 6A 2B 58 0F 05 48 97|"; fast_pattern:only; classtype:shellcode-detect; sid:30412; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_exec"; content:"|6A 3B 58 99 48 BB 2F 62 69 6E 2F 73 68 00 53 48 89 E7 68 2D 63 00 00 48 89 E6 52 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 56 57 48 89 E6 0F 05|"; fast_pattern:only; classtype:shellcode-detect; sid:30411; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc_shell_find_port"; content:"|7F FF FA 78 3B A0 01 FF 97 E1 FF FC 7C 3C 0B 78 3B 7D FE 11 97 61 FF FC 7C 3A 0B 78 97 41 FF FC 97 81 FF FC 97 E1 FF FC 3B FF 01 FF 3B FF FE 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30410; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc_shell_bind_tcp"; content:"|7F FF FA 78 3B A0 01 FF 3B 9D FE 02 3B 7D FE 03 97 E1 FF FC 97 81 FF FC 97 61 FF FC 7C 24 0B 78 38 7D FE 02 38 1D FE 67 44 FF FF 02 7C 7A 1B 78|"; fast_pattern:only; classtype:shellcode-detect; sid:30409; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc64_shell_find_port"; content:"|7F FF FA 78 3B A0 01 FF 97 E1 FF FC 7C 3C 0B 78 3B 7D FE 11 97 61 FF FC 7C 3A 0B 78 FB 41 FF F9 FB 81 FF F9 FB E1 FF F9 3B FF 01 FF 3B FF FE 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30408; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc64_shell_bind_tcp"; content:"|7F FF FA 78 3B A0 01 FF 3B 9D FE 02 3B 7D FE 03 FB E1 FF F9 FB 81 FF F9 FB 61 FF F9 7C 24 0B 78 38 7D FE 02 38 1D FE 67 44 FF FF 02 7C 7A 1B 78|"; fast_pattern:only; classtype:shellcode-detect; sid:30407; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsle_shell_reverse_tcp"; content:"|FA FF 0F 24 27 78 E0 01 FD FF E4 21 FD FF E5 21 FF FF 06 28 57 10 02 24 0C 01 01 01 FF FF A2 AF FF FF A4 8F FD FF 0F 34 27 78 E0 01 E2 FF AF AF|"; fast_pattern:only; classtype:shellcode-detect; sid:30406; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsle_shell_bind_tcp"; content:"|E0 FF BD 27 FD FF 0E 24 27 20 C0 01 27 28 C0 01 FF FF 06 28 57 10 02 24 0C 01 01 01 FF FF 50 30 EF FF 0E 24 27 70 C0 01 11 5C 0D 24 04 68 CD 01|"; fast_pattern:only; classtype:shellcode-detect; sid:30405; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsle_reboot"; content:"|21 43 06 3C DC FE C6 34 12 28 05 3C 69 19 A5 34 E1 FE 04 3C AD DE 84 34 F8 0F 02 24 0C 01 01 01|"; fast_pattern:only; classtype:shellcode-detect; sid:30404; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsbe_shell_reverse_tcp"; content:"|24 0F FF FA 01 E0 78 27 21 E4 FF FD 21 E5 FF FD 28 06 FF FF 24 02 10 57 01 01 01 0C AF A2 FF FF 8F A4 FF FF 34 0F FF FD 01 E0 78 27 AF AF FF E0|"; fast_pattern:only; classtype:shellcode-detect; sid:30403; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsbe_shell_bind_tcp"; content:"|27 BD FF E0 24 0E FF FD 01 C0 20 27 01 C0 28 27 28 06 FF FF 24 02 10 57 01 01 01 0C 30 50 FF FF 24 0E FF EF 01 C0 70 27 24 0D FF FD 01 A0 68 27|"; fast_pattern:only; classtype:shellcode-detect; sid:30402; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_shell_reverse_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 05 20 81 E2 8C 70 A0 E3 8D 70 87 E2 00 00 00 EF 00 60 A0 E1 84 10 8F E2 10 20 A0 E3 8D 70 A0 E3 8E 70 87 E2 00 00 00 EF|"; fast_pattern:only; classtype:shellcode-detect; sid:30401; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_shell_bind_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 06 20 A0 E3 01 70 A0 E3 07 74 A0 E1 19 70 87 E2 00 00 00 EF 00 60 A0 E1 A4 10 8F E2 10 20 A0 E3 01 70 A0 E3 07 74 A0 E1|"; fast_pattern:only; classtype:shellcode-detect; sid:30400; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_exec"; content:"|01 30 8F E2 13 FF 2F E1 78 46 0A 30 01 90 01 A9 92 1A 0B 27 01 DF 2F 62 69 6E 2F 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30399; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_adduser"; content:"|05 50 45 E0 01 50 8F E2 15 FF 2F E1 78 46 5C 30 FF 21 FF 31 FF 31 FF 31 45 31 DC 22 C8 32 05 27 01 DF 80 46 41 46 08 1C 79 46 18 31 C0 46 28 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30398; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload java_shell_reverse_tcp"; content:"|24 00 00 18 00 00 00 6D 65 74 61 73 70 6C 6F 69 74 2F 50 61 79 6C 6F 61 64 2E 63 6C 61 73 73 95 59 09 7C 14 E5 15 7F EF DB 63 66 27 43 12 06 16|"; fast_pattern:only; classtype:shellcode-detect; sid:30397; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload java_jsp_shell_bind_tcp"; content:"|67 65 74 52 75 6E 74 69 6D 65 28 29 2E 65 78 65 63 28 20 22 63 6D 64 2E 65 78 65 22 20 29 3B 0A 20 20 20 20 28 20 6E 65 77 20 53 74 72 65 61 6D|"; fast_pattern:only; classtype:shellcode-detect; sid:30396; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload firefox_shell_bind_tcp"; content:"|73 68 2E 69 6E 69 74 57 69 74 68 50 61 74 68 28 22 43 3A 5C 5C 57 69 6E 64 6F 77 73 5C 5C 53 79 73 74 65 6D 33 32 5C 5C 77 73 63 72 69 70 74 2E|"; fast_pattern:only; classtype:shellcode-detect; sid:30395; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload firefox_exec"; content:"|73 68 2E 69 6E 69 74 57 69 74 68 50 61 74 68 28 22 43 3A 5C 5C 57 69 6E 64 6F 77 73 5C 5C 53 79 73 74 65 6D 33 32 5C 5C 63 6D 64 2E 65 78 65 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30394; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_ruby"; content:"|5C 22 34 34 34 34 5C 22 29 3B 77 68 69 6C 65 28 63 6D 64 3D 63 2E 67 65 74 73 29 3B 49 4F 2E 70 6F 70 65 6E 28 63 6D 64 2C 5C 22 72 5C 22 29 7B|"; fast_pattern:only; classtype:shellcode-detect; sid:30393; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_powershell"; content:"|70 6F 77 65 72 73 68 65 6C 6C 20 2D 77 20 68 69 64 64 65 6E 20 2D 6E 6F 70 20 2D 63 20 66 75 6E 63 74 69 6F 6E 20 52 53 43 7B 69 66 20 28 24 63|"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1086; classtype:shellcode-detect; sid:30392; rev:2;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 22 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29 3B 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63|"; fast_pattern:only; classtype:shellcode-detect; sid:30391; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_download_exec_vbs"; content:"|2E 65 78 65 22 2C 32 3A 43 72 65 61 74 65 4F 62 6A 65 63 74 28 22 57 53 63 72 69 70 74 2E 53 68 65 6C 6C 22 29 2E 52 75 6E 20 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30390; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_bind_ruby"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 65 20 22 73 3D 54 43 50 53 65 72 76 65 72 2E 6E 65 77 28 5C 22 34 34 34 34 5C 22 29 3B 77 68 69 6C|"; fast_pattern:only; classtype:shellcode-detect; sid:30389; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_bind_perl_ipv6"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 22 77 68 69 6C 65 28 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63 6B 65 74 3A 3A 49 4E 45 54 36 28 4C 6F 63|"; fast_pattern:only; classtype:shellcode-detect; sid:30388; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_bind_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 22 77 68 69 6C 65 28 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63 6B 65 74 3A 3A 49 4E 45 54 28 4C 6F 63 61|"; fast_pattern:only; classtype:shellcode-detect; sid:30387; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_adduser"; content:"|63 6D 64 2E 65 78 65 20 2F 63 20 6E 65 74 20 75 73 65 72 20 6D 65 74 61 73 70 6C 6F 69 74 20 4D 65 74 61 73 70 6C 6F 69 74 24 31 20 2F 41 44 44|"; fast_pattern:only; classtype:shellcode-detect; sid:30386; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_zsh"; content:"|20 34 34 34 34 3B 77 68 69 6C 65 20 72 65 61 64 20 2D 72 20 63 6D 64 20 3C 26 24 52 45 50 4C 59 3B 64 6F 20 65 76 61 6C 20 24 7B 63 6D 64 7D 20|"; fast_pattern:only; classtype:shellcode-detect; sid:30385; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_ruby_ssl"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 72 6F 70 65 6E 73 73 6C 20 2D 65 20 27 65 78 69 74 20 69 66 20 66 6F 72 6B 3B 63 3D 4F 70 65 6E 53|"; fast_pattern:only; classtype:shellcode-detect; sid:30384; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_ruby"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 65 20 27 65 78 69 74 20 69 66 20 66 6F 72 6B 3B 63 3D 54 43 50 53 6F 63 6B 65 74 2E 6E 65 77 28 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30383; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_python"; content:"|70 79 74 68 6F 6E 20 2D 63 20 22 65 78 65 63 28 27 61 57 31 77 62 33 4A 30 49 48 4E 76 59 32 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30382; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_php_ssl"; content:"|6F 29 3B 24 6F 3D 69 6D 70 6C 6F 64 65 28 22 5C 6E 22 2C 24 6F 29 3B 24 6F 2E 3D 22 5C 6E 22 3B 66 70 75 74 73 28 24 73 2C 24 6F 29 3B 7D 27 26|"; fast_pattern:only; classtype:shellcode-detect; sid:30381; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl_ssl"; content:"|70 65 72 6C 20 2D 65 20 27 75 73 65 20 49 4F 3A 3A 53 6F 63 6B 65 74 3A 3A 53 53 4C 3B 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29|"; fast_pattern:only; classtype:shellcode-detect; sid:30380; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29 3B 66 6F 72 65 61 63 68 20 6D 79 20 24 6B 65|"; fast_pattern:only; classtype:shellcode-detect; sid:30379; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_openssl"; content:"|3A 34 34 34 34 7C 77 68 69 6C 65 20 3A 20 3B 20 64 6F 20 73 68 20 26 26 20 62 72 65 61 6B 3B 20 64 6F 6E 65 20 32 3E 26 31 7C 6F 70 65 6E 73 73|"; fast_pattern:only; classtype:shellcode-detect; sid:30378; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_lua"; content:"|6C 75 61 20 2D 65 20 22 6C 6F 63 61 6C 20 73 3D 72 65 71 75 69 72 65 28 27 73 6F 63 6B 65 74 27 29 3B 6C 6F 63 61 6C 20 74 3D 61 73 73 65 72 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30377; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_awk"; content:"|2F 34 34 34 34 22 3B 66 6F 72 28 3B 73 7C 26 67 65 74 6C 69 6E 65 20 63 3B 63 6C 6F 73 65 28 63 29 29 77 68 69 6C 65 28 63 7C 67 65 74 6C 69 6E|"; fast_pattern:only; classtype:shellcode-detect; sid:30376; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse"; content:"|20 34 34 34 34 7C 77 68 69 6C 65 20 3A 20 3B 20 64 6F 20 73 68 20 26 26 20 62 72 65 61 6B 3B 20 64 6F 6E 65 20 32 3E 26 31 7C 74 65 6C 6E 65 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30375; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_zsh"; content:"|7A 6D 6F 64 6C 6F 61 64 20 7A 73 68 2F 6E 65 74 2F 74 63 70 3B 7A 74 63 70 20 2D 6C 20 34 34 34 34 3B 7A 74 63 70 20 2D 61 20 24 52 45 50 4C 59|"; fast_pattern:only; classtype:shellcode-detect; sid:30374; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_ruby"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 65 20 27 65 78 69 74 20 69 66 20 66 6F 72 6B 3B 73 3D 54 43 50 53 65 72 76 65 72 2E 6E 65 77 28 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30373; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_perl_ipv6"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 28 29 3B 65 78 69 74 2C 69 66 24 70 3B 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63|"; fast_pattern:only; classtype:shellcode-detect; sid:30372; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 28 29 3B 65 78 69 74 2C 69 66 24 70 3B 66 6F 72 65 61 63 68 20 6D 79 20 24 6B 65|"; fast_pattern:only; classtype:shellcode-detect; sid:30371; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_nodejs"; content:"|6E 6F 64 65 20 2D 65 20 27 65 76 61 6C 28 22 5C 78 32 30 5C 78 32 38 5C 78 36 36 5C 78 37 35 5C 78 36 65 5C 78 36 33 5C 78 37 34 5C 78 36 39 5C|"; fast_pattern:only; classtype:shellcode-detect; sid:30370; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_netcat_gaping_ipv6"; content:"|6E 63 20 2D 36 20 2D 6C 70 20 34 34 34 34 20 2D 65 20 2F 62 69 6E 2F 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30369; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_netcat_gaping"; content:"|6E 63 20 2D 6C 20 2D 70 20 34 34 34 34 20 2D 65 20 2F 62 69 6E 2F 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30368; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_netcat"; content:"|20 28 6E 63 20 2D 6C 20 2D 70 20 34 34 34 34 20 7C 7C 6E 63 20 2D 6C 20 34 34 34 34 29 30 3C 2F 74 6D 70 2F|"; fast_pattern:only; classtype:shellcode-detect; sid:30367; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_lua"; content:"|6C 75 61 20 2D 65 20 22 6C 6F 63 61 6C 20 73 3D 72 65 71 75 69 72 65 28 27 73 6F 63 6B 65 74 27 29 3B 6C 6F 63 61 6C 20 73 3D 61 73 73 65 72 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30366; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_inetd"; content:"|20 73 74 72 65 61 6D 20 74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20 2F 62 69 6E 2F 73 68 20 73 68 3E 2F 74 6D 70|"; fast_pattern:only; classtype:shellcode-detect; sid:30365; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_awk"; content:"|61 77 6B 20 27 42 45 47 49 4E 7B 73 3D 22 2F 69 6E 65 74 2F 74 63 70 2F 34 34 34 34 2F 30 2F 30 22 3B 66 6F 72 28 3B 73 7C 26 67 65 74 6C 69 6E|"; fast_pattern:only; classtype:shellcode-detect; sid:30364; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsdi_x86_shell_find_port"; content:"|50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 53|"; fast_pattern:only; classtype:shellcode-detect; sid:30363; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_reverse_tcp"; content:"|68 0A 07 00 2B 68 FF 02 11 5C 89 E7 31 C0 50 6A 01 6A 02 6A 10 B0 61 CD 80 57 50 50 6A 62 58 CD 80 50 6A 5A 58 CD 80 FF 4F E8 79 F6 68 2F 2F 73|"; fast_pattern:only; classtype:shellcode-detect; sid:30362; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_reverse_ipv6_tcp"; content:"|31 C0 50 40 50 6A 1C 6A 61 58 50 CD 80 EB 0E 59 6A 1C 51 50 97 6A 62 58 50 CD 80 EB 21 E8 ED FF FF FF 1C 1C 11 5C 00 00 00 00 FE 80 00 00 00 00|"; fast_pattern:only; classtype:shellcode-detect; sid:30361; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_find_port"; content:"|EE 50 6A 5A 58 CD 80 FF 4F F0 79 F6 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 53 50 B0 3B CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30360; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_bind_tcp"; content:"|31 C0 50 68 FF 02 11 5C 89 E7 50 6A 01 6A 02 6A 10 B0 61 CD 80 57 50 50 6A 68 58 CD 80 89 47 EC B0 6A CD 80 B0 1E CD 80 50 50 6A 5A 58 CD 80 FF|"; fast_pattern:only; classtype:shellcode-detect; sid:30359; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_bind_ipv6_tcp"; content:"|31 C0 50 40 50 6A 1C 6A 61 58 50 CD 80 89 C3 31 D2 52 52 52 52 52 52 68 1C 1C 11 5C 89 E1 6A 1C 51 50 6A 68 58 50 CD 80 B0 6A CD 80 52 53 B6 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30358; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_exec"; content:"|6A 3B 58 99 52 68 2D 63 00 00 89 E7 52 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 52 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 57 53 89 E1 52 51 53 50 CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30357; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_sparc_shell_reverse_tcp"; content:"|9C 2B A0 07 94 1A C0 0B 92 10 20 01 90 10 20 02 82 10 20 61 91 D0 20 08 D0 23 BF F8 92 10 20 03 92 A2 60 01 82 10 20 5A 91 D0 20 08 12 BF FF FD|"; fast_pattern:only; classtype:shellcode-detect; sid:30356; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_sparc_shell_bind_tcp"; content:"|9C 2B A0 07 94 1A C0 0B 92 10 20 01 90 10 20 02 82 10 20 61 91 D0 20 08 D0 23 BF F8 21 3F C0 80 E0 23 BF F0 C0 23 BF F4 92 23 A0 10 94 10 20 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30355; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload android_shell_reverse_tcp"; content:"|BB F5 F2 DF 82 54 99 5E 7C A7 92 76 3F 1B F0 EF 72 B4 B4 5B 07 FF 7E 8C 7F 19 1D 92 DF 97 F1 2F 93 98 FC 0D EA BF 50 4B 03 04 14 00 00 00 08 00|"; fast_pattern:only; classtype:shellcode-detect; sid:30354; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_reverse_tcp"; content:"|7C A5 2A 79 40 82 FF FD 7F C8 02 A6 3B DE 01 FF 3B DE FE 25 7F C9 03 A6 4E 80 04 20 FF 02 11 5C 0A 07 00 2B 4C C6 33 42 44 FF FF 02 3B DE FF F8|"; fast_pattern:only; classtype:shellcode-detect; sid:30353; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_interact"; content:"|7C A5 2A 79 40 82 FF FD 7F E8 02 A6 3B FF 01 20 38 7F FF 08 38 9F FF 10 90 7F FF 10 90 BF FF 14 88 5F FF 0F 98 BF FF 0F 4C C6 33 42 44 FF FF 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30352; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_find_port"; content:"|7F FF FA 79 40 82 FF FD 7F C8 02 A6 3B DE 01 FF 3B DE FE 1D 7F C9 03 A6 4E 80 04 20 4C C6 33 42 44 FF FF 02 3B DE FF F8 3B A0 07 FF 97 E1 FF FC|"; fast_pattern:only; classtype:shellcode-detect; sid:30351; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_bind_tcp"; content:"|7F FF FA 79 40 82 FF FD 7F C8 02 A6 3B DE 01 FF 3B DE FE 1D 7F C9 03 A6 4E 80 04 20 4C C6 33 42 44 FF FF 02 3B DE FF F8 3B A0 07 FF 7C A5 2A 78|"; fast_pattern:only; classtype:shellcode-detect; sid:30350; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE ASCII heapspray characters detected"; flow:to_client,established; file_data; content:"0d0d0d0d"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,sf-freedom.blogspot.com/2006/07/heap-spraying-internet-exploiter.html; classtype:attempted-user; sid:33339; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE percent encoded heapspray detected"; flow:to_server,established; file_data; content:"%68%65%61%70%73%70%72%61%79"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:shellcode-detect; sid:34019; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE percent encoded heapspray detected"; flow:to_client,established; file_data; content:"%68%65%61%70%73%70%72%61%79"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:34018; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl"; flow:to_server,established; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29 3B 66 6F 72 65 61 63 68 20 6D 79 20 24 6B 65|"; fast_pattern:only; http_uri; classtype:shellcode-detect; sid:34224; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"spray"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26791; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"shellcode"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26790; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"block"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26787; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"agent"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26786; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"payload"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25640; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"block"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25639; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"shellcode"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25636; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoder shellcode"; flow:to_client,established; content:"unescape"; content:"spray"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25634; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE heapspray characters detected - hexadecimal encoding"; flow:to_client,established; file_data; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23862; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE heapspray characters detected - ASCII"; flow:to_client,established; file_data; content:"0c0c0c0c0c0c0c0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23860; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE heapspray characters detected - hexadecimal encoding"; flow:to_server,established; file_data; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:23859; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE heapspray characters detected - ASCII"; flow:to_server,established; file_data; content:"0c0c0c0c0c0c0c0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:23857; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Feng-Shui heap grooming using Oleaut32"; flow:to_client, established; file_data; content:"Oleaut32"; fast_pattern:only; content:"CollectGarbage"; nocase; content:"heapLib"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.phreedom.org/research/heap-feng-shui/; classtype:shellcode-detect; sid:21258; rev:9;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_net_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_net_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_net_(config_get_interfaces|config_get_routes|config_add_route|config_remove_route|udp_client|tcp_server|tcp_client|socket_tcp_shutdown)/"; metadata:policy max-detect-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20191; rev:7;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_config_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_config_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_config_(getuid|sysinfo|rev2self|steal_token|drop_token|getprivs)/"; metadata:policy max-detect-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20188; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode tolower encoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|"; within:9; distance:1; fast_pattern; content:"|03 0C 24 6A 04|"; within:5; distance:1; content:"|5F 29 39 03 0C 24|"; distance:0; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19288; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed encoder"; content:"YAZBABABABABkMAGB9u4JB"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19287; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode uppercase encoder"; content:"1AYAZBABABABAB30APB944JB"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19286; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic non-alpha/non-upper encoder"; content:"|66 B9 FF FF EB 19 5E 8B FE 83 C7|"; fast_pattern; content:"|8B D7 3B F2 7D 0B B0 7B F2 AE FF|"; within:11; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19285; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic time-based context keyed encoder"; content:"|31 DB 8D 43 0D CD 80 66 31 C0|"; fast_pattern; content:"|D9 74 24 F4|"; distance:0; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19284; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic stat-based context keyed encoder"; content:"|D9 EE D9 74 24 F4 5B|"; fast_pattern; byte_jump:1,1,relative; content:"|83 C3 09 8D 53|"; within:5; content:"|31 C0 88 02 8D 4C 24 A8|"; within:8; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19283; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic cpuid-based context keyed encoder"; content:"|31 F6 31 FF 89 F8 31 C9 0F A2 31 C6 39 F0 75 03 8D 78 01 31|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19282; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic single-byte xor countodwn encoder"; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19281; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u4141%u4141"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; classtype:attempted-user; sid:18168; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u9090%u9090"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; classtype:attempted-user; sid:18167; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE JavaScript var heapspray"; flow:to_client,established; file_data; content:" heapspray"; nocase; pcre:"/var\s+heapspray[A-Z\d_\s]*=/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:17393; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE JavaScript var shellcode"; flow:to_client,established; file_data; content:" shellcode"; nocase; pcre:"/var\s+shellcode\s*=/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:17392; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17345; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic xor dword decoder"; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|83 EE FC E2 F4|"; distance:4; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17344; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode upper case decoder"; content:"Q|00|A|00|T|00|A|00|X|00|A|00|Z|00|A|00|P|00|U|00|3|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17343; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed case decoder"; content:"j|00|X|00|A|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|A|00|R|00|A|00|L|00|A|00|Y|00|A|00|I|00|A|00|"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17342; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha UTF8 tolower avoidance decoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|"; distance:1; content:"03 0c 24 6a 04"; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17341; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder"; content:"VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8A"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17340; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 generic OS alpha numeric mixed case decoder"; content:"jAXP0A0AkAAQ2AB2BB0BBABXP8ABu"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17339; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 Microsoft Windows 32-bit SEH get EIP technique"; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17338; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 Microsoft Win32 export table enumeration variant"; content:"|8B 6C 24 24 8B 45 3C 8B 7C 05 78 01 EF 8B 4F 18 8B 5F 20 01 EB 49 8B 34 8B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17337; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic call geteip byte xor decoder"; content:"|EB 10|"; content:"|31 C9 66 81 E9|"; distance:1; content:"|E2 FA EB 05 E8 EB FF FF FF|"; distance:5; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17336; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip byte xor decoder"; content:"|D9 E1 D9 34 24|"; content:"|E7 31 C9 66 81 E9|"; distance:6; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17335; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder variant"; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17325; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 Linux reverse connect shellcode"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80|"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17324; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder"; content:"|D9 EE D9 74 24 F4|"; content:"|81|"; distance:1; content:"|13|"; distance:1; content:"|83|"; distance:1; content:"|FC E2 F4|"; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17322; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"INDICATOR-SHELLCODE x86 win2k-2k3 decoder base shellcode"; flow:to_server,established; content:"|C7 0B|GGGG|81|7"; content:"u|F4|"; within:2; distance:4; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,19409; reference:cve,2006-3439; classtype:attempted-user; sid:15902; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u0c0c%u0c0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; classtype:attempted-user; sid:15698; rev:15;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:14986; rev:10;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12802; rev:10;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12800; rev:10;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12799; rev:10;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12798; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape unicode encoded shellcode"; flow:to_client,established; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|"; fast_pattern:only; pcre:"/(s\x00p\x00r\x00a\x00y\x00|r\x00e\x00t\x00u\x00r\x00n\x00_\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00c\x00o\x00d\x00e\x00|s\x00h\x00e\x00l\x00l\x00c\x00o\x00d\x00e\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|b\x00l\x00o\x00c\x00k\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00|a\x00g\x00e\x00n\x00t\x00|h\x00s\x00p\x00t\x00)/smi"; pcre:"/u\x00n\x00e\x00s\x00c\x00a\x00p\x00e\x00\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:12630; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"payload"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:10505; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"return_address"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:10504; rev:12;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:1390; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:648; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Javascript 0xCCCC unicode unescape"; flow:to_client,established; file_data; content:"unescape|28|"; nocase; content:"%ucccc"; within:200; fast_pattern; nocase; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:37583; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder"; flow:to_server,established; file_data; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:shellcode-detect; sid:40279; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder"; flow:to_client,established; file_data; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:40278; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 decoder"; content:"|EB 03 59 EB 05 E8 F8 FF FF FF 49 49 49 49 49 49 49 49 49 49 37 49 49 49 49 49 49 49 51 5A 6A 49 58 30 42 30 50 42 6B 42 41 59 42 41 32 42 41 32 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41297; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 decoder"; content:"|7C A5 2A 79 40 82 FF FD 7F E8 02 A6 3B FF 07 FA 38 A5 F8 4A 3C C0 EB 83 60 C6 F8 1C 38 85 07 EE 7C 89 03 A6 80 9F F8 4A 7C 84 32 78 90 9F F8 4A 7C 05|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41296; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 decoder"; content:"|7C 63 1A 79 40 82 FF FD 7D A8 02 A6 38 C3 E1 35 39 80 01 18 39 AD 1F FF 81 CD E1 39 81 ED E1 35 7D EF 72 78 91 ED E1 35 7C 06 68 AC 7C 01 04 AC 7C 06|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41295; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 decoder"; content:"|29 C9 B8 71 16 14 7D B1 51 DA D8 D9 74 24 F4 5B 31 43 0E 83 EB FC 03 32 1C F6 88 48 4A 1D 3F 58 72 1E 3F 67 E5 6A AC B3 C2 E7 68 87 81 84 77 8F 94 9B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41294; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 decoder"; content:"|23 24 EF B4 A2 14 62 78 20 BF FF FF 20 BF FF FF 7F FF FF FF EA 03 E0 20 AA 9D 40 11 EA 23 E0 20 A2 04 40 15 81 DB E0 20 12 BF FF FB 9E 03 E0 04 0F 95|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41293; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Windows x86 PassiveX stage"; content:"|FC E8 8E 00 00 00 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 49 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41292; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Windows x86 EMET disable"; content:"|58 94 C3 66 58 C3 E8 27 B7 67 FF 20 66 5B C3 66 BB 3C 00 00 00 66 01 C3 C3 66 31 ED C3 66 01 C5 C3 66 67 03 03 C3 66 5B C3 66 BB 28 00 00 00 66 01 C3|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41291; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Windows x86 download execute"; content:"|EB 10 5A 4A 33 C9 66 B9 3C 01 80 34 0A 99 E2 FA EB 05 E8 EB FF FF FF 70 4C 99 99 99 C3 FD 38 A9 99 99 99 12 D9 95 12 E9 85 34 12 D9 91 12 41 12 EA A5|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41290; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Windows x86 add user"; content:"|FC E8 44 00 00 00 8B 45 3C 8B 7C 05 78 01 EF 8B 4F 18 8B 5F 20 01 EB 49 8B 34 8B 01 EE 31 C0 99 AC 84 C0 74 07 C1 CA 0D 01 C2 EB F4 3B 54 24 04 75 E5|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41289; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Solaris x86 reverse connect shell"; content:"|B8 FF F8 FF 3C F7 D0 50 31 C0 B0 9A 50 89 E5 31 C9 51 41 41 51 51 B0 E6 FF D5 31 D2 89 C7 68 66 68 93 93 66 51 10 E1 6A 10 56 57 B0 EB FF D5 31 D2 B2|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41288; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Solaris x86 FindSock shell"; content:"|56 5F 83 EF 7C 57 8D 4F 10 B0 91 AB AB 91 AB 95 B5 54 51 66 B9 01 01 51 33 C0 B0 36 FF D6 59 33 DB 3B C3 75 0A 66 BB 00 00 66 39 5D 02 74 02 E2 E6 6A|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41287; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Solaris x86 bind shell"; content:"|B8 FF F8 FF 3C F7 D0 50 31 C0 B0 9A 50 89 E5 31 C9 51 41 41 51 51 B0 E6 FF D5 31 D2 89 C7 52 66 68 11 5C 66 51 89 E6 6A 10 56 57 B0 E8 FF D5 B0 E9 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41286; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SCO OpenServer x86 shell"; content:"|31 C9 89 E3 68 D0 8C 97 FF 68 D0 9D 96 91 89 E2 68 FF F8 FF 6F 68 9A FF FF FF 80 F1 10 F6 13 4B E2 FB 91 50 54 52 50 34 3B FF E3|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41285; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE OpenBSD x86 bind shell"; content:"|41 51 C9 31 51 51 41 51 61 B0 C0 31 07 89 80 CD 4F 88 C9 31 05 47 C6 04 08 4F 89 02 06 47 C7 66 10 6A 39 1B 50 04 47 8D 50 50 07 8B 68 B0 C0 31 01 6A|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41284; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE OpenBSD x86 add user"; content:"|EB 2B 5E 31 C0 88 46 0B 88 46 29 50 B0 09 50 31 C0 56 50 B0 05 CD 80 89 C3 6A 1D 8D 46 0C 50 53 50 31 C0 B0 04 CD 80 31 C0 B0 01 CD 80 E8 D0 FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41283; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE NetBSD x86 shell"; content:"|EB 23 5E 8D 1E 89 5E 0B 31 D2 89 56 07 89 56 0F 89 56 14 88 56 19 31 C0 B0 3B 8D 4E 0B 89 CA 52 51 53 50 EB 18 E8 D8 FF FF FF 2F 62 69 6E 2F 73 68 01|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41282; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE NetBSD x86 shell"; content:"|99 52 52 52 6A 7E 58 CD 80 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 54 53 52 34 3B CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41281; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE NetBSD x86 shell"; content:"|31 C0 50 50 50 34 7E CD 80 58 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 53 50 34 3B CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41280; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE NetBSD x86 reverse connect shell"; content:"|31 C0 31 C9 50 40 50 40 50 50 B0 61 CD 80 89 C3 89 E2 49 51 51 41 68 F5 FF FF FD 68 FF FD E5 F5 B1 10 51 F6 12 4A E2 FB F6 12 52 50 50 B0 62 CD 80 B1|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41279; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Multi-OS shell - solaris/linux/irix"; content:"|37 37 EB 2F 30 80 00 12 04 10 FF FF 24 02 03 F3 23 FF 02 14 23 E4 FE 08 23 E5 FE 10 AF E4 FE 10 AF E0 FE 14 A3 E0 FE 0F 03 FF FF CC 2F 62 69 6E 2F 73|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41278; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Multi-OS shell - solaris/linux"; content:"|90 90 EB 34 21 0B D8 9A A0 14 21 6E 23 0B CB DC A2 14 63 68 E0 3B BF F0 C0 23 BF F8 90 23 A0 10 C0 23 BF EC D0 23 BF E8 92 23 A0 18 94 22 80 0A 82 10|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41277; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Multi-OS shell - osx x86/ppc"; content:"|5F 90 EB 48 7C A5 2A 79 40 82 FF FD 7D 68 02 A6 3B EB 01 70 39 40 01 70 39 1F FE CF 7C A8 29 AE 38 7F FE C8 90 61 FF F8 90 A1 FF FC 38 81 FF F8 38 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41276; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Multi-OS shell - linux x86/ppc"; content:"|5F 90 EB 48 69 69 69 69 69 69 69 69 69 69 69 69 7C 3F 0B 78 7C A5 2A 79 42 40 FF F9 7F 08 02 A6 3B 18 01 34 98 B8 FE FB 38 78 FE F4 90 61 FF F8 38 81|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41275; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC Xterm execution"; content:"|7C A5 2A 79 40 82 FF FD 7F E8 02 A6 39 5F 01 70 39 0A FE FC 7C A8 29 AE 39 0A FF 05 7C A8 29 AE 39 0A FF 14 7C A8 29 AE 38 6A FF 06 90 61 FF F8 38 6A|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41274; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC shell setuid"; content:"|7C 63 1A 79 40 82 FF FD 7D 68 02 A6 3B EB 01 70 39 40 01 70 39 1F FE DF 7C 68 19 AE 38 0A FE A7 44 FF FF 02 60 60 60 60 7C A5 2A 79 38 7F FE D8 90 61|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41273; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC shell"; content:"|7C A5 2A 79 40 82 FF FD 7D 68 02 A6 3B EB 01 70 39 40 01 70 39 1F FE CF 7C A8 29 AE 38 7F FE C8 90 61 FF F8 90 A1 FF FC 38 81 FF F8 38 0A FE CB 44 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41272; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC reverse stage null free"; content:"|3B 60 30 91 38 1B CF D0 38 7B CF 71 38 9B CF 70 38 BB CF 75 44 FF FF 02 7C A5 2A 78 7C 7E 1B 78 3B 20 11 E0 6B 39 01 01 3B BB CF 71 57 BD 80 1E 7F BD|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41271; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC reverse stage"; content:"|38 60 00 02 38 80 00 01 38 A0 00 06 38 00 00 61 44 00 00 02 7C 00 02 78 7C 7E 1B 78 48 00 00 0D 00 02 10 E1 7F 00 00 01 7C 88 02 A6 38 A0 00 10 38 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41270; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC reverse shell"; content:"|38 60 00 02 38 80 00 01 38 A0 00 06 38 00 00 61 44 00 00 02 7C 00 02 78 7C 7E 1B 78 48 00 00 0D 00 02 10 E1 7C 88 02 A6 38 A0 00 10 38 00 00 62 7F C3|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41269; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC reboot"; content:"|7C 63 1A 79 39 40 01 70 38 0A FE B4 44 FF FF 02 60 60 60 60 38 0A FE C7 44 FF FF 02|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41268; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC INETD backdoor"; content:"|7C A5 2A 79 40 82 FF FD 7D 48 02 A6 3B EA 01 70 39 60 01 70 39 1F FF 1B 7C A8 29 AE 39 1F FF 65 7C A8 29 AE 38 7F FF 0C 38 8B FE 99 38 A0 FF FF 38 0B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41267; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC create setuid"; content:"|7C A5 2A 79 40 82 FF FD 7F E8 02 A6 39 1F 01 71 39 08 FE F4 7C A8 29 AE 38 7F 01 68 38 63 FE F4 38 80 02 01 38 A0 FF FF 39 40 01 70 38 0A FE 95 44 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41266; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC add user"; content:"|7C A5 2A 79 40 82 FF FD 7D 48 02 A6 3B EA 01 70 39 60 01 70 39 1F FF 0D 7C A8 29 AE 38 7F FF 04 38 80 02 01 38 A0 FF FF 38 0B FE 95 44 FF FF 02 60 60|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41265; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux x86 reverse connect UDP shell"; content:"|31 DB 53 6A 02 6A 02 43 6A 66 58 89 E1 CD 80 93 59 B0 3F CD 80 49 79 F9 5B 5A 68 66 68 10 E1 66 53 89 E1 6A 10 51 53 89 E1 43 B0 66 CD 80 6A 0B 58 52|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41264; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux x86 FindSock shell"; content:"|31 D2 52 89 E5 6A 07 5B 6A 10 54 55 52 89 E1 FF 01 6A 66 58 CD 80 66 81 7D 02 00 00 75 F1 5B 6A 02 59 B0 3F CD 80 49 79 F9 52 68 2F 2F 73 68 68 2F 62|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41263; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux x86 execute"; content:"|6A 0B 58 99 52 66 68 2D 63 89 E7 68 2F 73 68 00 68 2F 62 69 6E 89 E3 52 E8 09 00 00 00 69 66 63 6F 6E 66 69 67 00 57 53 89 E1 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41262; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux SPARC reverse connect shell"; content:"|9D E3 BF 80 90 10 20 02 D0 37 BF E0 90 10 29 09 D0 37 BF E2 13 30 2A 19 90 12 60 01 D0 27 BF E4 90 10 20 02 92 10 20 01 94 22 60 01 D0 23 A0 44 D2 23|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41261; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux SPARC reverse connect shell"; content:"|9C 2B A0 07 90 10 20 01 A0 10 20 02 E0 23 BF F4 D0 23 BF F8 C0 23 BF FC 92 23 A0 0C 82 10 20 CE 91 D0 20 10 A4 23 A0 20 A6 10 20 10 D0 23 BF F4 E6 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41260; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux SPARC FindSock shell"; content:"|AC 10 20 00 9C 2B A0 07 90 1A 80 0A D0 23 BF E0 90 02 20 01 90 0A 2F FF 96 10 20 10 94 23 A0 04 92 23 A0 20 D0 3B BF F0 D4 3B BF F8 92 23 A0 10 90 10|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41259; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux SPARC bind shell"; content:"|9D E3 BF 78 90 10 20 02 92 10 20 01 94 22 80 0A D0 23 A0 44 D2 23 A0 48 D4 23 A0 4C 90 10 20 01 92 03 A0 44 82 10 20 CE 91 D0 20 10 D0 27 BF F4 90 10|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41258; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux SPARC bind shell"; content:"|9C 2B A0 07 A0 10 20 02 90 10 20 01 E0 23 BF F4 D0 23 BF F8 C0 23 BF FC 92 23 A0 0C 82 10 20 CE 91 D0 20 10 A4 23 A0 20 A6 10 20 10 D0 23 BF F4 E6 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41257; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux PPC shell"; content:"|7C C6 32 78 2F 86 7F FF 41 BC 00 54 7C 68 02 A6 B0 C3 FF F9 B0 C3 FF F1 38 86 7F F0 38 A6 7F F4 38 E6 7F F3 7C A5 22 78 7C E7 22 78 7C 85 3A 14 7C C4|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41256; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux PPC shell"; content:"|7C 3F 0B 78 7C A5 2A 79 42 40 FF F9 7F 08 02 A6 3B 18 01 34 98 B8 FE FB 38 78 FE F4 90 61 FF F8 38 81 FF F8 90 A1 FF FC 3B C0 01 60 7F C0 2E 70 44 DE|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41255; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux PPC reverse connect shell"; content:"|7C 3F 0B 78 3B 40 01 0E 3B 5A FE F4 7F 43 D3 78 3B 60 01 0D 3B 7B FE F4 7F 64 DB 78 7C A5 2A 78 7C 3C 0B 78 3B 9C 01 0C 90 7C FF 08 90 9C FF 0C 90 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41254; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux PPC read execute"; content:"|7C 63 1A 79 38 A0 04 04 30 05 FB FF 7C 24 0B 78 44 DE AD F2 69 69 69 69 7C 29 03 A6 4E 80 04 21|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41253; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux MIPS shell"; content:"|FF FF 10 04 AB 0F 02 24 55 F0 46 20 66 06 FF 23 C2 F9 EC 23 66 06 BD 23 9A F9 AC AF 9E F9 A6 AF 9A F9 BD 23 21 20 80 01 21 28 A0 03 CC CD 44 03 2F 62|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41252; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE IRIX MIPS shell"; content:"|04 10 FF FF 24 02 03 F3 23 FF 01 14 23 E4 FF 08 23 E5 FF 10 AF E4 FF 10 AF E0 FF 14 A3 E0 FF 0F 03 FF FF CC 2F 62 69 6E 2F 73 68|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41251; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX PA-RISC shell"; content:"|E8 3F 1F FD 08 21 02 80 34 02 01 02 08 41 04 02 60 40 01 62 B4 5A 01 54 0B 39 02 99 0B 18 02 98 34 16 04 BE 20 20 08 01 E4 20 E0 08 96 D6 05 34 DE AD|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41250; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE freeBSD x86 shell"; content:"|EB 17 5B 31 C0 88 43 07 89 5B 08 89 43 0C 50 8D 53 08 52 53 B0 3B 50 CD 80 E8 E4 FF FF FF 2F 62 69 6E 2F 73 68|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41249; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE freeBSD x86 shell"; content:"|99 52 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 51 52 53 53 6A 3B 58 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41248; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE freeBSD x86 shell - chown/chmod/exec"; content:"|31 C0 50 68 2F 2F 73 68 68 2F 74 6D 70 89 E3 50 50 53 50 B0 10 CD 80 31 C0 66 0D ED 0D 50 53 50 31 C0 B0 0F CD 80 B0 01 50 50 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41247; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE freeBSD x86 kldload"; content:"|EB 2C 5E 31 C0 B0 17 50 CD 80 31 C0 50 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 50 66 68 2D 63 89 E7 50 56 57 53 89 E7 50 57 53 50 B0 3B CD 80 E8 CF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41246; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 shell - evade"; content:"|EB 1B 5E 31 C0 6A 1A 6A 17 59 49 5B 8A 04 0E F6 D3 30 D8 88 04 0E 50 85 C9 75 EF EB 05 E8 E0 FF FF FF 0E 6F C7 F9 BE A3 E4 FF B8 FF B2 F4 1F 95 4C FB|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41245; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 shell - evade"; content:"|EB 0E 5E 31 C9 B1 1C FE 04 0E E2 FB FE 06 56 C3 E8 ED FF FF FF EA 0D 5D 30 BF 87 45 06 4F 53 55 AF 3A 4F CC 7F E7 EC FE FE FE 2E 61 68 6D 2E 72 67|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41244; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 shell"; content:"|EB 0D 5F 31 C0 50 89 E2 52 57 54 B0 3B CD 80 E8 EE FF FF FF 2F 62 69 6E 2F 73 68|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41243; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 setuid shell"; content:"|31 C0 50 B0 17 50 CD 80 50 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 50 54 53 50 B0 3B CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41242; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 reverse stage"; content:"|6A 61 58 99 52 42 52 42 52 68 7F 00 00 01 CD 80 68 10 02 10 E1 89 E1 6A 10 51 50 51 97 6A 62 58 CD 80 B0 03 C6 41 FD 10 CD 80 C3|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41241; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 reverse connect shell"; content:"|EB 68 5E 31 C0 31 DB B3 06 53 B3 01 53 B3 02 53 53 B0 61 CD 80 89 C2 C6 46 01 02 66 C7 46 02 69 7A B3 10 53 8D 1E 53 50 50 B0 62 CD 80 31 DB 53 52 B0|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41240; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 reverse connect shell"; content:"|EB 56 5E 31 C0 C6 46 01 02 66 C7 46 02 AE 08 C7 46 04 C3 2E 40 28 6A 06 6A 01 6A 02 B0 61 50 CD 80 89 C2 6A 10 8D 06 50 52 31 C0 B0 62 50 CD 80 B1 03|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41239; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 mail passwd"; content:"|EB 25 59 31 C0 50 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 50 66 68 2D 63 89 E7 50 51 57 53 89 E7 50 57 53 50 B0 3B CD 80 E8 D6 FF FF FF 2F 62 69 6E 2F 63|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41238; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 FindSock shell"; content:"|31 FF 57 89 E5 47 89 EC 6A 10 54 55 57 6A 1F 58 6A 02 CD 80 66 81 7D 02 00 00 75 E9 59 51 57 6A 5A 58 51 CD 80 49 79 F5 68 2F 2F 73 68 68 2F 62 69 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41237; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 FindRecv stage"; content:"|31 D2 52 89 E6 52 52 B2 80 52 B6 0C 52 56 52 52 66 FF 46 E8 6A 1D 58 CD 80 81 3E 6D 73 66 21 75 EF FC AD 5A 5F 5A FF E6|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41236; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 execute"; content:"|6A 3B 58 99 52 66 68 2D 63 89 E7 52 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 52 E8 09 00 00 00 69 66 63 6F 6E 66 69 67 00 57 53 89 E1 52 51 53 50 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41235; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 chroot"; content:"|68 62 2E 2E 2E 89 E7 33 C0 88 47 03 57 B0 88 50 CD 80 57 B0 3D 50 CD 80 47 33 C9 B1 FF 57 50 B0 0C CD 80 E2 FA 47 57 B0 3D 50 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41234; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 bind stage"; content:"|6A 61 58 99 52 68 10 02 11 5C 89 E1 52 42 52 42 52 6A 10 CD 80 99 93 51 53 52 6A 68 58 CD 80 B0 6A CD 80 52 53 B6 10 52 B0 1E CD 80 51 50 51 97 6A 03|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41233; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD SPARC bind shell"; content:"|9C 2B A0 07 94 1A C0 0B 92 10 20 01 90 10 20 02 82 10 20 61 91 D0 20 08 D0 23 BF F8 21 3F C0 84 A0 14 21 5C E0 23 BF F0 C0 23 BF F4 92 23 A0 10 94 10|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41232; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD PPC shell"; content:"|7C C6 32 78 2F 86 7F FF 41 BC 00 5C 7C 68 02 A6 B0 C3 FF F9 B0 C3 FF F1 38 86 7F F0 38 A6 7F F4 38 E6 7F F3 7C A5 22 78 7C E7 22 78 7C 85 3A 14 7C C4|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41231; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSDi x86 shell toupper"; content:"|EB 57 5E 31 DB 83 C3 08 83 C3 02 88 5E 26 31 DB 83 C3 23 83 C3 23 88 5E A8 31 DB 83 C3 26 83 C3 30 88 5E C2 31 C0 88 46 0B 89 F3 83 C0 05 31 C9 83 C1|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41230; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSDi x86 shell"; content:"|EB 1F 5E 31 C0 89 46 F5 88 46 FA 89 46 0C 89 76 08 50 8D 5E 08 53 56 56 B0 3B 9A FF FF FF FF 07 FF E8 DC FF FF FF 2F 62 69 6E 2F 73 68 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41229; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSDi x86 reverse connect stage"; content:"|89 E5 68 00 07 00 C3 B8 9A 00 00 00 99 50 89 E6 52 42 52 42 52 6A 61 58 FF D6 97 68 7F 00 00 01 68 10 02 10 E1 89 E3 6A 10 53 57 6A 62 58 FF D6 B0 03|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41228; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSDi x86 bind stage"; content:"|89 E5 68 00 07 00 C3 B8 9A 00 00 00 99 50 89 E6 31 C0 50 40 50 40 50 B0 61 FF D6 52 68 10 02 11 5C 89 E3 6A 10 53 50 6A 68 58 FF D6 B0 6A FF D6 59 52|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41227; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE AIX /bin/sh"; content:"|7C 08 02 A6 94 21 FB B0 90 01 04 58 3C 60 F0 19 60 63 2C 48 90 61 04 40 3C 60 D0 02 60 63 4C 0C 90 61 04 44 3C 60 2F 62 60 63 69 6E 90 61 04 38 3C 60|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41226; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE single byte x86 xor decryption routine"; flow:to_client,established; file_data; content:"EB125831C966B96D0549803408"; content:"85C975F7FFE0E8E9FFFFFF"; within:22; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:43255; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE KUSER_SHARED_DATA NtMajorVersion and NtMinorVersion offsets"; flow:to_client,established; content:"0x7ffe026c"; content:"0x7ffe0270"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:43254; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE KernelFuzzer system call 64 bit"; flow:to_server,established; file_data; content:"|8B 4D 50 51 48 8B 4D 48 51 48 8B 4D 40 51 48 8B 4D 38 51 4C 8B 4D 30 49 8B CA 0F 05 48 8B E5 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:shellcode-detect; sid:49691; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE KernelFuzzer system call 64 bit"; flow:to_client,established; file_data; content:"|8B 4D 50 51 48 8B 4D 48 51 48 8B 4D 40 51 48 8B 4D 38 51 4C 8B 4D 30 49 8B CA 0F 05 48 8B E5 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:49690; rev:1;)

21
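--- a/docker/etc/rules/info.rules
+++ b/docker/etc/rules/info.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#------------
+# INFO RULES
+#------------
+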
21
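--- a/docker/etc/rules/local.rules
+++ b/docker/etc/rules/local.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#-------------
+# LOCAL RULES
+#-------------
+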
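Review bot: The Sourcefire VRT license header that opens this file does not fit local.rules, which the LOCAL RULES banner at the end of the hunk marks as the place for site-written rules; left as is, it asserts that Sourcefire owns and certified whatever an operator adds here. The header appears to have been copied from the distributed rule files rather than written for this one. Replace it with a short note such as `# Site-local rules. Rules added here are written and maintained by the operator and are not covered by the VRT Certified Rules License Agreement.` If the project follows the usual Snort convention of reserving sids from 1000000 upward for local rules, stating that in the same comment would help whoever edits this file next.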

@@ -0,0 +1,812 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------------
# MALWARE-BACKDOOR RULES
#------------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Unix.Backdoor.Cdorked backdoor command attempt"; flow:to_server,established; content:"SECID="; fast_pattern:only; content:"SECID="; depth:6; http_cookie; content:"POST"; http_method; pcre:"/^Cookie\x3a\s?SECID=[^\x3b]+?$/mD"; pcre:"/\?[a-f0-9]{4}$/miU"; metadata:impact_flag red, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26529; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; content:"macName="; depth:60; http_client_body; content:"&macOS="; within:100; http_client_body; content:"&macMac="; within:200; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26842; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Backdoor.Win32.Neshgai.A runtime detection"; flow:to_server,established; content:".asp?"; nocase; http_uri; content:"SystemInfo-"; fast_pattern:only; http_uri; content:"hostid="; nocase; http_uri; content:"hostname="; nocase; http_uri; content:"hostip="; nocase; http_uri; content:"filename="; nocase; http_uri; content:"filetext="; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/fdbae1ccf6aa82e601584e09b4098dc3874d40d858654e9903628d55c98b07b9/analysis; classtype:trojan-activity; sid:26823; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trojan.Midwgif.A runtime detection"; flow:to_server,established; content:"loginmid="; fast_pattern; nocase; http_client_body; content:"&nickid="; distance:0; nocase; http_client_body; pcre:"/loginmid=[0-9a-f]{24}&nickid=[^&]+&s=/iP"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/2c7b0b235c04f9f9392418ebced21b7efeb19550f5e29aee5a13d9f884a31da9/analysis/; classtype:trojan-activity; sid:26773; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.PCRat data upload"; flow:to_server,established; content:"PCRatd"; depth:6; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA09230DC285AE66CA0C9B7247B/analysis/; classtype:misc-activity; sid:26655; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"/index.php"; nocase; content:"COMPNAME_END"; nocase; content:"COMPNAME"; within:8; distance:4; nocase; content:"CODE_START"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/B91D64E9FE35C0B2164239E751F353CCCE861A718FAEF5E4D4887DB7BAD0BAEC/analysis/; classtype:trojan-activity; sid:26611; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"/index.php"; nocase; content:"COMPNAME_END"; nocase; content:"COMPNAME"; within:8; distance:4; nocase; content:"CODE_START"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/B91D64E9FE35C0B2164239E751F353CCCE861A718FAEF5E4D4887DB7BAD0BAEC/analysis/; classtype:trojan-activity; sid:26610; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Jokra dropper download"; flow:to_client,established; content:"|05 C4 89 84 24 70 1A 30 5B 82 44 8D 79 22 75 04 67 09 4E 33 7B|"; fast_pattern:only; file_data; content:"|93 4C C8 83 0C B8 72 42 06 39 F4 02 84 DB 02 F8 CE 80 1C|"; nocase; content:"UPX!"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/422c767682bee719d85298554af5c59cf7e48cf57daaf1c5bdd87c5d1aab40cc/analysis/; classtype:trojan-activity; sid:26332; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Windows vernot download"; flow:to_client,established; content:"|2F|res|2F 7C|1|7C|2|7C|3|7C|4|7C|5|7C|5|7C|5|7C|6|7C|5|7C|7|7C|8|7C|9|7C|10|7C|1|7C|5|7C|11|7C|12|7C|700|7C|"; fast_pattern:only; file_data; content:"|7C 5B|Z/1413617015|7C|com.evernote.edam.type.NoteAttributes/3819593128|7C 5B|B/3308590456|7C|"; content:"&targetUrl=%2FHome.action&targetUrl=%2FHome.action&login=%E7%99%BB%E5%BD%95&_sourcePage="; content:"$_$Today is a very important day for me.$"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/e21921abd435f1523f41a040b8423f123487c1d9e8e5443ee219589ad8235e63/analysis/; classtype:trojan-activity; sid:26328; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR DarkSeoul related wiper"; flow:to_client,established; content:"JO840112-CRAS8468-11150923-PCI8273V"; fast_pattern:only; file_data; content:"|5F 0F 94 C0 5E C9 C3 53 56 8B 74 24 0C 33 DB 57 39 1E 7E 19 8D BE 78 01 00 00 FF 37 56 FF 96 A0|"; content:"taskkill /F /IM pasvc.exe"; content:"GIt%"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/510f83af3c41f9892040a8a80b4f3a4736eebee2ec4a7d4bfee63dbe44d7ecff/analysis/; classtype:trojan-activity; sid:26326; rev:2;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - tran"; flow:to_client,established; content:"|2D 00 74 00 72 00 61 00 6E 00|"; fast_pattern:only; pcre:"/\x2D\x00\x74\x00\x72\x00\x61\x00\x6E\x00(\x20\x00){1,3}([0-9]\x00){1,5}(\x20\x00){1,3}([a-z0-9\x2D\x2E]\x00){2,256}(\x20\x00){1,3}([0-9]\x00){1,5}/i"; metadata:impact_flag red, policy security-ips drop, service netbios-ssn; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25284; rev:2;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - slave"; flow:to_client,established; content:"|2D 00 73 00 6C 00 61 00 76 00 65 00|"; fast_pattern:only; pcre:"/\x2D\x00\x73\x00\x6C\x00\x61\x00\x76\x00\x65\x00(\x20\x00){1,3}([a-z0-9\x2D\x2E]\x00){2,256}(\x20\x00){1,3}([0-9]\x00){1,5}(\x20\x00){1,3}([a-z0-9\x2D\x2E]\x00){2,256}(\x20\x00){1,3}([0-9]\x00){1,5}/i"; metadata:impact_flag red, policy security-ips drop, service netbios-ssn; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25283; rev:2;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - listen"; flow:to_client,established; content:"-|00|l|00|i|00|s|00|t|00|e|00|n"; fast_pattern:only; pcre:"/-\x00l\x00i\x00s\x00t\x00e\x00n\x00(\x20\x00){1,3}([0-9]\x00){1,5}\x20\x00([0-9]\x00){1,5}\x20\x00/i"; metadata:impact_flag red, policy security-ips drop, service netbios-ssn; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25282; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Htran banner"; flow:to_client,established; content:"===== HUC Packet Transmit Tool"; fast_pattern:only; metadata:policy security-ips drop, service ircd; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25281; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - tran"; flow:to_server,established; content:"|20|-tran"; fast_pattern:only; pcre:"/\x20{1,3}\x2dtran\x20{1,3}\d{1,5}\x20{1,3}[a-z0-9\-\.]{1,128}\x20{1,3}\d{1,5}/i"; metadata:impact_flag red, policy security-ips drop; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25280; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - slave"; flow:to_server,established; content:"|20|-slave"; fast_pattern:only; pcre:"/\x20{1,3}\x2dslave\x20{1,3}[a-z0-9\-\.]{1,128}\x20{1,3}\d{1,5}/i"; metadata:impact_flag red, policy security-ips drop; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25279; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - listen"; flow:to_server,established; content:"|20|-listen"; fast_pattern:only; pcre:"/\x20\x2dlisten\x20{1,3}\d{1,5}\x20{1,3}\d{1,5}/i"; metadata:impact_flag red, policy security-ips drop; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25278; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6666:7000] (msg:"MALWARE-BACKDOOR UnrealIRCd backdoor command execution attempt"; flow:to_server,established; isdataat:!200; content:"AB|3B|"; depth:3; metadata:impact_flag red, service irc; reference:bugtraq,40820; reference:cve,2010-2075; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.unrealircd.com/txt/unrealsecadvisory.20100612.txt; classtype:attempted-admin; sid:25106; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/#/file/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf/detection; classtype:trojan-activity; sid:25015; rev:2;)
# alert tcp $HOME_NET 6116 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR am remote client runtime detection - client response"; flow:to_client,established; flowbits:isset,AM_Remote_Client; content:"|35 01 02|"; depth:3; content:"|01 02|Internet Explorer|01 02|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:24545; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Spy.Heur variant outbound connection attempt"; flow:to_server,established; content:"bot.php"; nocase; http_uri; content:"User-Agent|3A| Opera/9.80|0D 0A|"; fast_pattern:only; http_header; pcre:"/bot\.php.*?[?&](keep=newkeep|log=\*)/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/3030d86899568e13bbddca7aced8a3edb0dd891b70962a81007da3f8a5eadb47/analysis/; classtype:trojan-activity; sid:24540; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Ransomlock runtime detection"; flow:to_server,established; content:"?id="; http_uri; content:"&cmd=img"; within:8; distance:20; http_uri; pcre:"/\?id=[A-Z0-9]{20}&cmd=img/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/f9aafe67d4afe9526c1033fbfc861484105be3f09bdef92d911311f96ed05e4b/analysis; classtype:trojan-activity; sid:24530; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-BACKDOOR Trojan.KDV.QLO runtime detection"; flow:to_server,established; content:"|7C|Disponible"; fast_pattern:only; pcre:"/\d{1,8}\x7c.+ \x5b\d{1,2}(\x3a\d{1,2}){2} [AP]M\x2d(\d{1,2}\x2f){2}\d{4}\x5d\x7cDisponible/m"; metadata:impact_flag red; reference:url,www.virustotal.com/file/58828c6582c57e995dc3ce4b561f6b9727a117b5f13aba772dfb6fe9e86ab4ed/analysis/; classtype:trojan-activity; sid:24404; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-BACKDOOR Trojan.KDV.QLO runtime detection"; flow:to_server,established; content:"|7C|Inactivo"; fast_pattern:only; pcre:"/\d{1,8}\x7c.+ \x5b\d{1,2}(\x3a\d{1,2}){2} [AP]M\x2d(\d{1,2}\x2f){2}\d{4}\x5d\x7cInactivo/m"; metadata:impact_flag red; reference:url,www.virustotal.com/file/58828c6582c57e995dc3ce4b561f6b9727a117b5f13aba772dfb6fe9e86ab4ed/analysis/; classtype:trojan-activity; sid:24403; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-BACKDOOR Trojan.KDV.QLO install time detection"; flow:to_server,established; content:"|7C|FrogRAT"; depth:32; pcre:"/^.{1,32}\|.{1,32}\|.{1,64}@.{1,64}\|.{1,32}\|.{1,5}\|/msR"; metadata:impact_flag red; reference:url,www.virustotal.com/file/58828c6582c57e995dc3ce4b561f6b9727a117b5f13aba772dfb6fe9e86ab4ed/analysis/; classtype:trojan-activity; sid:24402; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-BACKDOOR Backdoor.Win32.Protos.A runtime detection"; flow:to_server,established; content:"|78 DA 72 0E 0F 0E 08 F2 0F 31 32 E0 E5 02 00 00 00 FF FF|"; depth:19; metadata:impact_flag red; reference:url,www.virustotal.com/file/694944854cbac0d6c3db19f29431a32b8eb53767ab81fdba63db45bc69f48ed0/analysis/; classtype:trojan-activity; sid:24400; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trojan.FakeAV.FakeAlert runtime detection"; flow:to_server,established; content:"?0="; http_uri; content:"&1="; distance:0; http_uri; content:"&2=1"; distance:0; http_uri; content:"&3="; distance:0; http_uri; pcre:"/0=\d+&1=\d&2=1&3=\d+&4=i&5=\d+&6=\d+&7=\d+&8=\S{0,16}&9=\d+&10=\S+&11=1111&12=\S{10}&14=\d/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/19eb78edb2aa13959a5a621744168bdb8e29b2ba4b7c91efe0f7e34060eabc4e/analysis/; classtype:trojan-activity; sid:24377; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trojan.Delf.KDV runtime detection"; flow:to_server,established; content:"=eNoLD4n38XePd3f1AwAR1gMm&"; fast_pattern:only; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/e72ad87d53790bee9e7e59eed134443e89 51b713750873528699e303e195dfd9/analysis/; classtype:trojan-activity; sid:24376; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trojan-Downloader.Win32.Doneltart.A runtime detection"; flow:to_server,established; content:!"User-Agent|3A|"; http_header; content:"open="; nocase; http_uri; content:"myid"; distance:0; nocase; http_uri; pcre:"/\?open=((stage|myid)|[^&]+&myid=)/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/3e28f52647637fd98779e50677ed56ca536ac1659816f15b489aafe39bcbf2f9/analysis/; classtype:trojan-activity; sid:24173; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Virus.Win32.Xpaj.A variant outbound connection"; flow:to_server,established; content:"Accept-Encoding|3A|"; nocase; http_header; content:"deflate"; distance:0; nocase; http_header; pcre:"/\x2F[0-9a-zA-Z]{4,9}\x3F[0-9a-zA-Z]{10,40}\x3D[0-9a-zA-Z]{10,40}([\x26\x3D][0-9a-zA-Z]{10,40}){0,10}/iU"; content:"filename="; fast_pattern:only; http_client_body; pcre:"/^filename=[a-z]{3,7}\x2E[a-z]{3}\x26data\x3D.{0,32}[^\x20-\x7E]/iP"; metadata:service http; reference:url,www.virustotal.com/#/file/d5c12fcfeebbe63f74026601cd7f39b2/detection; classtype:trojan-activity; sid:24123; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"/DES"; within:4; distance:1; fast_pattern; nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24122; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/DES"; fast_pattern; nocase; http_uri; pcre:"/\/DES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24121; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"/SUS"; within:4; distance:1; fast_pattern; nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24120; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/SUS"; fast_pattern; nocase; http_uri; pcre:"/\/SUS\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24119; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"/ZES"; within:4; distance:1; fast_pattern; nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24118; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/ZES"; fast_pattern; nocase; http_uri; pcre:"/\/ZES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24117; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"/AES"; within:4; distance:1; fast_pattern; nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24116; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/AES"; fast_pattern; nocase; http_uri; pcre:"/\/AES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24115; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Georbot file download"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|55 89 E5 83 EC 1C 80 3D F7 B7 40 00 00 74 0B 68 95 0E 41 00|"; fast_pattern:only; content:"|FF 15 EC 90 40 00 FF 75 08 FF 15 34 91 40 00 89 45 F4 83 C0|"; content:"|3C 8B 00 03 45 F4 89 45 F0 8B 45 F0 8B 40 78 03 45 F4 8B 58|"; within:20; content:"|20 03 5D F4 89 5D E4 8B 40 18 89 45 EC 8B 45 F0 8B 40 78 03|"; within:20; content:"|45 F4 8B 58 1C 03 5D F4 89 5D E8 8B 45 F0 8B 40 78 03 45 F4|"; within:20; content:"|8B 58 24 03 5D F4 89 5D F8 6A 00 C1 C9 04 59 C6 05 72 9C 40|"; within:20; content:"|00 00|"; within:2; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/d7551c07bce29757996b35bdd3bfcecdb3f10aa6807b22a95bea41f6c92e4f1a/analysis/; classtype:trojan-activity; sid:23483; rev:7;)
# alert udp $HOME_NET any -> $EXTERNAL_NET [53,443,9000] (msg:"MALWARE-BACKDOOR Win.Trojan.Thoper.C runtime detection"; flow:to_server,no_stream; content:"|30 00|"; depth:2; content:"|00 00|"; within:2; distance:2; content:"|C0 A8 02 85 00 04 00 00 00 10 00 00 32 00 00 00|"; within:16; distance:2; detection_filter:track by_src, count 5, seconds 60; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fThoper.C; classtype:trojan-activity; sid:23381; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection"; flow:to_server,established; content:"|A0 00 00 00|"; depth:4; content:"|98 00 00 00|"; within:4; distance:4; isdataat:163; isdataat:!164; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/#/file/e181424c4fb8bcde4aae154bf3ecb14d/detection; classtype:trojan-activity; sid:23341; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"MALWARE-BACKDOOR Spindest.A runtime detection - initial connection"; flow:to_server,established; content:"|00 01 2A 02 00 08 0C 12 14|AKAAA|02 00 0A|"; depth:17; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSpindest.A; classtype:trojan-activity; sid:23338; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Agent variant outbound connection"; flow:to_server,established; content:"Extra-Data-Bind|3A|"; nocase; http_header; content:"Extra-Data-Space|3A|"; nocase; http_header; content:"Extra-Data|3A|"; nocase; http_header; pcre:"/^\/\d+$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/4d6c4f5f0525d07b1454283ee1f1a166528f1edc208d10de9d3ce80d021c8fa3/analysis/; classtype:trojan-activity; sid:22095; rev:5;)
# alert tcp $EXTERNAL_NET 5447 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Nervos variant inbound connection"; flow:to_client,established; flowbits:isset,trojan.nervos; content:"|02 00 65 00 00 00 44 76|"; depth:8; content:"|55 4B 59 62 08 30 F0|"; distance:0; metadata:impact_flag red; classtype:trojan-activity; sid:21979; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5447 (msg:"MALWARE-BACKDOOR Win.Backdoor.Nervos variant outbound connection"; flow:to_server,established; content:"|01 01|"; depth:2; content:"|00 00|"; depth:2; offset:62; pcre:"/^((\x82\x01)|(\xe6\x01)|(\x4a\x02)|(\x98\x08)|(\xd8\x21))\x00\x00/R"; flowbits:set,trojan.nervos; metadata:impact_flag red; classtype:trojan-activity; sid:21978; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Pinit variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/gate/r.php"; nocase; http_uri; pcre:"/^\??s=[^\r\n]*q[^\r\n]*d\d+l\d+t\d+/Pi"; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=43a6f707cdc2a0f2e567308c7c6494c5; classtype:trojan-activity; sid:21977; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.ZZSlash runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"GH0STC"; content:"GH0STC"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/11906a9c342f840ffa01e1aeb411cf1a/detection; classtype:trojan-activity; sid:21973; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6040 (msg:"MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection"; flow:to_server,established; dsize:>19; content:"|14 00 00 00|"; depth:4; content:"|00 01|"; within:2; distance:14; reference:url,www.virustotal.com/#/file/11906a9c342f840ffa01e1aeb411cf1a/detection; classtype:trojan-activity; sid:21972; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Zlob.P variant inbound connection"; flow:to_client,established; flowbits:isset,trojan.zlob; file_data; content:"|2F 25 28|"; depth:3; metadata:service http; reference:url,www.virustotal.com/#/file/c751fd8e35b46c8a6d570b928774573b/detection; classtype:trojan-activity; sid:21971; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Zlob.P variant outbound connection"; flow:to_server,established; content:"/bsfb.php"; nocase; http_uri; content:"%##+t"; depth:5; http_client_body; flowbits:set,trojan.zlob; metadata:service http; reference:url,www.virustotal.com/#/file/c751fd8e35b46c8a6d570b928774573b/detection; classtype:trojan-activity; sid:21970; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [82,1087] (msg:"MALWARE-BACKDOOR Win.Backdoor.Rebhip.A variant outbound connection type B"; flow:to_server,established; content:"|70 C0 E4 28 02 26 11 3C 63 2F 8F 76 B4 55 DA 05|"; fast_pattern:only; metadata:impact_flag red; classtype:trojan-activity; sid:21969; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [82,1087] (msg:"MALWARE-BACKDOOR Win.Backdoor.Rebhip.A variant outbound connection type A"; flow:to_server,established; content:"32|7C 0A|"; depth:4; metadata:impact_flag red; classtype:trojan-activity; sid:21968; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Rebhip.A runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5F 78 5F 58 5F 42 4C 4F 43 4B 4D 4F 55 53 45 5F 58 5F 78 5F|"; fast_pattern:only; content:"|5F 78 5F 58 5F 55 50 44 41 54 45 5F 58 5F 78 5F|"; content:"|5F 78 5F 58 5F 50 41 53 53 57 4F 52 44 4C 49 53 54 5F 58 5F 78 5F|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d3ef727eb86c4bdde8e64800e600d3f4/detection; classtype:trojan-activity; sid:21967; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR ToolsPack PHP Backdoor access"; flow:to_server,established; content:"plugins/ToolsPack/ToolsPack.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html; classtype:web-application-attack; sid:21550; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1160 (msg:"MALWARE-BACKDOOR Win.Backdoor.Zegost.B runtime detection"; flow:to_server,established; content:"cb1st"; depth:5; nocase; reference:url,www.virustotal.com/file/28c970dc4fb40e7da843c7ceb0475b995b827ce451283b1377f18528f66982ad/analysis/; classtype:trojan-activity; sid:21512; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2008 (msg:"MALWARE-BACKDOOR BRX Rat 0.02 inbound connection"; flow:to_server,established; content:"informacoes"; depth:11; nocase; reference:url,www.virustotal.com/en/file/bfa9a810230949bfbd12a41f7da826d432694fab5f8b81ed6f083d4b4c56a6e5/analysis/; classtype:trojan-activity; sid:19930; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2008 (msg:"MALWARE-BACKDOOR BRX Rat 0.02 inbound connection"; flow:to_server,established; content:"<GETDRIVERS>"; depth:12; nocase; reference:url,www.virustotal.com/en/file/bfa9a810230949bfbd12a41f7da826d432694fab5f8b81ed6f083d4b4c56a6e5/analysis/; classtype:trojan-activity; sid:19929; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2008 (msg:"MALWARE-BACKDOOR BRX Rat 0.02 inbound connection"; flow:to_server,established; content:"<LISTPROCE>"; depth:11; nocase; reference:url,www.virustotal.com/en/file/bfa9a810230949bfbd12a41f7da826d432694fab5f8b81ed6f083d4b4c56a6e5/analysis/; classtype:trojan-activity; sid:19928; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2008 (msg:"MALWARE-BACKDOOR BRX Rat 0.02 inbound connection"; flow:to_server,established; content:"keylogger_on"; depth:12; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/bfa9a810230949bfbd12a41f7da826d432694fab5f8b81ed6f083d4b4c56a6e5/analysis/; classtype:trojan-activity; sid:19927; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.GGDoor.22 variant outbound connection"; flow:to_server,established; content:"/appsvc/appmsg4.asp?fmnumber="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/050df1a6cfafab164c7d8c10dd38c6a72145bedde19551a34ae02c0cdde607f1/analysis/; classtype:trojan-activity; sid:19747; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection"; flow:to_server,established; dsize:780; content:"C601"; depth:7; offset:16; fast_pattern; nocase; content:"|9C 00 00 00|"; within:4; distance:28; content:"|00 00 00|"; within:3; distance:1; metadata:impact_flag red, service http; reference:url,www.securelist.com/en/descriptions/10329508/Win.Backdoor.Agent.bhxn; classtype:trojan-activity; sid:19354; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Buterat Checkin"; flow:to_server,established; content:"User-Agent|3A| Explorer|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.malware-control.com/statics-pages/7d27068f2b9106b74ca11d537ae2b3de.php; reference:url,www.totalmalwareinfo.com/eng/Win.Backdoor.Buterat.afj; classtype:trojan-activity; sid:19135; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/#/file/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf/detection; classtype:trojan-activity; sid:16488; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/#/file/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf/detection; classtype:trojan-activity; sid:16487; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/#/file/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf/detection; classtype:trojan-activity; sid:16486; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.delf.jwh runtime detection"; flow:to_server,established; content:"/wm.php"; nocase; content:"ver="; distance:0; nocase; content:"MAX_EXECUTE_TIME="; distance:0; nocase; content:"RELOAD_JOBS="; distance:0; nocase; content:"BROWSER_DELAY="; distance:0; nocase; content:"CONTROL_PAGE="; distance:0; nocase; content:"lastlogcount="; distance:0; nocase; content:"REPORTS_PAGE="; distance:0; nocase; content:"TICKETS_PAGE="; distance:0; nocase; content:"botid="; distance:0; nocase; content:"REG_NAME="; distance:0; nocase; content:"botlogin="; distance:0; nocase; metadata:service http; reference:url,www.emsisoft.com/en/malware/?Win.Backdoor.Delf.jwh; classtype:trojan-activity; sid:16092; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR evilotus 1.3.2 runtime detection - init connection"; flow:to_client,established; flowbits:set,Evilotus_detection; content:"|0C|~|7F D8 13 00 00 00|d|C8 00 00 0B 00 00 00 07 00 00 00 80 E7 03 0C|~|7F D8|"; depth:27; flowbits:noalert; classtype:trojan-activity; sid:13506; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR yuri 1.2 runtime detection - init connection"; flow:to_client,established; content:"Req_Conn"; depth:8; nocase; flowbits:set,Yuri_1_2_detection; flowbits:noalert; classtype:trojan-activity; sid:13247; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR troya 1.4 inbound connection"; flow:to_client,established; content:"Welcome to Troya"; fast_pattern:only; pcre:"/\x3Ctitle\x3ETroya\s+\x2D\s+by\s+Sma\s+Soft\x3C\x2Ftitle\x3E/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Troya&threatid=41533; classtype:trojan-activity; sid:13246; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bandook 1.35 runtime detection"; flow:to_client,established; flowbits:isset,Bandook135_detection; content:"|CF AB A8 A7 AE CF|"; depth:6; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; classtype:trojan-activity; sid:12727; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bandook 1.35 runtime detection"; flow:to_server,established; content:"|CF 8F 80 9B 9A 9D CF C9 CA C9 D9 8D C9|"; depth:13; flowbits:set,Bandook135_detection; flowbits:noalert; classtype:trojan-activity; sid:12726; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dark moon 4.11 runtime detection"; flow:to_server,established; flowbits:isset,DarkMoon411_detection; content:"1bsrCwE93uxp"; depth:12; reference:url,www.spywareguide.com/spydet_2745_dark_moon.html; classtype:trojan-activity; sid:12725; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dark moon 4.11 runtime detection"; flow:to_client,established; content:"1DbsLbE3i/MBQu9Z"; depth:16; flowbits:set,DarkMoon411_detection; flowbits:noalert; classtype:trojan-activity; sid:12724; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR poison ivy 2.3.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,PoisonIvy2.3.0_initDetection; content:"|E0 F5|=|C1 F0 EA 15 DB|C>e|F8 9B E2 14 BA|"; depth:16; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PoisonIvy&threatid=43179; classtype:trojan-activity; sid:12700; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR poison ivy 2.3.0 runtime detection - init connection"; flow:to_client,established; content:"|B9 E1 A5|~|C7 B7 82|n|22|n|0B CB FD|w|ED|I"; depth:16; flowbits:set,PoisonIvy2.3.0_initDetection; flowbits:noalert; classtype:trojan-activity; sid:12699; rev:5;)
# alert tcp $HOME_NET 7323 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Sygate Remote Administration Engine"; flow:established,to_client; content:"SyGate |0A|"; depth:8; nocase; reference:bugtraq,952; reference:cve,2000-0113; reference:url,marc.info/?l=bugtraq&m=94934808714972&w=2; classtype:misc-activity; sid:12684; rev:4;)
# alert tcp $HOME_NET 10110 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Versi TheTheef Detection"; flow:established,to_server; content:"VERSI |28|TheTheef|29|"; depth:16; nocase; classtype:misc-activity; sid:12675; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR shark 2.3.2 runtime detection"; flow:to_client,established; flowbits:isset,sharK_2.3.2_detection; content:"F|15 1D|K|80|?|03 00 01 09|5"; depth:11; reference:url,www.2-spyware.com/remove-shark-trojan.html; reference:url,www.megasecurity.org/trojans/s/shark/Shark0.5.html; reference:url,www.spywaredb.com/remove-shark-trojan/; classtype:trojan-activity; sid:12378; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR shark 2.3.2 runtime detection"; flow:to_server,established; content:"F|15 1D|"; depth:3; flowbits:set,sharK_2.3.2_detection; flowbits:noalert; classtype:trojan-activity; sid:12377; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR radmin 3.0 runtime detection - login & remote control"; flow:to_client,established; flowbits:isset,Radmin3.0_login_detection; content:"|01 00 00 00 05 00 00 00|''|00 00 00 00|"; depth:14; reference:url,www.econsultant.com/spyware-database/r/radmin-3-0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096740; classtype:trojan-activity; sid:12376; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR radmin 3.0 runtime detection - login & remote control"; flow:to_server,established; content:"|01 00 00 00 05 00 00 02|''|02 00 00 00|"; depth:14; flowbits:set,Radmin3.0_login_detection; flowbits:noalert; classtype:trojan-activity; sid:12375; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR radmin 3.0 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,Radmin3.0_conn_detection; content:"|01 00 00 00|%|00 00 02 12 08 02 00 00 0A 00 00|"; depth:16; reference:url,www.econsultant.com/spyware-database/r/radmin-3-0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096740; classtype:trojan-activity; sid:12374; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR radmin 3.0 runtime detection - initial connection"; flow:to_server,established; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; flowbits:set,Radmin3.0_conn_detection; flowbits:noalert; classtype:trojan-activity; sid:12373; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bifrost v1.2.1 runtime detection"; flow:to_server,established; flowbits:isset,Bifrost_v1.2.1_detection; content:"|00 00 00 9B|O|B0|h|FE|j|9A 1C|"; depth:11; offset:1; reference:url,www.spywareguide.com/spydet_1464_bifrose.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453114444; classtype:trojan-activity; sid:12298; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bifrost v1.2.1 runtime detection"; flow:to_client,established; content:"|05 00 00 00 BC|"; depth:5; content:"|CC|"; within:1; distance:3; flowbits:set,Bifrost_v1.2.1_detection; flowbits:noalert; classtype:trojan-activity; sid:12297; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR furax 1.0 b3 runtime detection"; flow:to_client,established; content:"|03 00 1C 00 00 00 00 00 01|Furax"; depth:14; nocase; content:"1.0b3"; distance:0; nocase; content:"Server|00|"; distance:0; nocase; pcre:"/^\x03\x00\x1c\x00\x00\x00\x00\x00\x01Furax\s+1\x2E0b3\s+Server\x00/smi"; reference:url,www.megasecurity.org/trojans/f/furax/Furax1.0b3.html; classtype:trojan-activity; sid:12245; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR itadem trojan 3.0 runtime detection"; flow:to_client,established; file_data; content:"<title>ItAdEm Trojan Server</title>"; fast_pattern:only; metadata:service http; reference:url,www.antispyware.com/glossary_details.php?ID=2059; reference:url,www.megasecurity.org/trojans/i/itadem/Itadem3.0.html; classtype:trojan-activity; sid:12244; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection"; flow:to_client,established; flowbits:isset,HotmailHackerLogEdition5.0_detection; content:"|C0|STATUS|C0|Server"; depth:14; nocase; content:"Keylogging"; distance:0; nocase; content:"Started!"; distance:0; nocase; pcre:"/^\xc0STATUS\xc0Server\s\x3A\sKeylogging\sStarted\!$/smi"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453075158; reference:url,www.spywareguide.com/spydet_935_hotmail_hacker_x_edition.html; classtype:trojan-activity; sid:12243; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection"; flow:to_server,established; content:"Start"; depth:5; nocase; pcre:"/^Start$/smi"; flowbits:set,HotmailHackerLogEdition5.0_detection; flowbits:noalert; classtype:trojan-activity; sid:12242; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR genie 1.7 runtime detection - init connection"; flow:to_client,established; flowbits:isset,Genie1.7_detection; content:"|1B|[2J|0D 0A| "; depth:7; content:"Genie"; distance:0; nocase; content:"v1.7"; distance:0; nocase; reference:url,www.megasecurity.org/trojans/g/genie/Genie1.7.html; classtype:trojan-activity; sid:12241; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR genie 1.7 runtime detection - init connection"; flow:to_client,established; content:"|1B|[2J|0D 0A| "; depth:7; content:"Hello"; nocase; content:"my"; distance:0; nocase; content:"master"; distance:0; nocase; content:"waiting"; distance:0; nocase; content:"for"; distance:0; nocase; content:"your"; distance:0; nocase; content:"commands"; distance:0; nocase; flowbits:set,Genie1.7_detection; flowbits:noalert; classtype:trojan-activity; sid:12240; rev:3;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection"; flow:to_client,established; file_data; content:"Web Center|3A|"; nocase; http_header; content:"Nom de l ordinateur|3A|"; nocase; http_header; metadata:service http; reference:url,www.megasecurity.org/trojans/w/webcenter/Webcenter1.0.html; classtype:trojan-activity; sid:12239; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - ftp"; flow:to_server,established; flowbits:isset,Theef210_TheefFTP; content:"Theef2.10_"; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99; classtype:trojan-activity; sid:12238; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - ftp"; flow:to_client,established; content:"Theef2"; content:"FTP"; distance:0; content:"Server"; distance:0; pcre:"/Theef2\s+FTP\s+Server\x3A/"; flowbits:set,Theef210_TheefFTP; flowbits:noalert; classtype:trojan-activity; sid:12237; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - connect with password"; flow:to_server,established; flowbits:isset,Theef210_Connectionwithpassword; content:"|FA CB D9 D9 EB DE DE D6|"; depth:8; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99; classtype:trojan-activity; sid:12236; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - connect with password"; flow:to_client,established; content:"|FA CB D9 D9 DD C5 D8 CE D6|"; depth:9; flowbits:set,Theef210_Connectionwithpassword; flowbits:noalert; classtype:trojan-activity; sid:12235; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - connect with no password"; flow:to_client,established; flowbits:isset,Theef210_Connectionwithnopassword; content:"|FC CF D8 D6 98 84 9B 9A|"; depth:8; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99; classtype:trojan-activity; sid:12234; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - connect with no password"; flow:to_client,established; content:"|FA CB D9 D9 E5 E1 D6|"; depth:7; flowbits:set,Theef210_Connectionwithnopassword; flowbits:noalert; classtype:trojan-activity; sid:12233; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1357 (msg:"MALWARE-BACKDOOR cobra uploader 1.0 runtime detection"; flow:to_server,established; flowbits:isset,CobraUploader1.0_detection; content:"filebhejdai|7C|"; depth:12; reference:url,www.megasecurity.org/trojans/b/blackcobra/Blackcobra_uploader1.0.html; classtype:trojan-activity; sid:12164; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1357 (msg:"MALWARE-BACKDOOR cobra uploader 1.0 runtime detection"; flow:to_server,established; content:"DIR"; depth:3; offset:3; pcre:"/^(SYS|WIN)DIR$/sm"; flowbits:set,CobraUploader1.0_detection; flowbits:noalert; classtype:trojan-activity; sid:12163; rev:3;)
# alert tcp $HOME_NET 503 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - screen capturing"; flow:to_client,established; flowbits:isset,OptixPROv1.32Screencapture_detection2; content:"SizeIs|AC|"; depth:11; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12162; rev:5;)
# alert tcp $HOME_NET 503 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - screen capturing"; flow:to_client,established; flowbits:isset,OptixPROv1.32Screencapture_detection1; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Screencapture_detection2; flowbits:noalert; classtype:trojan-activity; sid:12161; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 503 (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - screen capturing"; flow:to_server,established; content:"SendACap|AC|"; depth:9; flowbits:set,OptixPROv1.32Screencapture_detection1; flowbits:noalert; classtype:trojan-activity; sid:12160; rev:3;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - keylogging"; flow:to_client,established; content:"inc|AC|"; depth:4; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12159; rev:6;)
# alert tcp $HOME_NET 501 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - upload file"; flow:to_client,established; flowbits:isset,OptixPROv1.32Upload_detection2; content:"FileSizeIs|AC|"; depth:11; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12158; rev:4;)
# alert tcp $HOME_NET 501 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - upload file"; flow:to_client,established; flowbits:isset,OptixPROv1.32Upload_detection1; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Upload_detection2; flowbits:noalert; classtype:trojan-activity; sid:12157; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 501 (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - upload file"; flow:to_server,established; content:"InfoOn|AC|"; depth:7; flowbits:set,OptixPROv1.32Upload_detection1; flowbits:noalert; classtype:trojan-activity; sid:12156; rev:3;)
# alert tcp $HOME_NET 500 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - download file"; flow:to_client,established; flowbits:isset,OptixPROv1.32Download_detection2; content:"+OK RCVD|0D 0A|"; depth:10; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12155; rev:4;)
# alert tcp $HOME_NET 500 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - download file"; flow:to_client,established; flowbits:isset,OptixPROv1.32Download_detection1; content:"+OK REDY|0D 0A|"; depth:10; flowbits:set,OptixPROv1.32Download_detection2; flowbits:noalert; classtype:trojan-activity; sid:12154; rev:4;)
# alert tcp $HOME_NET 500 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - download file"; flow:to_client,established; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Download_detection1; flowbits:noalert; classtype:trojan-activity; sid:12153; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - init connection"; flow:to_client,established; content:"001|AC|Optix"; depth:9; nocase; content:"Pro"; distance:0; nocase; content:"v1.32"; distance:0; nocase; content:"Connected"; distance:0; nocase; content:"Successfully!|0D 0A|"; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12152; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cafeini 1.0 runtime detection"; flow:to_client,established; flowbits:isset,CAFEiNi_detection; content:"INIPACK"; depth:7; nocase; reference:url,www.spywareguide.com/spydet_904_cafeini.html; classtype:trojan-activity; sid:12151; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cafeini 1.0 runtime detection - init connection"; flow:to_client,established; content:"|FF FD 03 FF FD 18 FF FD 1F|"; depth:9; flowbits:set,CAFEiNi_detection; flowbits:noalert; classtype:trojan-activity; sid:12150; rev:3;)
# alert tcp $HOME_NET 54320 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection"; flow:to_client,established; flowbits:isset,BackOrifice2006_1.1.5_detection; content:"|00 00 00|"; depth:3; content:"|CD C3 13|7|04|"; within:5; distance:1; reference:url,www.salama.tn/backorifice.htm; reference:url,www.spywareguide.com/product_show.php?id=1945; classtype:trojan-activity; sid:12149; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 54320 (msg:"MALWARE-BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|CD C3 13|7"; within:4; distance:1; flowbits:set,BackOrifice2006_1.1.5_detection; flowbits:noalert; classtype:trojan-activity; sid:12148; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection"; flow:to_client,established; flowbits:isset,BlueEye1.0b_detection; dsize:3; content:"SUC"; reference:url,secunia.com/virus_information/11032/blueye-a/; reference:url,www.spywareguide.com/spydet_816_blue_eye_1_0b.html; classtype:trojan-activity; sid:12147; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection"; flow:to_server,established; content:"AUTH"; depth:4; flowbits:set,BlueEye1.0b_detection; flowbits:noalert; classtype:trojan-activity; sid:12146; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-BACKDOOR access remote pc runtime detection - rpc setup"; flow:to_client,established; flowbits:isset,AccessRemotePC_RPCdetection; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Access%20Remote%20PC&threatid=29373; classtype:trojan-activity; sid:12145; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR access remote pc runtime detection - rpc setup"; flow:to_server,established; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; flowbits:set,AccessRemotePC_RPCdetection; flowbits:noalert; classtype:trojan-activity; sid:12144; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR access remote pc runtime detection - init connection"; flow:to_client,established; flowbits:isset,AccessRemotePC_detection; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Access%20Remote%20PC&threatid=29373; classtype:trojan-activity; sid:12143; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR access remote pc runtime detection - init connection"; flow:to_server,established; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; flowbits:set,AccessRemotePC_detection; flowbits:noalert; classtype:trojan-activity; sid:12142; rev:3;)
# alert tcp $HOME_NET 58008 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR tron runtime detection - init connection"; flow:to_client,established; flowbits:isset,Tron_Initconnection; content:"<THETIMEIS>"; depth:11; nocase; reference:url,www.megasecurity.org/trojans/t/tron/Tron.html; classtype:trojan-activity; sid:12055; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 58008 (msg:"MALWARE-BACKDOOR tron runtime detection - init connection - flowbit set"; flow:to_server,established; content:"<SYSTMTIME>"; depth:11; nocase; flowbits:set,Tron_Initconnection; flowbits:noalert; classtype:trojan-activity; sid:12054; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR trail of destruction 2.0 runtime detection - get system info"; flow:to_server,established; content:"_Get_Sys_Info_"; depth:14; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076564; classtype:trojan-activity; sid:12053; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR the[x] 1.2 runtime detection - execute command"; flow:to_client,established; content:"000The[X]Server"; depth:15; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074872; classtype:trojan-activity; sid:12052; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR ultimate rat 2.1 runtime detection"; flow:to_client,established; content:"|01 00 00 02|WordUP"; depth:10; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060550; classtype:trojan-activity; sid:12051; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 610 (msg:"MALWARE-BACKDOOR supervisor plus runtime detection"; flow:to_server,established; flowbits:isset,SupervisorPlus_detection; content:"<A "; depth:3; nocase; pcre:"/^\x3c\x41\x20.*\x3b\x5c\x5c.*\x5cSV\x24\x5c\x3e\x3c/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453109596; classtype:trojan-activity; sid:11954; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 610 (msg:"MALWARE-BACKDOOR supervisor plus runtime detection"; flow:to_server,established; content:"L"; depth:1; nocase; content:"|00|"; depth:1; offset:3; pcre:"/^L\d\d\x00/smi"; flowbits:set,SupervisorPlus_detection; flowbits:noalert; classtype:trojan-activity; sid:11953; rev:3;)
# alert udp $HOME_NET 3262 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR winshadow runtime detection - udp response"; flow:to_client; content:"|03 00 00 00 01 00 02 00 00 00 00 00|"; depth:12; offset:5; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060036; classtype:trojan-activity; sid:11952; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR winshadow runtime detection - init connection request"; flow:to_server,established; content:"@|11 00 00 00 00 00 00 1C 00 00 00 10 00 03 00 00 00 01 00 02 00|"; depth:22; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060036; classtype:trojan-activity; sid:11951; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7896 (msg:"MALWARE-BACKDOOR lame rat v1.0 runtime detection"; flow:established; content:"MESSAGE + "; depth:10; nocase; content:" + windows"; distance:0; nocase; reference:url,www.megasecurity.org/trojans/l/lamerat/Lamerat1.0.html; classtype:trojan-activity; sid:11949; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5712 (msg:"MALWARE-BACKDOOR sohoanywhere runtime detection"; flow:to_server,established; flowbits:isset,Sohoanywhere_Init; content:"RFB 003.004|0A|"; depth:12; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060132; classtype:trojan-activity; sid:11323; rev:5;)
# alert tcp $HOME_NET 5712 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR sohoanywhere runtime detection"; flow:to_client,established; content:"RFB 003.003|0A|"; depth:12; nocase; flowbits:set,Sohoanywhere_Init; flowbits:noalert; classtype:trojan-activity; sid:11322; rev:5;)
# alert udp $HOME_NET any -> 255.255.255.255 5053 (msg:"MALWARE-BACKDOOR netwindow runtime detection - udp broadcast"; flow:to_server; content:"NWHOST"; depth:6; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584; classtype:trojan-activity; sid:11321; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5051 (msg:"MALWARE-BACKDOOR netwindow runtime detection - reverse mode init connection request"; flow:to_server,established; content:"NWHOST"; depth:6; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584; classtype:trojan-activity; sid:11320; rev:5;)
# alert tcp $HOME_NET 5050 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netwindow runtime detection - init connection request"; flow:to_client,established; content:"|1B 00 00 00|"; depth:4; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584; classtype:trojan-activity; sid:11319; rev:6;)
# alert tcp $EXTERNAL_NET 19820 -> $HOME_NET any (msg:"MALWARE-BACKDOOR boer runtime detection - init connection"; flow:to_client,established; content:"EMSG0006"; depth:8; nocase; reference:url,soft.myboer.cn; classtype:trojan-activity; sid:11318; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection"; flow:to_client,established; content:"&&**"; depth:4; dsize:<100; reference:url,www.heibai.net/download/Soft/Soft_6836.htm; classtype:trojan-activity; sid:11317; rev:8;)
# alert tcp $HOME_NET 1115 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR lurker 1.1 runtime detection - init connection"; flow:to_client,established; content:"|0D|Lurker"; depth:7; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077370; classtype:trojan-activity; sid:11316; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR shadownet remote spy 2.0 runtime detection"; flow:to_client,established; content:"ShadowNet"; nocase; content:"Remote"; distance:0; nocase; content:"Web"; distance:0; nocase; content:"Based"; distance:0; nocase; content:"Spyware"; distance:0; nocase; pcre:"/ShadowNet\s+Remote\s+Web\s+Based\s+Spyware/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081042; classtype:trojan-activity; sid:11314; rev:6;)
# alert tcp $HOME_NET 12667 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR winicabras 1.1 runtime detection - explorer"; flow:to_client,established; flowbits:isset,Winicabras_explorer; content:"DRIVE"; depth:5; nocase; reference:url,www.megasecurity.org/trojans/w/winicabras/Winicabras1.1.html; classtype:trojan-activity; sid:10463; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12667 (msg:"MALWARE-BACKDOOR winicabras 1.1 runtime detection - explorer"; flow:to_server,established; content:"DRIVE"; depth:5; nocase; flowbits:set,Winicabras_explorer; flowbits:noalert; classtype:trojan-activity; sid:10462; rev:4;)
# alert tcp $HOME_NET 3132 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR winicabras 1.1 runtime detection - get system info"; flow:to_client,established; flowbits:isset,Winicabras_getinfo; content:"|0D 0A|==INFORMACION"; depth:15; nocase; reference:url,www.megasecurity.org/trojans/w/winicabras/Winicabras1.1.html; classtype:trojan-activity; sid:10461; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3132 (msg:"MALWARE-BACKDOOR winicabras 1.1 runtime detection - get system info"; flow:to_server,established; content:"000"; depth:3; flowbits:set,Winicabras_getinfo; flowbits:noalert; classtype:trojan-activity; sid:10460; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wineggdrop shell pro runtime detection - init connection"; flow:to_client,established; content:"WinEggDropShell"; depth:15; offset:28; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077750; classtype:trojan-activity; sid:10459; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5024 (msg:"MALWARE-BACKDOOR [x]-ztoo 1.0 or illusion runtime detection - open file manager"; flow:to_server,established; content:"[LOAD DRIVE DATA]"; depth:17; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10458; rev:5;)
# alert tcp $HOME_NET 5600 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger"; flow:to_client,established; content:"LogStarted"; depth:10; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10457; rev:7;)
# alert tcp $HOME_NET 5600 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - get system info"; flow:to_client,established; flowbits:isset,XZTOO_Getinfo; content:"Info|3B|"; depth:5; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10456; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5600 (msg:"MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - get system info"; flow:to_server,established; content:"GetInfo"; depth:7; nocase; flowbits:set,XZTOO_Getinfo; flowbits:noalert; classtype:trojan-activity; sid:10455; rev:4;)
# alert tcp $HOME_NET 5600 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - init connection"; flow:to_client,established; content:"Connected"; depth:9; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10454; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR zalivator 1.4.2 pro runtime detection - smtp notification"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"|28 29|"; distance:0; nocase; content:"DivXProGainBundle"; nocase; content:"Registration"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*\x28\x29/smi"; pcre:"/DivXProGainBundle\s+registration/smi"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084203; classtype:trojan-activity; sid:10453; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR only 1 rat runtime detection - control command"; flow:to_server,established; flowbits:isset,Only1RAT_Control; content:"|7C FF 00 FF 00 FF 00 FF 00 FF 00 FF 0D 0A|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Only%201%20RAT&threatid=40632; classtype:trojan-activity; sid:10451; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR only 1 rat runtime detection - control command"; flow:to_client,established; content:"D41D8CD98F00B204E9800998ECF8427E"; depth:34; flowbits:set,Only1RAT_Control; flowbits:noalert; classtype:trojan-activity; sid:10450; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR acid shivers runtime detection - init telnet connection"; flow:to_client,established; content:"|1B|[2J|1B|[40m|1B|[37mAcid"; depth:18; nocase; content:"Shiver"; distance:0; nocase; content:"System"; distance:0; nocase; content:"Release"; distance:0; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=112; classtype:trojan-activity; sid:10449; rev:6;)
# alert tcp $HOME_NET 2612 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR acessor 2.0 runtime detection - init connection"; flow:to_client,established; content:"connect_"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/a/acessor/Acessor2.0.html; classtype:trojan-activity; sid:10448; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"MALWARE-BACKDOOR acidbattery 1.0 runtime detection - get server info"; flow:to_server,established; content:"SERVER/NFO"; depth:10; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10446; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"MALWARE-BACKDOOR acidbattery 1.0 runtime detection - get password"; flow:to_server,established; content:"PSWD/GET"; depth:8; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10445; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"MALWARE-BACKDOOR acidbattery 1.0 runtime detection - open ftp serice"; flow:to_server,established; content:"FTP-ON"; depth:6; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10444; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"MALWARE-BACKDOOR acidbattery 1.0 runtime detection - sniff info"; flow:to_server,established; content:"SNIFF/"; depth:6; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10443; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive"; flow:to_server,established; dsize:<20; content:"|AC|kC|3A 5C|"; reference:url,www.megasecurity.org/trojans/n/nirvana/Nirvana2.0.html; classtype:trojan-activity; sid:10442; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Wordpress backdoor theme.php code execution"; flow:to_server,established; content:"wp-includes/theme.php"; nocase; http_uri; content:"iz="; nocase; http_uri; pcre:"/wp-includes\x2Ftheme\x2Ephp\x3F[^\r\n]*iz=/Ui"; metadata:impact_flag red, service http; reference:bugtraq,22797; reference:cve,2007-1277; reference:url,wordpress.org/development/2007/03/upgrade-212/; reference:url,www.securityfocus.com/archive/1/461794; classtype:trojan-activity; sid:10197; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Wordpress backdoor feed.php code execution"; flow:to_server,established; content:"wp-includes/feed.php"; nocase; http_uri; content:"ix="; nocase; http_uri; pcre:"/wp-includes\x2Ffeed\x2Ephp\x3F[^\r\n]*ix=/Ui"; metadata:impact_flag red, service http; reference:bugtraq,22797; reference:cve,2007-1277; reference:url,wordpress.org/development/2007/03/upgrade-212/; reference:url,www.securityfocus.com/archive/1/461794; classtype:trojan-activity; sid:10196; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR x-door runtime detection"; flow:to_server,established; content:"[XShell Backdoor"; nocase; content:"xshell>"; distance:0; nocase; reference:url,www.xfocus.net/tools/200610/1197.html; classtype:trojan-activity; sid:10185; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wow 23 runtime detection"; flow:to_client,established,no_stream; content:"R|00|23"; depth:4; detection_filter:track by_src, count 3, seconds 300; reference:url,www.megasecurity.org/trojans/0_9/23/23_0.3.html; classtype:trojan-activity; sid:10184; rev:8;)
# alert udp $EXTERNAL_NET 1275 -> $HOME_NET 1276 (msg:"MALWARE-BACKDOOR matrix 1.03 by mtronic runtime detection - init connection"; content:"RequestConnect"; depth:14; reference:url,www.megasecurity.org/trojans/m/matrix/Matrix1.03.html; classtype:trojan-activity; sid:10169; rev:6;)
# alert tcp $HOME_NET 201 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR one runtime detection"; flow:to_client,established; content:"OK "; depth:16; nocase; reference:url,www.megasecurity.org/trojans/o/one/One0.12b.html; classtype:trojan-activity; sid:10168; rev:7;)
# alert tcp $HOME_NET 8812 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR rix3 1.0 runtime detection - init connection"; flow:to_client,established; content:"connected"; depth:9; nocase; reference:url,www.megasecurity.org/trojans/r/rix3/Rix3_1.0.html; classtype:trojan-activity; sid:10112; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection - init connection"; flow:to_client,established; flowbits:isset,PoisonIvy_init; content:"U|8B EC|P|B8 02 00 00 00 81 C4 04 F0 FF FF|"; depth:15; reference:url,www.megasecurity.org/trojans/p/poisonivy/Poisonivy2.1.2.html; classtype:trojan-activity; sid:10111; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection"; flow:to_client,established; content:"|F6 13 00 00|"; depth:4; flowbits:set,PoisonIvy_init; flowbits:noalert; classtype:trojan-activity; sid:10110; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR k-msnrat 1.0.0 runtime detection - init connection"; flow:to_client,established; content:"SndInfo"; depth:7; nocase; reference:url,www.megasecurity.org/trojans/k/kmsnrat/Kmsnrat1.0.0.html; classtype:trojan-activity; sid:10109; rev:6;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR icmp cmd 1.0 runtime detection - pskill"; itype:0; content:"pskill"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250; classtype:trojan-activity; sid:10108; rev:6;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR icmp cmd 1.0 runtime detection - pslist"; itype:0; content:"pslist"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250; classtype:trojan-activity; sid:10107; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hav-rat 1.1 runtime detection - retrieve pc info"; flow:to_server,established; flowbits:isset,HavRat_pcinfo2; content:"StartPage|3A|"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/h/hav/Havrat1.0.html; classtype:trojan-activity; sid:10105; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hav-rat 1.1 runtime detection"; flow:to_server,established; flowbits:isset,HavRat_pcinfo1; content:"User|3A|"; depth:5; nocase; flowbits:set,HavRat_pcinfo2; flowbits:noalert; classtype:trojan-activity; sid:10104; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hav-rat 1.1 runtime detection"; flow:to_client,established; content:"getinfo"; depth:7; nocase; flowbits:set,HavRat_pcinfo1; flowbits:noalert; classtype:trojan-activity; sid:10103; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR crossfires trojan 3.0 runtime detection - chat with victim"; flow:to_server,established; content:"chat|7C|"; depth:5; nocase; reference:url,www.megasecurity.org/trojans/c/crossfires/Crossfires.html; classtype:trojan-activity; sid:10102; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR crossfires trojan 3.0 runtime detection - delete file"; flow:to_server,established; content:"delete|7C|"; depth:7; nocase; reference:url,www.megasecurity.org/trojans/c/crossfires/Crossfires.html; classtype:trojan-activity; sid:10101; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR sun shadow 1.70 runtime detection - keep alive"; flow:to_server,established; content:"|FF 01 03 03 00 00 00 00|"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/s/sunshadow/Sunshadow1.7.0.html; classtype:trojan-activity; sid:9839; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR sun shadow 1.70 runtime detection - init connection"; flow:to_client,established; flowbits:isset,Backdoor.SunShadow.Init; content:"|FF 01 01 03 00 00 00 00|"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/s/sunshadow/Sunshadow1.7.0.html; classtype:trojan-activity; sid:9838; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR sun shadow 1.70 runtime detection - init connection"; flow:to_server,established; content:"|FF 01 01 01 80 00 00 00|"; depth:8; nocase; flowbits:set,Backdoor.SunShadow.Init; flowbits:noalert; classtype:trojan-activity; sid:9837; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"MALWARE-BACKDOOR ieva 1.0 runtime detection - crazy mouse"; flow:to_server,established; content:"MOUSE"; depth:5; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9836; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"MALWARE-BACKDOOR ieva 1.0 runtime detection - swap mouse"; flow:to_server,established; content:"OTHER"; depth:5; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9835; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"MALWARE-BACKDOOR ieva 1.0 runtime detection - black screen"; flow:to_server,established; content:"BLACK"; depth:5; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9834; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"MALWARE-BACKDOOR ieva 1.0 runtime detection - fake delete harddisk message"; flow:to_server,established; content:"DELEHARD"; depth:8; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9833; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"MALWARE-BACKDOOR ieva 1.0 runtime detection - send message"; flow:to_server,established; content:"ASKGAY"; depth:6; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9832; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 16454 (msg:"MALWARE-BACKDOOR superra runtime detection - issue remote control command"; flow:to_server,established; content:"|05 00 00|"; depth:3; offset:1; classtype:trojan-activity; sid:9667; rev:6;)
# alert tcp $HOME_NET 16454 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR superra runtime detection - success init connection"; flow:to_client,established; content:"{|05 00 00|"; depth:4; classtype:trojan-activity; sid:9666; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR crossbow 1.12 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Backdoor.Crossbow.Init; content:"SrvDtl|7C|"; depth:7; nocase; reference:url,www.megasecurity.org/trojans/c/crossbow/Crossbow1.12.html; classtype:trojan-activity; sid:9665; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR crossbow 1.12 runtime detection"; flow:to_client,established; content:"SrvDtl"; depth:6; nocase; flowbits:set,Backdoor.Crossbow.Init; flowbits:noalert; classtype:trojan-activity; sid:9664; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection - start remote shell"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Remoteshell; content:"|23|[shellrs]"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9663; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection"; flow:to_client,established; content:"|24|[shellgo]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Remoteshell; flowbits:noalert; classtype:trojan-activity; sid:9662; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection - show processes"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Showprocesses; content:"|23|[shwproc]"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9661; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection"; flow:to_client,established; content:"|24|[proclst]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Showprocesses; flowbits:noalert; classtype:trojan-activity; sid:9660; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection - file manage"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Filemanager; content:"|23|[showuni]"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9659; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection"; flow:to_client,established; content:"|24|[showuni]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Filemanager; flowbits:noalert; classtype:trojan-activity; sid:9658; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Init; content:"|23|[version]1.0"; depth:13; nocase; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9657; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection"; flow:to_client,established; content:"|24|[version]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Init; flowbits:noalert; classtype:trojan-activity; sid:9656; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR apofis 1.0 runtime detection - remote controlling"; flow:to_client,established; flowbits:isset,Backdoor.Apofis.Remotecontrol; content:"Troyano"; nocase; content:"Apofis"; distance:0; nocase; pcre:"/Troyano\s+Apofis\s+1\x2E0/smi"; reference:url,www.megasecurity.org/trojans/a/apofis/Apofis1.0.html; classtype:trojan-activity; sid:9655; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR apofis 1.0 runtime detection - remote controlling"; flow:to_server,established; content:"?&sesion="; nocase; flowbits:set,Backdoor.Apofis.Remotecontrol; flowbits:noalert; classtype:trojan-activity; sid:9654; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR zxshell runtime detection - setting information retrieve"; flow:to_client,established; file_data; content:"[zxconfig]"; nocase; content:"MyIP="; nocase; content:"Port="; nocase; content:"Password="; nocase; content:"Banner="; nocase; content:"BackConnect="; nocase; content:"ServerID="; nocase; content:"LocalPort="; nocase; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081617; classtype:trojan-activity; sid:8549; rev:10;)
# alert tcp $HOME_NET 4000 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR zzmm 2.0 runtime detection - init connection"; flow:to_client,established; flowbits:isset,Backdoor.ZZMM.InitConnect; content:"Attached"; nocase; content:"through"; distance:0; nocase; content:"port"; distance:0; nocase; pcre:"/^Attached\s+through\s+port\x3a/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453054345; classtype:trojan-activity; sid:8548; rev:6;)
# alert tcp $HOME_NET 4000 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR zzmm 2.0 runtime detection - init connection"; flow:to_client,established; content:"Connected"; depth:9; nocase; content:"to"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"at"; distance:0; nocase; pcre:"/^Connected\s+to\s+Server\s+at\x3a/smi"; flowbits:set,Backdoor.ZZMM.InitConnect; flowbits:noalert; classtype:trojan-activity; sid:8547; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection"; flow:to_server,established; dsize:<50; content:"|7C|48|7C|0|7C|0|7C|"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/b/blackcurse/Blackcurse4.0.html; classtype:trojan-activity; sid:8362; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection"; flow:to_client,established; dsize:<50; content:"0^0^0^"; depth:6; nocase; reference:url,www.megasecurity.org/trojans/b/blackcurse/Blackcurse4.0.html; classtype:trojan-activity; sid:8361; rev:7;)
# alert tcp $HOME_NET 2421 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR x2a runtime detection - init connection"; flow:to_client,established; content:"connected"; depth:9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084136; classtype:trojan-activity; sid:8079; rev:6;)
# alert tcp $HOME_NET 1327 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mithril runtime detection - get process list"; flow:to_client,established; flowbits:isset,Mithril_GetProcessList; content:"|BD F8 B3 CC|ID|BA C5 A3 BA| "; depth:20; nocase; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8078; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1327 (msg:"MALWARE-BACKDOOR mithril runtime detection - get process list"; flow:to_server,established; content:"pslist|0A|"; depth:7; nocase; flowbits:set,Mithril_GetProcessList; flowbits:noalert; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8077; rev:4;)
# alert tcp $HOME_NET 1327 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mithril runtime detection - get system information"; flow:to_client,established; flowbits:isset,Mithril_GetSystemInformation; content:"|BC C6 CB E3 BB FA C3 FB A3 BA|"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8076; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1327 (msg:"MALWARE-BACKDOOR mithril runtime detection - get system information"; flow:to_server,established; content:"sysinfo|0A|"; depth:8; nocase; flowbits:set,Mithril_GetSystemInformation; flowbits:noalert; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8075; rev:4;)
# alert tcp $HOME_NET 1327 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mithril runtime detection - init connection"; flow:to_client,established; content:"|CE DE B7 A8 B4 F2 BF AA B5 BD D6 F7 BB FA B5 C4 C1 AC BD D3| |D4 DA B6 CB BF DA| 1327 |3A| |C1 AC BD D3 CA A7 B0 DC|"; depth:43; nocase; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8074; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1111 (msg:"MALWARE-BACKDOOR xbkdr runtime detection"; flow:to_server,established; content:"|7C|"; depth:1; offset:3; pcre:"/^(?=[abchimoprswx])(acs|bin|c(ap|ls)|h(di|ms|tb)|iex|m(oo|tx|ws)|opn|pwr|rst|s(h[di]|ms|tb|wm)|wrd|xls)\x7C/smi"; reference:url,www.megasecurity.org/trojans/x/x-bkdr/X-bkdr1.4.html; classtype:trojan-activity; sid:7822; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nightcreature beta 0.01 runtime detection"; flow:to_client,established; content:"<consol>---------------------------------------------<consol>Connected to NightCreature server"; nocase; reference:url,opensc.ws/showthread.php?t=31; classtype:trojan-activity; sid:7821; rev:5;)
# alert tcp $HOME_NET 146 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR infector v1.0 runtime detection - init conn"; flow:to_client,established; flowbits:isset,back.infector.v1.0.conn.1; content:"FC'S TROJAN"; depth:11; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075657; classtype:trojan-activity; sid:7818; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 146 (msg:"MALWARE-BACKDOOR infector v1.0 runtime detection - init conn"; flow:to_server,established; content:"FC "; depth:3; nocase; flowbits:set,back.infector.v1.0.conn.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075657; classtype:trojan-activity; sid:7817; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR darkmoon reverse connection detection - cts"; flow:to_server,established; flowbits:isset,darkmoon_reverse_stc; content:"DmInf"; depth:5; nocase; pcre:"/^DmInf\x5E[^\r\n]*\d+\x2E\d+\x2E\d+\x2E\d+\x5E/smi"; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7816; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR darkmoon reverse connection detection - stc"; flow:to_client,established; content:"0^0^0^"; depth:6; flowbits:set,darkmoon_reverse_stc; flowbits:noalert; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7815; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR darkmoon initial connection detection - stc"; flow:to_client,established; flowbits:isset,darkmoon_initial_cts; content:"|7C|Connected"; depth:10; nocase; content:"with|3A|"; distance:0; nocase; pcre:"/^\x7CConnected with\x3A\s+\d+\x2E\d+.\d+.\d+/smi"; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7814; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR darkmoon initial connection detection - cts"; flow:to_server,established; content:"|7C|55|7C|0|7C|0|7C 7C|"; depth:9; flowbits:set,darkmoon_initial_cts; flowbits:noalert; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7813; rev:4;)
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR abacab runtime detection - banner"; flow:to_client,established; flowbits:isset,Abacab; content:"|00| |23 23 23| |23 23 23| |23| __...--'' ___...--_..' .|3B|.' |3B 0D 0A|"; nocase; content:"CONNECTION|3A 0D 0A| |0D 0A|Veuillez entrer le mot de passe|0D 0A 00|"; distance:0; nocase; reference:url,megasecurity.org/trojans/a/abacab/Abacab0.9beta.html; classtype:trojan-activity; sid:7812; rev:6;)
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR abacab runtime detection - telnet initial"; flow:to_client,established; content:" |0D 0A|Vous etes connecte a|3A 0D 0A 0D 0A 00|"; flowbits:set,Abacab; flowbits:noalert; reference:url,megasecurity.org/trojans/a/abacab/Abacab0.9beta.html; classtype:trojan-activity; sid:7811; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nuclear uploader 1.0 runtime detection"; flow:to_client,established; content:"libManager.dll"; nocase; content:"get"; distance:0; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079457; classtype:trojan-activity; sid:7810; rev:5;)
# alert tcp $HOME_NET 6666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fatal wound 1.0 runtime detection - upload"; flow:to_client,established; flowbits:isset,fatalwound_upload; content:"Send File -~-"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7809; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"MALWARE-BACKDOOR fatal wound 1.0 runtime detection - upload"; flow:to_server,established; content:"File Name -~-"; nocase; flowbits:set,fatalwound_upload; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1065; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7808; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"MALWARE-BACKDOOR fatal wound 1.0 runtime detection - execute file"; flow:to_server,established; content:"Execute -~-"; nocase; reference:url,attack.mitre.org/techniques/T1065; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7807; rev:6;)
# alert tcp $HOME_NET 6666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fatal wound 1.0 runtime detection - initial connection"; flow:to_client,established; content:"00000"; nocase; content:"-~-"; distance:0; nocase; pcre:"/^00000\s+-~-\s+/smi"; reference:url,attack.mitre.org/techniques/T1065; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7806; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4201 (msg:"MALWARE-BACKDOOR war trojan ver1.0 runtime detection - disable ctrl+alt+del"; flow:to_server,established; content:"disablectrlaltdel"; depth:17; reference:url,www.symantec.com/avcenter/attack_sigs/s20290.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746; classtype:trojan-activity; sid:7804; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4201 (msg:"MALWARE-BACKDOOR war trojan ver1.0 runtime detection - send messages"; flow:to_server,established; content:"text|3A|"; depth:5; reference:url,www.symantec.com/avcenter/attack_sigs/s20290.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746; classtype:trojan-activity; sid:7803; rev:5;)
# alert udp $HOME_NET 10167 -> $EXTERNAL_NET 10220 (msg:"MALWARE-BACKDOOR portal of doom runtime detection - udp stc"; flow:to_client; content:"KeepAlive"; depth:9; nocase; reference:url,megasecurity.org/trojans/p/portalofdoom/Portalofdoom3.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4684; classtype:trojan-activity; sid:7802; rev:7;)
# alert udp $EXTERNAL_NET 10220 -> $HOME_NET 10167 (msg:"MALWARE-BACKDOOR portal of doom runtime detection - udp cts"; flow:to_server; content:"pod"; depth:3; nocase; reference:url,megasecurity.org/trojans/p/portalofdoom/Portalofdoom3.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4684; classtype:trojan-activity; sid:7801; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9401 (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - file manage 2"; flow:to_server,established; flowbits:isset,InCommand_17_FileManager_2; content:"PASS InClientMainPassword"; depth:25; reference:url,www.spywareguide.com/product_show.php?id=1637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44730; classtype:trojan-activity; sid:7800; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9401 (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - file manage 2"; flow:to_server,established; content:"USER inc"; depth:8; flowbits:set,InCommand_17_FileManager_2; flowbits:noalert; classtype:trojan-activity; sid:7799; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 148 (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - file manage 1"; flow:to_server,established; flowbits:isset,InCommand_17_FileManager_1; content:"PASS InClientMainPassword"; depth:25; reference:url,www.spywareguide.com/product_show.php?id=1637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44730; classtype:trojan-activity; sid:7798; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 148 (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - file manage 1"; flow:to_server,established; content:"USER inc"; depth:8; flowbits:set,InCommand_17_FileManager_1; flowbits:noalert; classtype:trojan-activity; sid:7797; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - init connection"; flow:to_client,established; flowbits:isset,InCommand_17_InitConnection; content:"PASSOK"; reference:url,www.spywareguide.com/product_show.php?id=1637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44730; classtype:trojan-activity; sid:7796; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - init connection"; flow:to_server,established; content:"ACS "; depth:4; flowbits:set,InCommand_17_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7795; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR fraggle rock 2.0 lite runtime detection - pc info - flowbit set"; flow:to_server,established; content:"updateinfo"; depth:10; nocase; flowbits:set,backdoor.fraggle.rock.2.0.lite.pc.info; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077120; classtype:trojan-activity; sid:7794; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote anything 5.11.22 runtime detection - chat with attacker"; content:"RA Chat|00 00|"; depth:9; reference:url,www.spywareguide.com/product_show.php?id=1567; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440; classtype:trojan-activity; sid:7793; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR remote anything 5.11.22 runtime detection - chat with victim"; content:"RA Chat|00 00|"; depth:9; reference:url,www.spywareguide.com/product_show.php?id=1567; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440; classtype:trojan-activity; sid:7792; rev:5;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote anything 5.11.22 runtime detection - victim response"; content:"RA Broadcast|00|"; depth:13; reference:url,www.spywareguide.com/product_show.php?id=1567; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440; classtype:trojan-activity; sid:7791; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client"; flow:to_client,established; dsize:6; content:"KSPDIR"; depth:6; classtype:trojan-activity; sid:7789; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server"; flow:to_server,established; dsize:4; content:"KRP0"; depth:4; classtype:trojan-activity; sid:7788; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR forced control uploader runtime detection - connection with password"; flow:to_client,established; dsize:5; content:"PWDok"; depth:5; classtype:trojan-activity; sid:7785; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netdevil runtime detection - file manager"; flow:to_client,established; flowbits:isset,NetDevil_FileManager; content:"get_drives_done"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652; classtype:trojan-activity; sid:7783; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR netdevil runtime detection - file manager - flowbit set"; flow:to_server,established; content:"get_drives"; nocase; flowbits:set,NetDevil_FileManager; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652; classtype:trojan-activity; sid:7782; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR elfrat runtime detection - initial connection"; flow:to_client,established; content:"|01|elfRAT|04|"; nocase; reference:url,www.megasecurity.org/trojans/e/elf/Elfrat1.2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=55224; classtype:trojan-activity; sid:7778; rev:6;)
# alert tcp $HOME_NET 7080 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - get drives"; flow:to_client,established; flowbits:isset,Messiah_GetDrives; content:"GET///Drives"; depth:12; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7777; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7080 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - get drives - flowbit set"; flow:to_server,established; content:"GET///Drives**"; depth:14; flowbits:set,Messiah_GetDrives; flowbits:noalert; classtype:trojan-activity; sid:7776; rev:5;)
# alert tcp $HOME_NET 876 -> $EXTERNAL_NET 877 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - screen capture"; flow:to_server,established; flowbits:isset,Messiah_ScreenCaptureA; content:"Downloadscreen|7C|"; depth:15; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7775; rev:5;)
# alert tcp $EXTERNAL_NET 877 -> $HOME_NET 876 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - screen capture - flowbit set"; flow:established; content:"getscreen|7C|"; depth:10; flowbits:set,Messiah_ScreenCaptureA; flowbits:noalert; classtype:trojan-activity; sid:7774; rev:4;)
# alert tcp $HOME_NET 876 -> $EXTERNAL_NET 877 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger"; flow:to_server,established; flowbits:isset,Messiah_EnableKeyloggerA; content:"kcaption|7C|"; depth:9; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7773; rev:6;)
alert tcp $EXTERNAL_NET 877 -> $HOME_NET 876 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger - flowbit set"; flow:established; content:"enablekey|7C|"; depth:10; flowbits:set,Messiah_EnableKeyloggerA; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:7772; rev:5;)
# alert tcp $HOME_NET 876 -> $EXTERNAL_NET 877 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - get server info"; flow:to_server,established; flowbits:isset,Messiah_GetServerInfoA; content:"serverinformation|7C|"; depth:18; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7771; rev:5;)
# alert tcp $EXTERNAL_NET 877 -> $HOME_NET 876 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - get server info - flowbit set"; flow:established; content:"getserverinfo|7C|"; depth:14; flowbits:set,Messiah_GetServerInfoA; flowbits:noalert; classtype:trojan-activity; sid:7770; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR data rape runtime detection - execute program server-to-client"; flow:to_client,established; content:"000File"; depth:7; nocase; content:"executed..."; distance:0; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076909; classtype:trojan-activity; sid:7769; rev:6;)
# alert tcp $HOME_NET 6767 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nt remote controller 2000 runtime detection - foldermonitor server-to-client"; flow:to_client,established; flowbits:isset,NT_Remote_Controller_2000_FolderMonitor; content:"FolderMonitor|3B|"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7767; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6767 (msg:"MALWARE-BACKDOOR nt remote controller 2000 runtime detection - foldermonitor client-to-server"; flow:to_server,established; content:"|3B|FolderMonitor"; nocase; flowbits:set,NT_Remote_Controller_2000_FolderMonitor; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7766; rev:4;)
# alert tcp $HOME_NET 6767 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nt remote controller 2000 runtime detection - sysinfo server-to-client"; flow:to_client,established; flowbits:isset,NT_Remote_Controller_2000_Sysinfo1; content:"SystemInfo|3B|"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7765; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6767 (msg:"MALWARE-BACKDOOR nt remote controller 2000 runtime detection - sysinfo client-to-server"; flow:to_server,established; content:"|3B|SystemInfo"; nocase; flowbits:set,NT_Remote_Controller_2000_Sysinfo1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7764; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6767 (msg:"MALWARE-BACKDOOR nt remote controller 2000 runtime detection - services client-to-server"; flow:to_server,established; content:"|3B|ServicesStatus"; nocase; pcre:"/^\x3BServicesStatus\x3B(All|Active|Inactive)Services/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7763; rev:5;)
# alert udp $HOME_NET [1234,2018] -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netthief runtime detection"; content:"|00 00 00 00 00 00 00 82|"; depth:8; offset:17; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=16078; classtype:trojan-activity; sid:7760; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR glacier runtime detection - screen capture"; flow:to_server,established; content:"|F5 CA C7 C7 C6 F5 C8 C8 CE C7 F5|"; depth:11; reference:url,www.symantec.com/avcenter/attack_sigs/s20302.html; classtype:trojan-activity; sid:7759; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR glacier runtime detection - initial connection and directory browse"; flow:to_server,established; content:"|F5 CB C9 CF C6 F5 C8 C8 CE C7 F5|"; depth:11; content:"|F5 D5 D1 D5 F5|"; distance:0; reference:url,www.symantec.com/avcenter/attack_sigs/s20302.html; classtype:trojan-activity; sid:7758; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - spy function"; flow:to_client,established; flowbits:isset,BuschTrommel_SpyFunction2; content:"{FTPL}"; depth:6; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=20757; classtype:trojan-activity; sid:7755; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - spy function - flowbit set 2"; flow:to_client,established; flowbits:isset,BuschTrommel_SpyFunction1; content:"{PLTS}"; depth:6; flowbits:set,BuschTrommel_SpyFunction2; flowbits:noalert; classtype:trojan-activity; sid:7754; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - spy function - flowbit set 1"; flow:to_server,established; content:"GETIT"; depth:5; flowbits:set,BuschTrommel_SpyFunction1; flowbits:noalert; classtype:trojan-activity; sid:7753; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,BuschTrommel_InitConnection2; content:"*VER1.22|28|REI|29|"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=20757; classtype:trojan-activity; sid:7752; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - initial connection - flowbit set 2"; flow:to_server,established; flowbits:isset,BuschTrommel_InitConnection1; content:"ver"; depth:3; flowbits:set,BuschTrommel_InitConnection2; flowbits:noalert; classtype:trojan-activity; sid:7751; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - initial connection - flowbit set 1"; flow:to_client,established; content:"*PASS*"; depth:6; flowbits:set,BuschTrommel_InitConnection1; flowbits:noalert; classtype:trojan-activity; sid:7750; rev:6;)
# alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bobo 1.0 runtime detection - send message"; flow:to_client,established; flowbits:isset,BoBo_SendMessages; content:"Message shown.|00|finish line|00|"; depth:27; reference:url,www.spywareguide.com/product_show.php?id=1531; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076842; classtype:trojan-activity; sid:7749; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"MALWARE-BACKDOOR bobo 1.0 runtime detection - send message - flowbit set"; flow:to_server,established; content:"Send Message"; depth:12; flowbits:set,BoBo_SendMessages; flowbits:noalert; classtype:trojan-activity; sid:7748; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"MALWARE-BACKDOOR bobo 1.0 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,BoBo_InitConnection; content:"zdorovo"; depth:7; reference:url,www.spywareguide.com/product_show.php?id=1531; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076842; classtype:trojan-activity; sid:7747; rev:5;)
# alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bobo 1.0 runtime detection - initial connection - flowbit set"; flow:to_client,established; content:"Password|3A|"; depth:9; flowbits:set,BoBo_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7746; rev:5;)
# alert tcp $HOME_NET 7410 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR phoenix 2.1 runtime detection"; flow:to_client,established; flowbits:isset,Phoenix_InitConnection; content:"The Phoenix is ready"; depth:20; reference:url,www.spywareguide.com/product_show.php?id=977; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079790; classtype:trojan-activity; sid:7745; rev:6;)
# alert tcp $HOME_NET 7410 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR phoenix 2.1 runtime detection - flowbit set"; flow:to_client,established; content:"MSG00020"; depth:8; flowbits:set,Phoenix_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7744; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR nova 1.0 runtime detection - cgi notification server-to-client"; flow:to_client,established; flowbits:isset,nova_cgi_cts; file_data; content:"# Nova CGI Notification Script"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7743; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nova 1.0 runtime detection - initial connection with pwd set"; flow:to_client,established; flowbits:isset,nova_conn_1; content:"ClientsConnected"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7741; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nova 1.0 runtime detection - initial connection with pwd set - flowbit set"; flow:to_client,established; content:"Passed"; depth:6; nocase; flowbits:set,nova_conn_1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7740; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"MALWARE-BACKDOOR alexmessomalex runtime detection - grab"; flow:to_server,established; content:"grab|3A|"; depth:5; nocase; reference:url,www.megasecurity.org/trojans/a/alexmessomalex/Alexmessomalex_b2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45547; classtype:trojan-activity; sid:7739; rev:6;)
# alert tcp $HOME_NET 4444 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alexmessomalex runtime detection - initial connection"; flow:to_client,established; content:"accept|3A|"; depth:7; nocase; reference:url,www.megasecurity.org/trojans/a/alexmessomalex/Alexmessomalex_b2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45547; classtype:trojan-activity; sid:7738; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bionet 4.05 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,BioNet4_05_BE; content:"!|00 00 00|&|01 01 00 01|KA"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406; classtype:trojan-activity; sid:7735; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bionet 4.05 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"|05 00 00 00|1|00 01 00 01 FD 12 00|"; depth:12; flowbits:set,BioNet4_05_BE; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406; classtype:trojan-activity; sid:7734; rev:6;)
# alert tcp $EXTERNAL_NET 5005 -> $HOME_NET any (msg:"MALWARE-BACKDOOR outbreak_0.2.7 runtime detection - initial connection"; flow:to_client,established; content:"CON"; nocase; pcre:"/^CON\w{1,10}\d+\xAE[^\r\n]{1,20}\x3B/smi"; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7733; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5005 (msg:"MALWARE-BACKDOOR outbreak_0.2.7 runtime detection - ring client-to-server"; flow:to_server,established; flowbits:isset,outbreak_ring_stc; content:"SINFO"; nocase; content:"PONG"; distance:0; nocase; pcre:"/^SINFO\x3B[^\r\n]{1,20}\x3BPONG\x3B/smi"; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7732; rev:6;)
# alert tcp $EXTERNAL_NET 5005 -> $HOME_NET any (msg:"MALWARE-BACKDOOR outbreak_0.2.7 runtime detection - ring server-to-client"; flow:to_client,established; content:"SINFO"; nocase; pcre:"/^SINFO\x3B\d+\x3B/smi"; flowbits:set,outbreak_ring_stc; flowbits:noalert; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7731; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5005 (msg:"MALWARE-BACKDOOR outbreak_0.2.7 runtime detection - reverse connection"; flow:to_server,established; content:"Sin"; nocase; pcre:"/^Sin[^\r\n]*\/[^\r\n]*\x0D\x0A\d+\x0D\x0A/smi"; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7730; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR radmin runtime detection - server-to-client"; flow:to_client,established; flowbits:isset,Radmin; content:"|01 00 00 00|%|00 00 01 10 08 01 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:46; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:7729; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR radmin runtime detection - client-to-server"; flow:to_server,established; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; flowbits:set,Radmin; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:7728; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR reversable ver1.0 runtime detection - execute command"; flow:to_server,established; flowbits:isset,ReVerSaBle_ExecuteCommand; content:"COMMENFile"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/r/reversable/Reversable1.0.html; classtype:trojan-activity; sid:7727; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR reversable ver1.0 runtime detection - execute command - flowbit set"; flow:to_client,established; content:"EXECUT"; depth:6; flowbits:set,ReVerSaBle_ExecuteCommand; flowbits:noalert; classtype:trojan-activity; sid:7726; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR reversable ver1.0 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"PORT="; depth:5; content:"Victim="; distance:0; pcre:"/^PORT\x3D\d+\x2AVictim\x3D/"; classtype:trojan-activity; sid:7724; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wollf runtime detection"; flow:to_client,established; content:"Wollf"; fast_pattern; nocase; content:"Remote"; distance:0; nocase; content:"Manager"; distance:0; nocase; pcre:"/^\x22Wollf\s+Remote\s+Manager\x22\s+v\d+\x2E\d+\x0d\x0a/smi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.wollf.16.html; classtype:trojan-activity; sid:7723; rev:5;)
# alert tcp $HOME_NET 5110 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR prorat 1.9 initial connection detection"; flow:to_client,established; content:"Sifre_Korumasi"; depth:14; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.prorat.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082779; classtype:trojan-activity; sid:7721; rev:6;)
# alert tcp $HOME_NET 7250 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR desktop scout runtime detection"; flow:to_client,established; content:"DTS-300|0D 0A|"; depth:9; nocase; reference:url,www.spywareguide.com/product_show.php?id=927; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074737; classtype:trojan-activity; sid:7720; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR dameware mini remote control runtime detection - initial connection"; flow:to_server,established; flowbits:isset,DameWareMiniRemoteControl_InitConnection; content:"0|11 00 00 00 00 00 00|333333|13|@|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:30; reference:url,www.spywareguide.com/product_show.php?id=925; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060041; classtype:trojan-activity; sid:7719; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dameware mini remote control runtime detection - initial connection - flowbit set"; flow:to_client,established; content:"0|11 00 00|"; depth:4; content:"333333|13|@"; offset:8; flowbits:set,DameWareMiniRemoteControl_InitConnection; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=925; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060041; classtype:trojan-activity; sid:7718; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR snake trojan runtime detection"; flow:to_client,established; content:"The"; depth:3; nocase; content:"Snake"; distance:0; nocase; content:"Trojan"; distance:0; nocase; pcre:"/^The\s+Snake\s+Trojan/smi"; reference:url,www.spywareguide.com/product_show.php?id=643; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078423; classtype:trojan-activity; sid:7717; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netdevil runtime detection"; flow:to_client,established; flowbits:isset,backdoor.NetDevil.conn.step2; content:"ver"; nocase; pcre:"/^ver\d+\x2E\d+/smi"; reference:url,www.spywareguide.com/product_show.php?id=1516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=27557; classtype:trojan-activity; sid:7716; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR netdevil runtime detection - flowbit set 2"; flow:to_server,established; flowbits:isset,backdoor.NetDevil.conn.step1; content:"version"; depth:7; nocase; flowbits:set,backdoor.NetDevil.conn.step2; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=27557; classtype:trojan-activity; sid:7715; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netdevil runtime detection - flowbit set 1"; flow:to_client,established; content:"passed"; depth:6; nocase; flowbits:set,backdoor.NetDevil.conn.step1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=27557; classtype:trojan-activity; sid:7714; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR Amitis v1.3 runtime detection - email notification"; flow:to_server,established; content:"From|3A|"; nocase; content:"Amitis"; distance:0; content:"1.3"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Server"; distance:0; nocase; content:"information"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*Amitis\s+1\x2E3.*Subject\x3A[^\r\n]*Server\s+information/smi"; metadata:impact_flag red, service smtp; reference:url,www.spywareguide.com/product_show.php?id=669; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075097; classtype:trojan-activity; sid:7713; rev:6;)
# alert tcp $HOME_NET 33229 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Amitis runtime detection victim to attacker"; flow:to_client,established; content:"["; depth:1; content:"]|0D 0A|"; within:25; pcre:"/^\[[a-z]{4,22}\]/si"; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=669; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072405; classtype:trojan-activity; sid:7712; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 33229 (msg:"MALWARE-BACKDOOR Amitis runtime command detection attacker to victim"; flow:to_server,established; content:"["; depth:1; content:"]|0D 0A|"; within:25; pcre:"/^\[[a-z]{4,22}\]/si"; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=669; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072405; classtype:trojan-activity; sid:7711; rev:6;)
# alert tcp $HOME_NET 8811 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,Fear15_conn.2; content:"Drive"; nocase; reference:url,www.megasecurity.org/trojans/f/fear/Fear1.5a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:7710; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8811 (msg:"MALWARE-BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection - flowbit set"; flow:to_server,established; flowbits:isset,Fear15_conn.1; content:"listdrives"; nocase; flowbits:set,Fear15_conn.2; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/fear/Fear1.5a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:7709; rev:4;)
# alert tcp $HOME_NET 8811 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection - flowbit set"; flow:to_client,established; content:"connected"; nocase; flowbits:set,Fear15_conn.1; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/fear/Fear1.5a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:7708; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-BACKDOOR omniquad instant remote control runtime detection - file transfer setup"; flow:to_server,established; content:"Welcome"; nocase; content:"to"; distance:0; nocase; content:"the"; distance:0; nocase; content:"Omniquad"; distance:0; nocase; content:"File"; distance:0; nocase; content:"Transfer"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/Welcome\s+to\s+the\s+Omniquad\s+File\s+Transfer\s+Server/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080053; classtype:trojan-activity; sid:7707; rev:5;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR omniquad instant remote control runtime detection - initial connection"; flow:to_client,established; flowbits:isset,Omniquad_IRC_InitConnection; content:"|00 00 00|h|FF|SMB%|00 00 00|"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080053; classtype:trojan-activity; sid:7706; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MALWARE-BACKDOOR omniquad instant remote control runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"Instant"; nocase; content:"Remote"; distance:0; nocase; content:"Control"; distance:0; nocase; content:"Service"; distance:0; nocase; pcre:"/Instant\s+Remote\s+Control\s+Service/smi"; flowbits:set,Omniquad_IRC_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7705; rev:6;)
# alert tcp $HOME_NET 1111 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR roach 1.0 runtime detection - remote control actions"; flow:to_client,established; flowbits:isset,Roach_RemoteControlActions; content:"|A2 D0 D4 D6 DF C1 E1 D5 D6 DC BB DC CE D7|"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=950; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075964; classtype:trojan-activity; sid:7703; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1111 (msg:"MALWARE-BACKDOOR roach 1.0 runtime detection - remote control actions - flowbit set"; flow:to_server,established; content:"|A2 D0 D4 D6 DF C1 E1 D5 D6 DC BB DC CE D7|"; depth:14; flowbits:set,Roach_RemoteControlActions; flowbits:noalert; classtype:trojan-activity; sid:7702; rev:6;)
# alert tcp $HOME_NET 3100 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR brain wiper runtime detection - chat"; flow:to_client,established; flowbits:isset,BrAin_Wiper_Chat; content:"Chat dialog opened"; depth:18; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7701; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3100 (msg:"MALWARE-BACKDOOR brain wiper runtime detection - chat - flowbit set"; flow:to_server,established; content:"ChatCHA"; depth:7; flowbits:set,BrAin_Wiper_Chat; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7700; rev:4;)
# alert tcp $HOME_NET 3100 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR brain wiper runtime detection - launch application"; flow:to_client,established; flowbits:isset,BrAin_Wiper_LaunchApplication; content:"Program Launched"; depth:16; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7699; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3100 (msg:"MALWARE-BACKDOOR brain wiper runtime detection - launch application - flowbit set"; flow:to_server,established; content:"APP"; flowbits:set,BrAin_Wiper_LaunchApplication; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7698; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hanky panky 1.1 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,hanky_conn2; content:"spas"; depth:4; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209; classtype:trojan-activity; sid:7697; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 2"; flow:to_server,established; flowbits:isset,hanky_conn1; content:"spas1|3A|"; depth:6; nocase; flowbits:set,hanky_conn2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209; classtype:trojan-activity; sid:7696; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 1"; flow:to_client,established; content:"spass|3A|"; depth:6; nocase; flowbits:set,hanky_conn1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209; classtype:trojan-activity; sid:7695; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-BACKDOOR exception 1.0 runtime detection - notification"; flow:to_server,established; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"id=Exception"; nocase; http_uri; content:"ver=Exception"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"os="; nocase; http_uri; content:"conn="; nocase; http_uri; content:"cpu="; nocase; http_uri; content:"user="; nocase; http_uri; metadata:service http; reference:url,www.megasecurity.org/trojans/e/exception/Exception1.0b1.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077099; classtype:trojan-activity; sid:7692; rev:7;)
# alert tcp $EXTERNAL_NET 9999 -> $HOME_NET any (msg:"MALWARE-BACKDOOR evade runtime detection - file manager"; flow:to_client,established; flowbits:isset,Evade_File_Manager1; content:"FRESH +"; reference:url,www.megasecurity.org/trojans/e/evade/Evade1.1b.html; classtype:trojan-activity; sid:7691; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"MALWARE-BACKDOOR evade runtime detection - file manager - flowbit set"; flow:to_server,established; content:"DRIVECHANGE +"; flowbits:set,Evade_File_Manager1; flowbits:noalert; reference:url,www.megasecurity.org/trojans/e/evade/Evade1.1b.html; classtype:trojan-activity; sid:7690; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR evade runtime detection - initial connection"; flow:to_server,established; content:"IDENTIFY"; depth:8; pcre:"/^IDENTIFY\s+\x23\s+\d+\x2E\d+\x2E\d+\x2E\d+\s+\x23\s+/"; reference:url,www.megasecurity.org/trojans/e/evade/Evade1.1b.html; classtype:trojan-activity; sid:7689; rev:5;)
# alert tcp $EXTERNAL_NET 5024 -> $HOME_NET any (msg:"MALWARE-BACKDOOR illusion runtime detection - file browser server-to-client"; flow:to_client,established; flowbits:isset,Illusion_File; content:"[DRIVE"; nocase; content:"LIST]"; nocase; pcre:"/\x5BDRIVE\s+LIST\x5D/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7688; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5024 (msg:"MALWARE-BACKDOOR illusion runtime detection - file browser client-to-server"; flow:to_server,established; content:"[LOAD DRIVE DATA]"; flowbits:set,Illusion_File; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7687; rev:4;)
# alert tcp $EXTERNAL_NET 5024 -> $HOME_NET any (msg:"MALWARE-BACKDOOR illusion runtime detection - get remote info server-to-client"; flow:to_client,established; flowbits:isset,Illusion_Info; content:"023"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7686; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5024 (msg:"MALWARE-BACKDOOR illusion runtime detection - get remote info client-to-server"; flow:to_server,established; content:"104"; depth:3; flowbits:set,Illusion_Info; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7685; rev:4;)
# alert tcp $HOME_NET 567 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hrat 1.0 runtime detection"; flow:to_client,established; content:"hRat"; depth:4; nocase; content:"are"; distance:0; nocase; content:"ready"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"version"; distance:0; nocase; pcre:"/^hRat\s+are\s+ready\s+-\>\s+Server\s+version/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073815; classtype:trojan-activity; sid:7684; rev:6;)
# alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR acid head 1.00 runtime detection"; flow:to_client,established; flowbits:isset,acid_head_conn_step1; content:"1.6"; depth:3; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=71371; classtype:trojan-activity; sid:7683; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"MALWARE-BACKDOOR acid head 1.00 runtime detection - flowbit set"; flow:to_server,established; content:"TROJAN"; depth:6; nocase; flowbits:set,acid_head_conn_step1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=71371; classtype:trojan-activity; sid:7682; rev:4;)
# alert tcp $HOME_NET 11977 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cool remote control 1.12 runtime detection - download file"; flow:to_client,established; flowbits:isset,CoolRemoteControl_Download.1; content:"|7C|FILESIZE|7C|"; nocase; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7681; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11977 (msg:"MALWARE-BACKDOOR cool remote control 1.12 runtime detection - download file - flowbit set"; flow:to_server,established; content:"|7C|GETFILE|7C|"; nocase; flowbits:set,CoolRemoteControl_Download.1; flowbits:noalert; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7680; rev:4;)
# alert tcp $HOME_NET 11977 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cool remote control 1.12 runtime detection - upload file"; flow:to_client,established; flowbits:isset,CoolRemoteControl_upload; content:"|7C|COMPLETEPUTFILE|7C|"; nocase; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7679; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11977 (msg:"MALWARE-BACKDOOR cool remote control 1.12 runtime detection - upload file - flowbit set"; flow:to_server,established; content:"|7C|PUTFILE|7C|"; nocase; flowbits:set,CoolRemoteControl_upload; flowbits:noalert; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7678; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cool remote control or crackdown runtime detection - initial connection"; flow:to_client,established; flowbits:isset,CoolRemoteControl_conn; content:"|7C|DRVS|7C|"; depth:6; nocase; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www.spywareguide.com/product_show.php?id=1495; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7677; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR cool remote control or crackdown runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"|7C|ENUMDRVS|7C|"; depth:10; nocase; flowbits:set,CoolRemoteControl_conn; flowbits:noalert; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www.spywareguide.com/product_show.php?id=1495; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7676; rev:5;)
# alert tcp $HOME_NET 1001 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote havoc runtime detection"; flow:to_client,established; flowbits:isset,RemoteHAVOC_conn.2; content:"LIST"; nocase; reference:url,www.megasecurity.org/trojans/r/remotehavoc/Remotehavoc3.0.1.html; reference:url,www.spywareguide.com/product_show.php?id=863; classtype:trojan-activity; sid:7675; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1001 (msg:"MALWARE-BACKDOOR remote havoc runtime detection - flowbit set 2"; flow:to_server,established; flowbits:isset,RemoteHAVOC_conn.1; content:"REFR"; depth:4; flowbits:set,RemoteHAVOC_conn.2; flowbits:noalert; reference:url,www.megasecurity.org/trojans/r/remotehavoc/Remotehavoc3.0.1.html; reference:url,www.spywareguide.com/product_show.php?id=863; classtype:trojan-activity; sid:7674; rev:4;)
# alert tcp $HOME_NET 1001 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote havoc runtime detection - flowbit set 1"; flow:to_client,established; content:"CONN"; depth:4; nocase; flowbits:set,RemoteHAVOC_conn.1; flowbits:noalert; reference:url,www.megasecurity.org/trojans/r/remotehavoc/Remotehavoc3.0.1.html; reference:url,www.spywareguide.com/product_show.php?id=863; classtype:trojan-activity; sid:7673; rev:6;)
# alert tcp $HOME_NET 32222 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remoter runtime detection - initial connection"; flow:to_client,established; content:"Connected"; nocase; reference:url,www.megasecurity.org/trojans/r/remoter/Remoter.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=53155; classtype:trojan-activity; sid:7672; rev:6;)
# alert tcp $HOME_NET 19850 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR digital upload runtime detection - chat"; flow:to_client,established; content:"<chat>"; nocase; content:"</chat>"; nocase; pcre:"/\x3Cchat\x3E[^\r\n]*\x3C\x2Fchat\x3E/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068131; classtype:trojan-activity; sid:7671; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 19850 (msg:"MALWARE-BACKDOOR digital upload runtime detection - initial connection"; flow:to_server,established; content:"<password>"; depth:10; nocase; content:"</password>"; distance:0; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068131; classtype:trojan-activity; sid:7670; rev:5;)
# alert tcp $HOME_NET 2213 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR screen control 1.0 runtime detection - capture on port 2213"; flow:to_client,established; flowbits:isset,ScreenControl_capture2213; content:"|00|2|00 00|x|9C ED|"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7669; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2213 (msg:"MALWARE-BACKDOOR screen control 1.0 runtime detection - capture on port 2213 - flowbit set"; flow:to_server,established; content:"a"; flowbits:set,ScreenControl_capture2213; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7668; rev:6;)
# alert tcp $HOME_NET 2208 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR screen control 1.0 runtime detection - capture on port 2208"; flow:to_client,established; flowbits:isset,ScreenControl_conn; content:"/GR"; nocase; pcre:"/\x2FGR\d+\x3B\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7667; rev:7;)
# alert tcp $HOME_NET 2208 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR screen control 1.0 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,ScreenControl_conn; content:"/LO"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7665; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2208 (msg:"MALWARE-BACKDOOR screen control 1.0 runtime detection - flowbit set"; flow:to_server,established; content:"/"; depth:1; content:"R"; depth:1; offset:2; nocase; pcre:"/^\x2F[GL]R/smi"; flowbits:set,ScreenControl_conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7664; rev:6;)
# alert tcp $HOME_NET 1784 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR snid x2 v1.2 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,Snid_X2_InitConnection; content:"Snid X2 Server"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=1525; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5567; classtype:trojan-activity; sid:7663; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1784 (msg:"MALWARE-BACKDOOR snid x2 v1.2 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"VER "; depth:4; flowbits:set,Snid_X2_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7662; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR lan filtrator 1.1 runtime detection - initial connection request"; flow:to_client,established; flowbits:isset,LanFiltrator_InitConnectionRequest; content:"id_id"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=887; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074827; classtype:trojan-activity; sid:7661; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR lan filtrator 1.1 runtime detection - initial connection request - flowbit set"; flow:to_server,established; content:"|B4 AF 29 AE|LANfiltrator|AE 28 AF|`"; depth:20; flowbits:set,LanFiltrator_InitConnectionRequest; flowbits:noalert; classtype:trojan-activity; sid:7660; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR lan filtrator 1.1 runtime detection - sin notification"; flow:to_server,established; content:"pci"; depth:3; content:"|08 08 08 08 08 08 08 08|"; distance:0; reference:url,www.spywareguide.com/product_show.php?id=887; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074827; classtype:trojan-activity; sid:7659; rev:5;)
# alert tcp $HOME_NET 7777 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR jodeitor 1.1 runtime detection - initial connection"; flow:to_client,established; content:"++Conectado a"; depth:13; reference:url,www.spywareguide.com/product_show.php?id=675; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077303; classtype:trojan-activity; sid:7658; rev:6;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR small uploader 1.01 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,smalluploader_conn; content:"Pass-On"; depth:7; nocase; classtype:trojan-activity; sid:7651; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"MALWARE-BACKDOOR small uploader 1.01 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"Pass-On"; depth:7; nocase; flowbits:set,smalluploader_conn; flowbits:noalert; classtype:trojan-activity; sid:7650; rev:6;)
# alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"MALWARE-BACKDOOR minicom lite runtime detection - server-to-client"; flow:to_client,established; flowbits:isset,MinicomLite; content:"|04 03 02 01|"; depth:4; nocase; reference:url,www.megasecurity.org/trojans/m/minicom/Minicom4.5.html; reference:url,www.spywareguide.com/product_show.php?id=910; classtype:trojan-activity; sid:7649; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-BACKDOOR minicom lite runtime detection - client-to-server"; flow:to_server,established; content:"|04 03 02 01|"; depth:4; nocase; flowbits:set,MinicomLite; flowbits:noalert; reference:url,www.megasecurity.org/trojans/m/minicom/Minicom4.5.html; reference:url,www.spywareguide.com/product_show.php?id=910; classtype:trojan-activity; sid:7648; rev:7;)
# alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"MALWARE-BACKDOOR minicom lite runtime detection - udp"; content:"|04 03 02 01|n|00 00 00|"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/m/minicom/Minicom4.5.html; reference:url,www.spywareguide.com/product_show.php?id=910; classtype:trojan-activity; sid:7647; rev:6;)
# alert tcp $HOME_NET 667 -> $EXTERNAL_NET 666 (msg:"MALWARE-BACKDOOR snipernet 2.1 runtime detection"; flow:to_client,established; flowbits:isset,snipernet; content:"pingback"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/s/snipernet/Snipernet2.1.html; classtype:trojan-activity; sid:7646; rev:7;)
# alert tcp $EXTERNAL_NET 666 -> $HOME_NET 667 (msg:"MALWARE-BACKDOOR snipernet 2.1 runtime detection - flowbit set"; flow:to_server,established; content:"cmdping"; depth:7; nocase; flowbits:set,snipernet; flowbits:noalert; reference:url,www.megasecurity.org/trojans/s/snipernet/Snipernet2.1.html; classtype:trojan-activity; sid:7645; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1981 (msg:"MALWARE-BACKDOOR ullysse runtime detection - client-to-server"; flow:to_server,established; content:"L'esclave"; nocase; pcre:"/^\d+L\x27esclave\x09\d+\x09\d+/smi"; reference:url,www.megasecurity.org/trojans/u/ullysse/Ullysse.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075739; classtype:trojan-activity; sid:7644; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netcontrol takeover runtime detection"; flow:to_client,established; content:"answer"; depth:6; nocase; content:"|00 00 00 00 00 00|NetControl.Server"; distance:0; nocase; content:"|22|The"; distance:0; nocase; content:"UNSEEN|22|"; distance:0; nocase; content:"Project"; distance:0; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077485; classtype:trojan-activity; sid:7643; rev:5;)
# alert tcp $HOME_NET 6116 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR am remote client runtime detection - client response"; flow:to_client,established; flowbits:isset,AM_Remote_Client; content:"|35 01 02|"; depth:3; content:"|01 02|Program Files|01 02|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:7642; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6116 (msg:"MALWARE-BACKDOOR am remote client runtime detection - client-to-server"; flow:to_server,established; content:"29|01|C:|5C|"; fast_pattern:only; flowbits:set,AM_Remote_Client; metadata:impact_flag red; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:7641; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Exploit.Backdoor ncph runtime detection - initial connection"; flow:to_client,established; content:"xV4|12 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:24; nocase; metadata:impact_flag red; reference:url,en.wikipedia.org/wiki/Network_Crack_Program_Hacker_Group; classtype:trojan-activity; sid:7638; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch processes list"; flow:to_client,established; flowbits:isset,hornet.4; content:"008"; depth:3; reference:url,www.spywareguide.com/product_show.php?id=1667; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7636; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set"; flow:to_server,established; content:"008g"; depth:4; dsize:4; flowbits:set,hornet.4; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7635; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - irc connection"; flow:to_client,established; flowbits:isset,hornet.3; content:"006cb"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1667; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7634; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - irc connection - flowbit set"; flow:to_server,established; content:"006cb"; depth:5; flowbits:set,hornet.3; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7633; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info"; flow:to_client,established; flowbits:isset,hornet.2; content:"007Server"; depth:9; reference:url,www.spywareguide.com/product_show.php?id=1667; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7632; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set"; flow:to_server,established; content:"007r"; depth:4; dsize:4; flowbits:set,hornet.2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7631; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR helios 3.1 runtime detection - initial connection"; flow:to_client,established; content:"100|8D|"; depth:4; content:"|8D|3.1|8D|1|8F|"; distance:0; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074473; classtype:trojan-activity; sid:7630; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR skyrat show runtime detection - initial connection"; flow:to_client,established; flowbits:isset,skyrat.4; content:"*portok*"; depth:8; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081105; classtype:trojan-activity; sid:7629; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR skyrat show runtime detection - initial connection - flowbit 4"; flow:to_client,established; flowbits:isset,skyrat.3; content:"*PORT3*"; depth:7; pcre:"/^\x2APORT3\x2A\d+/"; flowbits:set,skyrat.4; flowbits:noalert; classtype:trojan-activity; sid:7628; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR skyrat show runtime detection - initial connection - flowbit 3"; flow:to_client,established; flowbits:isset,skyrat.2; content:"*PORT2*"; depth:7; pcre:"/^\x2APORT2\x2A\d+/"; flowbits:set,skyrat.3; flowbits:noalert; classtype:trojan-activity; sid:7627; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR skyrat show runtime detection - initial connection - flowbit 2"; flow:to_client,established; flowbits:isset,skyrat.1; content:"*PORT1*"; depth:7; pcre:"/^\x2APORT1\x2A\d+/"; flowbits:set,skyrat.2; flowbits:noalert; classtype:trojan-activity; sid:7626; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR skyrat show runtime detection - initial connection - flowbit 1"; flow:to_server,established; content:"*SPORT*"; depth:7; flowbits:set,skyrat.1; flowbits:noalert; classtype:trojan-activity; sid:7625; rev:5;)
# alert tcp $HOME_NET 7425 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote control 1.7 runtime detection - data connection"; flow:to_client,established; content:"|19 00 C8 00 01 00|"; depth:6; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080063; classtype:trojan-activity; sid:7624; rev:8;)
# alert tcp $HOME_NET 7424 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote control 1.7 runtime detection - connection request"; flow:to_client,established; flowbits:isset,remote.control.3; content:"|03 00|"; depth:2; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080063; classtype:trojan-activity; sid:7623; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7424 (msg:"MALWARE-BACKDOOR remote control 1.7 runtime detection - connection request - flowbit 3"; flow:to_server,established; flowbits:isset,remote.control.2; content:"|1D 00 03 00|"; depth:4; flowbits:set,remote.control.3; flowbits:noalert; classtype:trojan-activity; sid:7622; rev:5;)
# alert tcp $HOME_NET 7424 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote control 1.7 runtime detection - connection request - flowbit 2"; flow:to_client,established; flowbits:isset,remote.control.1; content:"|10 00|"; depth:2; flowbits:set,remote.control.2; flowbits:noalert; classtype:trojan-activity; sid:7621; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7424 (msg:"MALWARE-BACKDOOR remote control 1.7 runtime detection - connection request flowbit 1"; flow:to_server,established; content:"|0C 00 18 00 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08|"; depth:28; flowbits:set,remote.control.1; flowbits:noalert; classtype:trojan-activity; sid:7620; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.0 runtime detection - connection request with password"; flow:to_client,established; flowbits:isset,theef20.2; content:"|FA CB D9 D9|"; depth:4; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083786; classtype:trojan-activity; sid:7619; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR theef 2.0 runtime detection - connection request with password - flowbit 2"; flow:to_server,established; flowbits:isset,theef20.1; content:"|FA CB D9 D9 EB DE DE D6 9B 98 99|"; depth:11; flowbits:set,theef20.2; flowbits:noalert; classtype:trojan-activity; sid:7618; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.0 runtime detection - connection request with password - flowbit 1"; flow:to_client,established; content:"|FA CB D9 D9 DD C5 D8 CE D6|"; depth:9; flowbits:set,theef20.1; flowbits:noalert; classtype:trojan-activity; sid:7617; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.0 runtime detection - connection without password"; flow:to_client,established; content:"|FA CB D9 D9 E5 E1 D6|"; depth:7; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083786; classtype:trojan-activity; sid:7616; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - chat"; flow:to_client,established; flowbits:isset,katux20.4; content:"000Chat ouvert..."; depth:17; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310; classtype:trojan-activity; sid:7609; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - chat - flowbit set"; flow:to_server,established; content:"07415"; depth:5; flowbits:set,katux20.4; flowbits:noalert; classtype:trojan-activity; sid:7608; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - get system info"; flow:to_client,established; flowbits:isset,katux20.3; content:"001"; depth:3; content:"Version serveur|3A| Katux 2"; distance:0; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310; classtype:trojan-activity; sid:7607; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - get system info - flowbit set"; flow:to_server,established; content:"001"; depth:3; flowbits:set,katux20.3; flowbits:noalert; classtype:trojan-activity; sid:7606; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - screen capture"; flow:to_client,established; flowbits:isset,katux20.2; content:"000Ecran captur|E9|, transfert lanc|E9|..."; depth:36; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310; classtype:trojan-activity; sid:7605; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - screen capture - flowbit set"; flow:to_server,established; content:"10040"; depth:5; flowbits:set,katux20.2; flowbits:noalert; classtype:trojan-activity; sid:7604; rev:4;)
# alert udp $HOME_NET 5888 -> $EXTERNAL_NET 5887 (msg:"MALWARE-BACKDOOR y3k 1.2 runtime detection - init connection 2"; flow:to_client; flowbits:isset,Y3K_InitConnection_2; content:"{}"; depth:2; nocase; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7122; rev:7;)
# alert udp $EXTERNAL_NET 5887 -> $HOME_NET 5888 (msg:"MALWARE-BACKDOOR y3k 1.2 runtime detection"; flow:to_server; content:"login"; depth:5; nocase; flowbits:set,Y3K_InitConnection_2; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7121; rev:6;)
# alert udp $HOME_NET 5882 -> $EXTERNAL_NET 5881 (msg:"MALWARE-BACKDOOR y3k 1.2 runtime detection - init connection 1"; flow:to_client; flowbits:isset,Y3K_InitConnection_1; content:"C"; depth:1; nocase; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7120; rev:7;)
# alert udp $EXTERNAL_NET 5881 -> $HOME_NET 5882 (msg:"MALWARE-BACKDOOR y3k 1.2 runtime detection"; flow:to_server; content:"Y3K"; depth:3; nocase; flowbits:set,Y3K_InitConnection_1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7119; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR ghost 2.3 runtime detection"; flow:to_client,established; content:"ver|3A|Ghost version "; depth:18; nocase; content:"server"; distance:0; nocase; pcre:"/^ver\x3aGhost\s+version\s+\d+\x2E\d+\s+server/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/g/ghost/Ghost2.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=42053; classtype:trojan-activity; sid:7115; rev:6;)
# alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection"; flow:to_client,established; content:"OK|00|1|00|AF&AY|00|pINg_|00|!|28|c|29 23|"; depth:22; nocase; metadata:impact_flag red; reference:url,virustotal.com/en/file/f946e2faf21d7b2efc461e6a96135c1aa2c465485362f461177bca699366cc1f/analysis/; classtype:trojan-activity; sid:7114; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23476 (msg:"MALWARE-BACKDOOR Win.Trojan.DonaldDick variant inbound connection detection"; flow:to_server,established; content:"1|00|AF&AY|00|pINg_|00|!|28|c|29 23|"; depth:19; nocase; metadata:impact_flag red; reference:url,virustotal.com/en/file/f946e2faf21d7b2efc461e6a96135c1aa2c465485362f461177bca699366cc1f/analysis/; classtype:trojan-activity; sid:7113; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fearless lite 1.01 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.fearless.runtime; content:"Pass-On0"; depth:8; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fearless/Fearless_lite1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078381; classtype:trojan-activity; sid:7112; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR fearless lite 1.01 runtime detection"; flow:to_server,established; content:"Pass-On"; depth:7; nocase; flowbits:set,backdoor.fearless.runtime; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/fearless/Fearless_lite1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078381; classtype:trojan-activity; sid:7111; rev:12;)
alert tcp $HOME_NET 777 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR undetected runtime detection"; flow:to_client,established; content:"STLUdt v3.3 - "; depth:14; nocase; content:"-|28|udt33vic|29|"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/u/undetected/Undetected3.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=17265; classtype:trojan-activity; sid:7108; rev:6;)
# alert tcp $HOME_NET 21554 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR girlfriend runtime detection"; flow:to_client,established; flowbits:isset,GirlFriend.1.35.connection; content:"GirlFriend Server"; depth:17; nocase; pcre:"/^GirlFriend\s+Server\s+\d+\x2E\d+\s+\x2E\s+port\s+\d/smi"; reference:url,www.megasecurity.org/trojans/g/girlfriend/GirlFriend1.35_ms.html; reference:url,www.spywareguide.com/product_show.php?id=834; classtype:trojan-activity; sid:7107; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21554 (msg:"MALWARE-BACKDOOR girlfriend runtime detection"; flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,GirlFriend.1.35.connection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/g/girlfriend/GirlFriend1.35_ms.html; reference:url,www.spywareguide.com/product_show.php?id=834; classtype:trojan-activity; sid:7106; rev:4;)
alert tcp $HOME_NET 30029 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR aol admin runtime detection"; flow:to_client,established; content:"AOL Admin Server 1.1 By CHeeSeR"; depth:31; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/a/aoladmin/Aoladmin1.1.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=313; classtype:trojan-activity; sid:7105; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 30029 (msg:"MALWARE-BACKDOOR aol admin runtime detection"; flow:to_server,established; content:"INFO"; depth:4; nocase; flowbits:set,AOLAdmin1.1.connection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/a/aoladmin/Aoladmin1.1.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=313; classtype:trojan-activity; sid:7104; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR gwboy 0.92 runtime detection"; flow:to_server,established; content:"|01 0A 02|"; depth:3; flowbits:set,GWBoy_InitConnection1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077181; classtype:trojan-activity; sid:7101; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"MALWARE-BACKDOOR remote hack 1.5 runtime detection - start keylogger"; flow:to_server,established; content:"kstart|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7099; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"MALWARE-BACKDOOR remote hack 1.5 runtime detection - get password"; flow:to_server,established; content:"catasenha|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7098; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"MALWARE-BACKDOOR remote hack 1.5 runtime detection - execute file"; flow:to_server,established; content:"executafile|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7097; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"MALWARE-BACKDOOR remote hack 1.5 runtime detection - logon"; flow:to_server,established; content:"logon|7C|"; depth:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7096; rev:5;)
alert tcp $HOME_NET 5555 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR serveme runtime detection"; flow:to_client,established; content:"ServeMe 1.x"; depth:11; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/serveme/Serveme.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081036; classtype:trojan-activity; sid:7091; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password server-to-client"; flow:to_client,established; flowbits:isset,sinique_initial_wrg_client-to-server; content:"|B8 9B 93 9D 9A B2 95 9D 98 91 90|"; depth:11; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7090; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password -client-to-server"; flow:to_server,established; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 8D 88|"; depth:12; flowbits:set,sinique_initial_wrg_client-to-server; flowbits:noalert; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7089; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR sinique 1.0 runtime detection - initial connection with correct password server-to-client"; flow:to_client,established; flowbits:isset,sinique_initial_crt_client-to-server; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 9D 91 90|"; depth:13; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7088; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR sinique 1.0 runtime detection - initial connection with correct password client-to-server"; flow:to_server,established; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 8D 88|"; depth:12; flowbits:set,sinique_initial_crt_client-to-server; flowbits:noalert; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7087; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR erazer v1.1 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Erazer_InitConnection; content:"000Ok"; depth:5; nocase; content:"echter"; distance:0; nocase; content:"server"; distance:0; nocase; pcre:"/^000Ok\s+echter\s+server\s+\?/smi"; reference:url,www.megasecurity.org/trojans/e/erazer/Erazer1.1.html; classtype:trojan-activity; sid:7086; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR erazer v1.1 runtime detection"; flow:to_client,established; content:"000, Checking..."; depth:16; nocase; flowbits:set,Erazer_InitConnection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/e/erazer/Erazer1.1.html; classtype:trojan-activity; sid:7085; rev:6;)
# alert tcp $EXTERNAL_NET 62358 -> $HOME_NET any (msg:"MALWARE-BACKDOOR erazer v1.1 runtime detection - sin notification"; flow:to_client,established; content:"Erazer"; depth:6; nocase; content:"SIN"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/^Erazer\s+SIN\s+Server/smi"; reference:url,www.megasecurity.org/trojans/e/erazer/Erazer1.1.html; classtype:trojan-activity; sid:7084; rev:7;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mosucker3.0 runtime detection - server-to-client1"; flow:to_client,established; flowbits:isset,MoSucker3_0; content:"KEY="; depth:4; nocase; content:"PASSW="; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=1306; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083782; classtype:trojan-activity; sid:7083; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"MALWARE-BACKDOOR mosucker3.0 runtime detection - client-to-server"; flow:to_server,established; content:"KEY="; depth:4; nocase; content:"Nickname="; distance:0; nocase; pcre:"/^KEY=[^\s]*\s+Nickname=/smi"; flowbits:set,MoSucker3_0; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1306; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083782; classtype:trojan-activity; sid:7082; rev:6;)
# alert tcp $EXTERNAL_NET 10015 -> $HOME_NET any (msg:"MALWARE-BACKDOOR up and run v1.0 beta runtime detection"; flow:to_client,established; flowbits:isset,up_run_3; content:"EOF"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7081; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 10015 (msg:"MALWARE-BACKDOOR up and run v1.0 beta runtime detection flowbit 3"; flow:to_server,established; flowbits:isset,up_run_2; content:"NEXT"; nocase; flowbits:set,up_run_3; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7080; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 10015 (msg:"MALWARE-BACKDOOR up and run v1.0 beta runtime detection flowbit 2"; flow:to_server,established; flowbits:isset,up_run_1; content:"NEXT"; depth:4; nocase; flowbits:set,up_run_2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7079; rev:5;)
# alert tcp $EXTERNAL_NET 10015 -> $HOME_NET any (msg:"MALWARE-BACKDOOR up and run v1.0 beta runtime detection flowbit 1"; flow:to_client,established; content:"BOF"; depth:3; nocase; pcre:"/^BOF[a-z]\x3A\x5C/smi"; flowbits:set,up_run_1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7078; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bandook 1.0 runtime detection"; flow:to_server,established; content:"&first& "; depth:8; nocase; reference:url,www.nuclearwinter.us/; classtype:trojan-activity; sid:7075; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fraggle rock 2.0 lite runtime detection - pc info"; flow:to_client,established; flowbits:isset,backdoor.fraggle.rock.2.0.lite.pc.info; content:"info"; depth:4; nocase; content:"Information"; distance:0; nocase; pcre:"/^info\s+Information\s+for/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077120; classtype:trojan-activity; sid:7072; rev:7;)
# alert udp $HOME_NET 47262 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR delta source 0.5 beta runtime detection - pc info"; flow:to_client; content:"Server"; depth:6; nocase; content:"info|3A|"; distance:0; nocase; content:"Delta"; distance:0; nocase; content:"Source"; distance:0; nocase; pcre:"/^Server\s+info\x3A\x0D\x0ADelta\s+Source\s+v\d+\x2E\d+/smi"; reference:url,www.spywareguide.com/product_show.php?id=840; classtype:trojan-activity; sid:7069; rev:7;)
# alert udp $HOME_NET 47262 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR delta source 0.5 beta runtime detection - ping"; flow:to_client; content:"Delta"; depth:5; nocase; content:"Source"; distance:0; nocase; pcre:"/^Delta\s+Source\s+\d+\x2E\d+/smi"; reference:url,www.spywareguide.com/product_show.php?id=840; classtype:trojan-activity; sid:7068; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection"; flow:to_server,established; flowbits:isset,backdoor.cybernetic.1.62.rev.conn.2; content:"connect"; depth:7; nocase; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7067; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection flowbit 1"; flow:to_server,established; flowbits:isset,backdoor.cybernetic.1.62.rev.conn.1; content:"DmInf"; depth:5; nocase; pcre:"/^DmInf\^[^\r\n]*\^\d+\x2E\d+\x2E\d+\x2E\d+\^/smi"; flowbits:set,backdoor.cybernetic.1.62.rev.conn.2; flowbits:unset,backdoor.cybernetic.1.62.rev.conn.1; flowbits:noalert; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7066; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection flowbit 1"; flow:to_server,established; content:"DmInf"; depth:5; nocase; flowbits:set,backdoor.cybernetic.1.62.rev.conn.1; flowbits:noalert; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7065; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR cybernetic 1.62 runtime detection - email notification"; flow:to_server,established; content:"from|3A|"; nocase; content:"cyber@yahoo.com"; distance:0; nocase; content:"subject|3A|"; nocase; content:"notification"; distance:0; nocase; pcre:"/^from\x3A[^\r\n]*cyber@yahoo\x2Ecom.*subject\x3A[^\r\n]*notification\d+\x2E\d+\x2E\d+\x2E\d+/smi"; metadata:service smtp; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7064; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR charon runtime detection - download log flowbit 1"; flow:to_client,established; content:"REQ|7C 24|SYS|24|proc32.dll"; depth:19; nocase; flowbits:set,charon_download_1; flowbits:noalert; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7061; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR charon runtime detection - download file/log"; flow:to_client,established; flowbits:isset,charon_download_2; content:"SEND|7C|"; depth:5; nocase; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7060; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR charon runtime detection - download file/log flowbit 2"; flow:to_server,established; flowbits:isset,charon_download_1; content:"FREQ|7C|"; depth:5; nocase; pcre:"/^FREQ\x7C\d+/smi"; flowbits:set,charon_download_2; flowbits:noalert; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7059; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR charon runtime detection - download file flowbit 1"; flow:to_client,established; content:"REQ|7C|"; depth:4; nocase; pcre:"/^REQ\|[A-Z]\x3A\x5C/smi"; flowbits:set,charon_download_1; flowbits:noalert; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7058; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR charon runtime detection - initial connection"; flow:to_server,established; content:"SI|7C|Server|7C|"; depth:10; nocase; pcre:"/^SI\|Server\|[^\r\n]*\|\d+\x2E\d+\x2E\d+\x2E\d+\|/smi"; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7057; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR omerta 1.3 runtime detection"; flow:to_server,established; flowbits:isset,Omerta_1_3_conn_1; content:"Details|7C|"; depth:8; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.omerta.html; reference:url,www.antivirusprogram.se/virusinfo/Backdoor.Omerta_4852.html; classtype:trojan-activity; sid:6500; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR omerta 1.3 runtime detection"; flow:to_client,established; content:"RequestName|7C|"; depth:12; nocase; flowbits:set,Omerta_1_3_conn_1; flowbits:noalert; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.omerta.html; reference:url,www.antivirusprogram.se/virusinfo/Backdoor.Omerta_4852.html; classtype:trojan-activity; sid:6499; rev:8;)
# alert tcp $HOME_NET 21554 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR exploiter 1.0 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.exploiter.1.0.conn; content:"Exploiter"; depth:9; nocase; content:"Server"; distance:0; nocase; content:"Port"; distance:0; nocase; pcre:"/^Exploiter\s+Server\s+\d+\x2E\d+\s+\x2E\s+Port\s+\d+/smi"; reference:url,www.spywareguide.com/product_show.php?id=1603; classtype:trojan-activity; sid:6498; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21554 (msg:"MALWARE-BACKDOOR exploiter 1.0 runtime detection"; flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,backdoor.exploiter.1.0.conn; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1603; classtype:trojan-activity; sid:6497; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trickler Backdoor-BAC.gen.e runtime detection - post data"; flow:to_server,established; content:"/dat7.php"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"xpsp2"; nocase; http_header; content:"lifeisfine.org"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3A[^\r\n]*xpsp2-\d+.*Host\x3A[^\r\n]*lifeisfine\x2Eorg/smiH"; metadata:impact_flag red, service http; reference:url,vil.mcafeesecurity.com/vil/content/v_138750.htm; classtype:misc-activity; sid:6493; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trickler Backdoor-BAC.gen.e runtime detection - notification"; flow:to_server,established; content:"/bsrv.php"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"socksport="; fast_pattern; nocase; http_uri; content:"httpport="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,vil.mcafeesecurity.com/vil/content/v_138750.htm; classtype:misc-activity; sid:6492; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR badrat 1.1 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.badrat.1.1.conn; content:"okpass"; depth:6; nocase; reference:url,www.megasecurity.org/trojans/b/badrat/Badrat1.1.html; classtype:trojan-activity; sid:6476; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR badrat 1.1 runtime detection - flowbit set"; flow:to_server,established; content:"badratpass"; depth:10; nocase; flowbits:set,backdoor.badrat.1.1.conn; flowbits:noalert; reference:url,www.megasecurity.org/trojans/b/badrat/Badrat1.1.html; classtype:trojan-activity; sid:6475; rev:4;)
# alert tcp $HOME_NET 2115 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client"; flow:to_client,established; flowbits:isset,Bugs_InitConnection; content:"CURDIR "; nocase; reference:url,www.commodon.com/threat/threat-bugs.htm; classtype:trojan-activity; sid:6473; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2115 (msg:"MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server"; flow:to_server,established; content:"CURDIR|0D|"; depth:7; nocase; flowbits:set,Bugs_InitConnection; flowbits:noalert; reference:url,www.commodon.com/threat/threat-bugs.htm; classtype:trojan-activity; sid:6472; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4125 (msg:"MALWARE-BACKDOOR netangel connection client-to-server"; flow:to_server,established; content:"netangel"; depth:8; nocase; reference:url,megasecurity.org/trojans/n/netangel/Netangel1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086360; classtype:trojan-activity; sid:6402; rev:5;)
# alert tcp $HOME_NET 5328 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR snowdoor runtime detection server-to-client"; flow:to_client,established; flowbits:isset,snowdoor_cts; content:"DISK"; depth:4; nocase; pcre:"/^DISK[A-z][0-9]/smi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.snowdoor.html; reference:url,www.megasecurity.org/trojans/s/snow/Snow1.3.html; classtype:trojan-activity; sid:6401; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5328 (msg:"MALWARE-BACKDOOR snowdoor runtime detection client-to-server"; flow:to_server,established; content:"DISK"; depth:4; nocase; flowbits:set,snowdoor_cts; flowbits:noalert; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.snowdoor.html; reference:url,www.megasecurity.org/trojans/s/snow/Snow1.3.html; classtype:trojan-activity; sid:6400; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR rad 1.2.3 runtime detection"; flow:to_client,established; content:" rad "; depth:6; nocase; content:" >< "; distance:0; pcre:"/^\s\srad\s\d+\x2E\d+\x2E\d+\s\s\x3E\x3C/smi"; reference:url,www.megasecurity.org/trojans/r/rad/Rad1.2.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072457; classtype:trojan-activity; sid:6399; rev:7;)
# alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR http rat runtime detection - http"; flow:to_client,established; content:"<html><head><title>HTTP_RAT</title>"; nocase; content:"<h3>z0mbie's HTTP_RAT"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076346; classtype:trojan-activity; sid:6398; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR http rat runtime detection - smtp"; flow:to_server,established; content:"from|3A|"; nocase; content:"HTTP_RAT_"; distance:0; nocase; content:"subject|3A|"; distance:0; nocase; content:"there"; distance:0; nocase; content:"is"; distance:0; nocase; content:"a"; distance:0; nocase; content:"HTTPRAT"; distance:0; nocase; content:"waiting"; distance:0; nocase; content:"4"; distance:0; nocase; content:"u"; distance:0; nocase; content:"on"; distance:0; nocase; pcre:"/^FROM\x3A\s+HTTP_RAT_.*SUBJECT\x3A\s+there\s+is\s+a\s+HTTPRAT\s+waiting\s+4\s+u\s+on/smi"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076346; classtype:trojan-activity; sid:6397; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR hatredfriend email notification detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"IP"; distance:0; nocase; content:"Contact"; distance:0; nocase; content:"X-Mailer|3A|"; nocase; content:"EBT"; distance:0; nocase; content:"Reporter"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Vic"; distance:0; nocase; content:"Ip"; distance:0; nocase; content:"Addy"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*IP\s+Contact.*X-Mailer\x3A[^\r\n]*EBT\s+Reporter.*Subject\x3A[^\r\n]*Vic\s+Ip\s+Addy/smi"; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=832; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215; classtype:trojan-activity; sid:6339; rev:6;)
# alert tcp $HOME_NET 18713 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hatredfriend file manage command"; flow:to_client,established; flowbits:isset,backdoor.HatredFriend.cts; content:"[DRIVE"; nocase; content:"LIST]"; distance:0; nocase; pcre:"/\[DRIVE\s+LIST\]\d(\x00[a-zA-Z]\x3A(\s+\[.*\])?)+/smi"; reference:url,www.spywareguide.com/product_show.php?id=832; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215; classtype:trojan-activity; sid:6338; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 18713 (msg:"MALWARE-BACKDOOR hatredfriend file manage command - set flowbit"; flow:to_server,established; content:"[LOAD"; nocase; content:"DRIVE"; distance:0; nocase; content:"DATA]"; distance:0; nocase; pcre:"/^\[LOAD\s+DRIVE\s+DATA\]/smi"; flowbits:set,backdoor.HatredFriend.cts; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=832; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215; classtype:trojan-activity; sid:6337; rev:4;)
# alert tcp $HOME_NET 12624 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR buttman v0.9p runtime detection - remote control"; flow:to_client,established; flowbits:isset,buttman.1; content:"|23|+|0D 0A|"; reference:url,www.spywareguide.com/product_show.php?id=684; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453089720; classtype:trojan-activity; sid:6336; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12624 (msg:"MALWARE-BACKDOOR buttman v0.9p runtime detection - remote control - set flowbit"; flow:to_server,established; content:"*?!?"; depth:4; flowbits:set,buttman.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=684; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453089720; classtype:trojan-activity; sid:6335; rev:6;)
# alert tcp $HOME_NET 11831 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR backlash runtime detection"; flow:to_client,established; content:"BackLash Server"; depth:15; nocase; reference:url,www.spywareguide.com/product_show.php?id=1376; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076823; classtype:trojan-activity; sid:6334; rev:6;)
# alert tcp $HOME_NET 2583 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wincrash 2.0 runtime detection"; flow:to_client,established; content:"WinCrash"; depth:8; nocase; content:"Server"; distance:0; nocase; pcre:"/^WinCrash\s+Server\s+\d+\x2E\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084089; classtype:trojan-activity; sid:6333; rev:6;)
# alert tcp $HOME_NET 1255 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR globalkiller1.0 runtime detection - initial connection"; flow:to_client,established; content:"Conectado"; depth:9; nocase; content:"Yeah!"; distance:0; nocase; pcre:"/^Conectado\s+Yeah\!/smi"; reference:url,www.spywareguide.com/product_show.php?id=1656; classtype:trojan-activity; sid:6332; rev:6;)
# alert tcp $EXTERNAL_NET 11000 -> $HOME_NET any (msg:"MALWARE-BACKDOOR commando runtime detection - chat server-to-client"; flow:to_client,established; flowbits:isset,Commando; content:"Servidor |3A|"; reference:url,www.megasecurity.org/trojans/c/comando/Comando.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368; classtype:trojan-activity; sid:6330; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 11000 (msg:"MALWARE-BACKDOOR commando runtime detection - chat client-to-server"; flow:to_server,established; content:"Cliente |3A|"; flowbits:set,Commando; flowbits:noalert; reference:url,www.megasecurity.org/trojans/c/comando/Comando.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368; classtype:trojan-activity; sid:6329; rev:4;)
# alert tcp $EXTERNAL_NET 11000 -> $HOME_NET any (msg:"MALWARE-BACKDOOR commando runtime detection - initial connection"; flow:to_client,established; content:"Conectou"; depth:8; reference:url,www.megasecurity.org/trojans/c/comando/Comando.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368; classtype:trojan-activity; sid:6328; rev:6;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fucktrojan 1.2 runtime detection - flood"; flow:to_client,established; flowbits:isset,FuckTrojan_flood; content:"Windows"; nocase; content:"Directory"; distance:0; nocase; content:"Flooded"; distance:0; nocase; pcre:"/Windows\s+Directory\s+Flooded/smi"; reference:url,megasecurity.org/trojans/f/fucktrojan/Fucktrojan1.2.html; classtype:trojan-activity; sid:6327; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR fucktrojan 1.2 runtime detection - flood"; flow:to_server,established; content:"Flood"; nocase; flowbits:set,FuckTrojan_flood; flowbits:noalert; classtype:trojan-activity; sid:6326; rev:4;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fucktrojan 1.2 runtime detection - initial connection"; flow:to_client,established; content:"Connected to Server |3A|-|29|"; depth:23; nocase; reference:url,megasecurity.org/trojans/f/fucktrojan/Fucktrojan1.2.html; classtype:trojan-activity; sid:6325; rev:6;)
# alert tcp $HOME_NET 47221 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR 3xBackdoor runtime detection"; flow:to_client,established; flowbits:isset,bit.3xBackdoorconnection; content:"Raport|3A| serwer aktywny"; depth:22; nocase; reference:url,www.megasecurity.org/trojans/0_9/3xbackdoor/3xbackdoor.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084228; classtype:trojan-activity; sid:6324; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 47221 (msg:"MALWARE-BACKDOOR 3xBackdoor runtime detection - set flowbit"; flow:to_server,established; content:"&raport"; depth:7; nocase; flowbits:set,bit.3xBackdoorconnection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/0_9/3xbackdoor/3xbackdoor.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084228; classtype:trojan-activity; sid:6323; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 8012 (msg:"MALWARE-BACKDOOR ptakks2.1 runtime detection - command pattern"; flow:to_server; content:",|3A|,j"; nocase; content:"G,o,,y,"; distance:0; nocase; pcre:"/\x2C\x3A\x2C\x6A[^\r\n]*\x47\x2C\x6F\x2C\x2C\x79\x2C/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909; classtype:trojan-activity; sid:6322; rev:7;)
# alert udp $EXTERNAL_NET 8012 -> $HOME_NET any (msg:"MALWARE-BACKDOOR ptakks2.1 runtime detection - keepalive acknowledgement"; flow:to_client; flowbits:isset,PtakkS_Keepalive; content:",jRj,"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909; classtype:trojan-activity; sid:6321; rev:7;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 8012 (msg:"MALWARE-BACKDOOR ptakks2.1 runtime detection - keepalive"; flow:to_server; content:"aComprobar"; nocase; content:"si"; distance:0; nocase; content:"esta"; distance:0; nocase; content:"conectadoa"; distance:0; nocase; pcre:"/\x23\x31\x23aComprobar\s+si\s+esta\s+conectadoa\x232\x23\x233\x23\x23f\x23/smi"; flowbits:set,PtakkS_Keepalive; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909; classtype:trojan-activity; sid:6320; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR evilftp runtime detection - init connection"; flow:to_client,established; content:"Welcome to EvilFTP |3A 29|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=965; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1929; classtype:trojan-activity; sid:6319; rev:6;)
# alert tcp $HOME_NET 623 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR rtb666 runtime detection"; flow:to_client,established; content:"RTB"; depth:3; nocase; content:"666"; distance:0; nocase; content:"Firewall"; distance:0; nocase; content:"Guarded"; distance:0; nocase; content:"Port"; distance:0; nocase; content:"Your"; distance:0; nocase; content:"IP"; distance:0; nocase; content:"is"; distance:0; nocase; pcre:"/^RTB\s+666\s+v\x2E\d+\x2E\d+\x3B\s+Firewall\s+Guarded\s+Port\x2E\s+Your\s+IP\s+is/smi"; reference:url,www.spywareguide.com/product_show.php?id=1501; classtype:trojan-activity; sid:6318; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - file manager response"; flow:to_client,established; flowbits:isset,NetDemon_FileManager; content:"FILESIZE>"; depth:9; pcre:"/^FILESIZE\x3E[^\r\n]*\x3E\d+/sm"; classtype:trojan-activity; sid:6317; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - file manager request"; flow:to_server,established; content:"GETLIST "; depth:8; pcre:"/^GETLIST\s+[^\r\n]*\n/sm"; flowbits:set,NetDemon_FileManager; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6316; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - open browser response"; flow:to_client,established; flowbits:isset,NetDemon_OpenBrowser; content:"browseropened|0A|"; depth:14; classtype:trojan-activity; sid:6315; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - open browser request"; flow:to_server,established; content:"openbrowser "; depth:12; pcre:"/^openbrowser\s+[^\r\n]*\n/sm"; flowbits:set,NetDemon_OpenBrowser; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6314; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - message response"; flow:to_client,established; flowbits:isset,NetDemon_Msg; content:"WAIT|0A|"; depth:5; classtype:trojan-activity; sid:6313; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - message send"; flow:to_server,established; content:"MSG "; depth:4; pcre:"/^MSG\s+[^\r\n]*\n/sm"; flowbits:set,NetDemon_Msg; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6312; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted"; flow:to_client,established; flowbits:isset,NetDemon_Init2; content:"OKPWD|0A|"; depth:6; classtype:trojan-activity; sid:6311; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - initial connection - password send"; flow:to_server,established; flowbits:isset,NetDemon_Init1; content:"PWD "; pcre:"/^PWD\s+[^\r\n]*\n/sm"; flowbits:set,NetDemon_Init2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6310; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - initial connection - password request"; flow:to_client,established; content:"PWD|0A|"; depth:4; flowbits:set,NetDemon_Init1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6309; rev:7;)
# alert tcp $HOME_NET 6660 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR lamespy runtime detection - initial connection"; flow:to_client,established; flowbits:isset,bit.LameSpyInitialconnection; content:"cname|3A|"; depth:6; nocase; content:"Command Sendet"; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=1586; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3370; classtype:trojan-activity; sid:6308; rev:6;)
# alert tcp $HOME_NET 6660 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR lamespy runtime detection - initial connection - set flowbit"; flow:to_client,established; content:"accept|3A|"; depth:7; nocase; flowbits:set,bit.LameSpyInitialconnection; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1586; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3370; classtype:trojan-activity; sid:6307; rev:5;)
# alert tcp $HOME_NET 6912 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR shit heep runtime detection"; flow:to_client,established; content:"SHIT-HEEP"; depth:9; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5451; classtype:trojan-activity; sid:6306; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1207 (msg:"MALWARE-BACKDOOR softwar shadowthief runtime detection - initial connection"; flow:to_server,established; flowbits:isset,bit.SoftWARShadowThiefInitialconnection; content:"|01|SoftWAR Client|00|"; depth:18; nocase; reference:url,www.megasecurity.org/trojans/s/softwar/Softwar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=19977; classtype:trojan-activity; sid:6305; rev:6;)
# alert tcp $HOME_NET 1207 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR softwar shadowthief runtime detection - initial connection - set flowbit"; flow:to_client,established; content:"R|00|SoftWAR Server"; depth:16; nocase; flowbits:set,bit.SoftWARShadowThiefInitialconnection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/s/softwar/Softwar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=19977; classtype:trojan-activity; sid:6304; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cia runtime detection - initial connection"; flow:to_client,established; flowbits:isset,CIA13_conn; content:"passcorrect|3B|"; nocase; content:"CIA"; distance:0; nocase; pcre:"/^passcorrect\x3B\d+\x3B\d+\x3BCIA/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6303; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR cia runtime detection - initial connection - set flowbit"; flow:to_server,established; content:"verifyPASS"; depth:10; flowbits:set,CIA13_conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6302; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR cia 1.3 runtime detection - smtp notification"; flow:to_server,established; content:"From|3A|"; nocase; content:"Im"; distance:0; nocase; content:"Online"; distance:0; nocase; content:"<msn@msn.com>"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Im"; distance:0; nocase; content:"Version|3A|"; distance:0; nocase; content:"CIA"; distance:0; nocase; content:"1.3"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*Im\s+Online\s+\d+\x2E\d+\x2E\d+\x2E\d+/smi"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6301; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR insurrection 1.1.0 runtime detection - initial connection"; flow:to_server,established; content:"Insurrection1"; depth:13; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744; classtype:trojan-activity; sid:6299; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR insurrection 1.1.0 runtime detection - reverse connection"; flow:to_server,established; content:"sin"; depth:3; nocase; pcre:"/^sin\d+\x3A[^\r\n]*\x3A\d+\x3A\d+\x3A/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744; classtype:trojan-activity; sid:6298; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1337 (msg:"MALWARE-BACKDOOR joker ddos v1.0.1 runtime detection - bomb"; flow:to_server,established; flowbits:isset,backdoor.joker.ddos.1.0.conn.2; content:"C2 "; depth:3; nocase; pcre:"/^C2\s\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6295; rev:5;)
# alert tcp $HOME_NET 1337 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR joker ddos v1.0.1 runtime detection - bomb - second flowbit"; flow:to_client,established; flowbits:isset,backdoor.joker.ddos.1.0.conn.1; content:"M1 "; depth:3; nocase; pcre:"/^M1\s\d+\x2E\d+\x2E\d+\x2E\d+/smi"; flowbits:set,backdoor.joker.ddos.1.0.conn.2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6294; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1337 (msg:"MALWARE-BACKDOOR joker ddos v1.0.1 runtime detection - bomb - initial flowbit"; flow:to_server,established; content:"C1 "; depth:3; nocase; pcre:"/^C1\s\d+\x2E\d+\x2E\d+\x2E\d+/smi"; flowbits:set,backdoor.joker.ddos.1.0.conn.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6293; rev:5;)
# alert tcp $HOME_NET 1337 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR joker ddos v1.0.1 runtime detection - initial connection"; flow:to_client,established; content:"MV 1.0"; depth:6; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6292; rev:6;)
# alert tcp $HOME_NET 7306 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client"; flow:to_client,established; content:"Netspy Version "; fast_pattern:only; reference:url,virustotal.com/en/file/4901d21e08de53f3c7e0e6015b6a84c144494f6802e8efba2c18acf30a375f34/analysis/; classtype:trojan-activity; sid:6290; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7306 (msg:"MALWARE-BACKDOOR netspy runtime detection - command pattern client-to-server"; flow:to_server,established; content:"Netspy Version"; fast_pattern:only; reference:url,virustotal.com/en/file/4901d21e08de53f3c7e0e6015b6a84c144494f6802e8efba2c18acf30a375f34/analysis/; classtype:trojan-activity; sid:6289; rev:5;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fictional daemon 4.4 runtime detection - ftp"; flow:to_client,established; content:"We"; nocase; content:"got"; distance:0; nocase; content:"this"; distance:0; nocase; content:"GREAT"; distance:0; nocase; content:"Daemon"; distance:0; nocase; content:"Fictional"; nocase; content:"Daemon"; distance:0; nocase; pcre:"/We\s+got\s+this\s+GREAT\s+Daemon.*Fictional\s+Daemon/smi"; metadata:service ftp; reference:url,www.spywareguide.com/product_show.php?id=1159; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074164; classtype:trojan-activity; sid:6288; rev:7;)
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fictional daemon 4.4 runtime detection - telent"; flow:to_client,established; content:"We"; nocase; content:"got"; distance:0; nocase; content:"this"; distance:0; nocase; content:"GREAT"; distance:0; nocase; content:"Daemon"; distance:0; nocase; content:"Fictional"; nocase; content:"Daemon"; distance:0; nocase; pcre:"/^We\s+got\s+this\s+GREAT\s+Daemon.*Fictional\s+Daemon/smi"; reference:url,www.spywareguide.com/product_show.php?id=1159; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074164; classtype:trojan-activity; sid:6287; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR antilamer 1.1 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.antilamer1.1.conn; content:"024|C2 E5 F0 F1 E8 FF| |F1 E5 F0 E2 E5 F0 E0| - 1.1"; depth:23; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076222; classtype:trojan-activity; sid:6286; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR antilamer 1.1 runtime detection - set flowbit"; flow:to_server,established; content:"024"; depth:3; nocase; flowbits:set,backdoor.antilamer1.1.conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076222; classtype:trojan-activity; sid:6285; rev:4;)
# alert tcp $HOME_NET 57341 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netraider 0.0 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.netraider.0.0.runtime; content:"NSServer-sPISPJ99"; depth:17; nocase; reference:url,www.megasecurity.org/trojans/n/netraider/Netraider0.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3979; classtype:trojan-activity; sid:6181; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 57341 (msg:"MALWARE-BACKDOOR netraider 0.0 runtime detection"; flow:to_server,established; content:"NSClient-sPISPJ99"; depth:17; nocase; flowbits:set,backdoor.netraider.0.0.runtime; flowbits:noalert; reference:url,www.megasecurity.org/trojans/n/netraider/Netraider0.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3979; classtype:trojan-activity; sid:6180; rev:4;)
# alert tcp $HOME_NET 5400 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bladerunner 0.80 runtime detection"; flow:to_client,established; content:"Blade Runner"; depth:12; nocase; pcre:"/^Blade\s+Runner\s+ver\s+\d+/smi"; reference:url,www.megasecurity.org/trojans/b/bladerunner/BladeRunner0.80a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=862; classtype:trojan-activity; sid:6179; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR ultimate destruction runtime detection - kill windows client-to-server"; flow:to_server,established; content:"Killwidows|7C|"; depth:11; nocase; reference:url,www.splintersecurity.com; classtype:trojan-activity; sid:6178; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR ultimate destruction runtime detection - kill process client-to-server"; flow:to_server,established; content:"Killpro|7C|"; depth:8; nocase; reference:url,www.splintersecurity.com; classtype:trojan-activity; sid:6177; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR guptachar 2.0 runtime detection"; flow:to_client,established; content:"Server|3A|"; nocase; content:"Guptachar"; distance:0; nocase; pcre:"/^Server\x3A\s+Guptachar\s+\d+\x2E\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073814; classtype:trojan-activity; sid:6176; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR cookie monster 0.24 runtime detection - kill kernel"; flow:to_server,established; content:"krnlkill|0D 0A|"; depth:10; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6175; rev:5;)
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cookie monster 0.24 runtime detection - file explorer"; flow:to_client,established; flowbits:isset,CookieMonster_FileExplorer; content:"ls|01|.|01|..|01|"; depth:8; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6174; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR cookie monster 0.24 runtime detection"; flow:to_server,established; content:"ls|0D 0A|"; depth:4; flowbits:set,CookieMonster_FileExplorer; flowbits:noalert; classtype:trojan-activity; sid:6173; rev:6;)
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cookie monster 0.24 runtime detection - get version info"; flow:to_client,established; flowbits:isset,CookieMonster_GetVersionInfo; content:"Cookie"; content:"Monster"; distance:0; content:"server"; distance:0; content:"engine"; distance:0; pcre:"/Cookie\s+Monster\s+server\s+engine/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6172; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR cookie monster 0.24 runtime detection"; flow:to_server,established; content:"ver|0D 0A|"; depth:5; flowbits:set,CookieMonster_GetVersionInfo; flowbits:noalert; classtype:trojan-activity; sid:6171; rev:4;)
# alert tcp $HOME_NET 2600 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR digital rootbeer runtime detection"; flow:to_client,established; flowbits:isset,backdoor.digital.rootbeer.conn; content:"/NFO,Registered"; depth:15; nocase; content:"Owner|3A|"; distance:0; nocase; content:"|0D 0A|Current"; distance:0; nocase; content:" user|3A|"; distance:0; nocase; pcre:"/^\x2FNFO\x2CRegistered\s+Owner\x3A\s+[^\r\n]*\x0D\x0ACurrent\s+user\x3A\s+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1641; classtype:trojan-activity; sid:6170; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2600 (msg:"MALWARE-BACKDOOR digital rootbeer runtime detection"; flow:to_server,established; content:"iiiiiiinfo"; depth:10; nocase; flowbits:set,backdoor.digital.rootbeer.conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1641; classtype:trojan-activity; sid:6169; rev:4;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR unicorn runtime detection - set wallpaper server-to-client"; flow:to_client,established; flowbits:isset,Unicore_SetWallpaper; content:"Wallpaper Changed"; nocase; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6168; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR unicorn runtime detection - set wallpaper client-to-server"; flow:to_server,established; content:"WALLPAPER "; depth:10; nocase; flowbits:set,Unicore_SetWallpaper; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6167; rev:6;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR unicorn runtime detection - initial connection"; flow:to_client,established; content:"Connected to"; depth:12; nocase; pcre:"/^Connected\s+to\s+[^\r\n]*\x28\d+\.\d+\.\d+\.\d+\x29/smi"; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6166; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR psyrat 1.0 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.psyrat.runtime.detection; content:"PsyRAT_10A"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/p/psyrat/Psyrat1.0.html; classtype:trojan-activity; sid:6165; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR psyrat 1.0 runtime detection"; flow:to_client,established; content:"GOODPWD"; depth:7; nocase; flowbits:set,backdoor.psyrat.runtime.detection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/p/psyrat/Psyrat1.0.html; classtype:trojan-activity; sid:6164; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR furax 1.0 b2 runtime detection"; flow:to_client,established; content:"|03 00 1C 00 00 00 00 00 01|Furax "; depth:15; nocase; content:"Server|00|"; distance:0; pcre:"/^\x03\x00\x1c\x00\x00\x00\x00\x00\x01Furax\s+\d+\.\d+\w+\s+Server\x00/smi"; reference:url,www.megasecurity.org/trojans/f/furax/Furax1.0b2.html; classtype:trojan-activity; sid:6161; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"MALWARE-BACKDOOR delirium of disorder runtime detection - stop keylogger"; flow:to_server,established; content:"stopklog"; depth:8; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/d/deleriumofdisorder/Deleriumofdisorder.html; classtype:trojan-activity; sid:6160; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"MALWARE-BACKDOOR delirium of disorder runtime detection - enable keylogger"; flow:to_server,established; content:"enableklog"; depth:10; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/d/deleriumofdisorder/Deleriumofdisorder.html; classtype:trojan-activity; sid:6159; rev:6;)
# alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dirtxt runtime detection - view server-to-client"; flow:to_client; flowbits:isset,Dirtxt_View; content:"view"; depth:4; nocase; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6157; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4950 (msg:"MALWARE-BACKDOOR dirtxt runtime detection - view client-to-server"; flow:to_server; content:"view"; depth:4; nocase; flowbits:set,Dirtxt_View; flowbits:noalert; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6156; rev:7;)
# alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dirtxt runtime detection - info server-to-client"; flow:to_client; flowbits:isset,Dirtxt_Info; content:"info"; depth:4; nocase; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6155; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4950 (msg:"MALWARE-BACKDOOR dirtxt runtime detection - info client-to-server"; flow:to_server; content:"info"; depth:4; nocase; flowbits:set,Dirtxt_Info; flowbits:noalert; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6154; rev:7;)
# alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dirtxt runtime detection - chdir server-to-client"; flow:to_client; flowbits:isset,Dirtxt_Chdir; content:"chdir "; depth:6; nocase; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6153; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4950 (msg:"MALWARE-BACKDOOR dirtxt runtime detection - chdir client-to-server"; flow:to_server; content:"chdir "; depth:6; nocase; flowbits:set,Dirtxt_Chdir; flowbits:noalert; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6152; rev:7;)
# alert tcp $HOME_NET 33812 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR back attack v1.4 runtime detection"; flow:to_client,established; content:" You"; depth:4; nocase; content:"are"; distance:0; nocase; content:"now"; distance:0; nocase; content:"connected"; distance:0; nocase; content:"to"; distance:0; nocase; content:"an"; distance:0; nocase; content:"BackAtTaCk"; distance:0; nocase; content:"server"; distance:0; nocase; pcre:"/You\s+are\s+now\s+connected\s+to\s+an\s+BackAtTaCk\s+server/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074438; classtype:trojan-activity; sid:6151; rev:6;)
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netcontrol v1.0.8 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.netcontro.1.0.8.conn; content:"con1.08"; depth:7; nocase; reference:url,www.system-help.com/spyware/netcontrol/; classtype:trojan-activity; sid:6150; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR netcontrol v1.0.8 runtime detection"; flow:to_server,established; content:"con"; depth:3; nocase; flowbits:set,backdoor.netcontro.1.0.8.conn; flowbits:noalert; reference:url,www.system-help.com/spyware/netcontrol/; classtype:trojan-activity; sid:6149; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mantis runtime detection - go to address server-to-client"; flow:to_client,established; flowbits:isset,Mantis_GotoAdress; content:"adressgoneto"; depth:12; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6148; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR mantis runtime detection - go to address client-to-server"; flow:to_server,established; content:"gotoadres"; depth:9; nocase; flowbits:set,Mantis_GotoAdress; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6147; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR mantis runtime detection - sent notify option client-to-server 2"; flow:to_server,established; flowbits:isset,Mantis_Notify2; content:"notifsubject"; depth:12; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6146; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mantis runtime detection - sent notify option server-to-client"; flow:to_client,established; flowbits:isset,Mantis_Notify1; content:"sendsubject"; depth:11; nocase; flowbits:set,Mantis_Notify2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6145; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR mantis runtime detection - sent notify option client-to-server 1"; flow:to_server,established; content:"notifuin"; depth:8; nocase; flowbits:set,Mantis_Notify1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6144; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"MALWARE-BACKDOOR dark connection inside v1.2 runtime detection"; flow:to_server,established; content:"DCIClient12|0A|"; depth:12; nocase; reference:url,attack.mitre.org/techniques/T1065; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075571; classtype:trojan-activity; sid:6143; rev:6;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hellzaddiction v1.0e runtime detection - ftp open"; flow:to_client,established; content:"220 HellzAddiction FTP server."; depth:30; nocase; metadata:service ftp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6142; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hellzaddiction v1.0e runtime detection - init conn"; flow:to_client,established; content:"R_Server"; depth:8; fast_pattern; nocase; content:"version|3A|"; distance:0; nocase; pcre:"/^R_Server\s+version\x3A\d+\x2E\d+[^\r\n]*R\d+\x2E\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6141; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"MALWARE-BACKDOOR clindestine 1.0 runtime detection - get system directory"; flow:to_server,established; content:"system"; depth:6; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6139; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"MALWARE-BACKDOOR clindestine 1.0 runtime detection - get computer info"; flow:to_server,established; content:"info"; depth:4; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6138; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"MALWARE-BACKDOOR clindestine 1.0 runtime detection - capture small screen"; flow:to_server,established; content:"small"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6137; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"MALWARE-BACKDOOR clindestine 1.0 runtime detection - capture big screen"; flow:to_server,established; content:">>Send Capture"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6136; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection - delete file"; flow:to_server,established; content:"delete|5C|"; depth:7; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6134; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection - send messages"; flow:to_server,established; content:"sndmsg|5C|"; depth:7; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6133; rev:5;)
# alert tcp $HOME_NET 13473 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection - get user name"; flow:to_client,established; flowbits:isset,Chupacabra_GetUserName; content:"Current"; nocase; content:"User"; distance:0; nocase; content:"Logged"; distance:0; nocase; pcre:"/^Current\s+User\s+Logged\s+on\x3A/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6132; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection"; flow:to_server,established; content:"getname"; depth:7; flowbits:set,Chupacabra_GetUserName; flowbits:noalert; classtype:trojan-activity; sid:6131; rev:4;)
# alert tcp $HOME_NET 13473 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection - get computer name"; flow:to_client,established; flowbits:isset,Chupacabra_GetComputerName; content:"Owner|3A|"; depth:6; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6130; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection"; flow:to_server,established; content:"getowner"; depth:8; flowbits:set,Chupacabra_GetComputerName; flowbits:noalert; classtype:trojan-activity; sid:6129; rev:4;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dkangel runtime detection - icmp echo reply client-to-server"; itype:0; content:"This is made by yyt_hac!"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6128; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MALWARE-BACKDOOR dkangel runtime detection - udp client-to-server"; flow:to_server; content:"This is made by yyt_hac!"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6127; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR dkangel runtime detection - smtp"; flow:to_server,established; flowbits:isset,DKangel_Email; content:"yyt_hac"; nocase; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6126; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR dkangel runtime detection - smtp"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"|BA DA B0 B5 CC EC CA B9| 2.41 "; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*2\x2E41/smi"; flowbits:set,DKangel_Email; flowbits:noalert; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6125; rev:6;)
# alert udp $HOME_NET 10666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR ambush 1.0 runtime detection - ping server-to-client"; flow:to_client; flowbits:isset,Ambush_Ping; content:"=======>> AMBUSH v"; depth:18; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=238; classtype:trojan-activity; sid:6124; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10666 (msg:"MALWARE-BACKDOOR ambush 1.0 runtime detection - ping client-to-server"; flow:to_server; content:"10"; depth:2; nocase; flowbits:set,Ambush_Ping; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=238; classtype:trojan-activity; sid:6123; rev:7;)
# alert tcp $EXTERNAL_NET 20001 -> $HOME_NET any (msg:"MALWARE-BACKDOOR millenium v1.0 runtime detection"; flow:to_client,established; content:"Millenium 1.0"; fast_pattern:only; dsize:13; reference:url,virustotal.com/en/file/75d1e57605ab02111590b5176aacaf3162910a34853df739fdc3be2ba21d392d/analysis/; classtype:trojan-activity; sid:6122; rev:6;)
# alert tcp $HOME_NET 1023 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net runner runtime detection - download file server-to-client"; flow:to_client,established; flowbits:isset,NetRunner_Download_File; content:"|08|New File File"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6121; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"MALWARE-BACKDOOR net runner runtime detection - download file client-to-server"; flow:to_server,established; content:"|0D|Download File"; depth:14; nocase; flowbits:set,NetRunner_Download_File; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6120; rev:6;)
# alert tcp $HOME_NET 1023 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net runner runtime detection - initial connection server-to-client"; flow:to_client,established; flowbits:isset,NetRunner_Init_Connection; content:"|0F|New Resoltutione"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6119; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"MALWARE-BACKDOOR net runner runtime detection - initial connection client-to-server"; flow:to_server,established; content:"|0E|Get Resolution"; depth:15; nocase; flowbits:set,NetRunner_Init_Connection; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6118; rev:6;)
# alert tcp $HOME_NET 50766 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fore v1.0 beta runtime detection - init conn"; flow:to_client,established; flowbits:isset,back.fore.v1.0.conn.1; content:"access ok "; depth:10; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086922; classtype:trojan-activity; sid:6117; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 50766 (msg:"MALWARE-BACKDOOR fore v1.0 beta runtime detection - init conn"; flow:to_server,established; content:"access flatboost6302"; depth:20; nocase; flowbits:set,back.fore.v1.0.conn.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086922; classtype:trojan-activity; sid:6116; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR optix 1.32 runtime detection - email notification"; flow:to_server,established; content:"!!!Optix"; nocase; content:"Pro"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"Online!!!"; distance:0; nocase; pcre:"/^\x21{3}Optix\s+Pro\s+v\d+\x2E\d+\s+Server\s+Online\x21{3}/smi"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6114; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix 1.32 runtime detection - init conn"; flow:to_client,established; flowbits:isset,back.optix.1.32.conn.2; content:"001|AC|Optix"; depth:9; nocase; content:"Pro"; distance:0; nocase; content:"Connected"; distance:0; nocase; content:"Successfully!"; distance:0; nocase; pcre:"/^001\xACOptix\s+Pro\s+v\d+\x2E\d+\s+Connected\s+Successfully\x21/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6113; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR optix 1.32 runtime detection - init conn"; flow:to_server,established; flowbits:isset,back.optix.1.32.conn.1; content:"022|AC|"; depth:4; nocase; flowbits:set,back.optix.1.32.conn.2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6112; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix 1.32 runtime detection - init conn"; flow:to_client,established; content:" |0D 0A|"; depth:3; nocase; flowbits:set,back.optix.1.32.conn.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6111; rev:6;)
# alert tcp $HOME_NET 9999 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR forced entry v1.1 beta runtime detection"; flow:to_client,established; content:"ForCed"; depth:6; nocase; content:"EnTrY"; distance:0; nocase; content:"|0D 0A 0D 0A 0D 0A|Connection"; distance:0; nocase; content:" Stable"; distance:0; nocase; pcre:"/^ForCed\s+EnTrY\s+\d+\x2E\d+\x2E\d+\x0D\x0A\x0D\x0A\x0D\x0AConnection\s+Stable/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=2160; classtype:trojan-activity; sid:6110; rev:6;)
# alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dagger v1.1.40 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.dagger.1.1.40.conn; content:"|07 00 00 00 03 00 00 00|Yes"; depth:11; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1641; classtype:trojan-activity; sid:6109; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2589 (msg:"MALWARE-BACKDOOR dagger v1.1.40 runtime detection"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:15; nocase; flowbits:set,backdoor.dagger.1.1.40.conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1477; classtype:trojan-activity; sid:6108; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR backage 3.1 runtime detection"; flow:to_server,established; content:"ExecuteUnloadAll"; depth:16; nocase; reference:url,www.spywareguide.com/product_show.php?id=1186; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=698; classtype:trojan-activity; sid:6107; rev:6;)
# alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection - download file"; flow:to_client; flowbits:isset,Alvgus_DownloadFile; content:"tfTransferring"; depth:14; nocase; content:"file"; distance:0; nocase; content:"from"; distance:0; nocase; pcre:"/^tfTransferring\s+file\s+from\x3A/smi"; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6106; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"tf"; depth:2; nocase; flowbits:set,Alvgus_DownloadFile; flowbits:noalert; classtype:trojan-activity; sid:6105; rev:5;)
# alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection - upload file"; flow:to_client; flowbits:isset,Alvgus_UploadFile; content:"ttTransferring"; depth:14; nocase; content:"file"; distance:0; nocase; content:"to"; distance:0; nocase; pcre:"/^ttTransferring\s+file\s+to\x3A/smi"; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6104; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"tt"; depth:2; nocase; flowbits:set,Alvgus_UploadFile; flowbits:noalert; classtype:trojan-activity; sid:6103; rev:5;)
# alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection - execute command"; flow:to_client; flowbits:isset,Alvgus_ExecuteCommand; content:"feExecuting"; depth:11; nocase; content:"program"; distance:0; nocase; pcre:"/^feExecuting\s+program\x3A/smi"; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6102; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"fe"; depth:2; nocase; flowbits:set,Alvgus_ExecuteCommand; flowbits:noalert; classtype:trojan-activity; sid:6101; rev:5;)
# alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection - view content of directory"; flow:to_client; flowbits:isset,Alvgus_ViewDirectory; content:"diGetting"; depth:9; nocase; content:"content"; distance:0; nocase; content:"directory"; distance:0; nocase; pcre:"/^diGetting\s+content\s+of\s+directory\x3A/smi"; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6100; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"di"; depth:2; nocase; flowbits:set,Alvgus_ViewDirectory; flowbits:noalert; classtype:trojan-activity; sid:6099; rev:5;)
# alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection - check server"; flow:to_client; flowbits:isset,Alvgus_CheckServer; content:"stAlvgus"; depth:8; nocase; content:"Trojan"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"2000"; distance:0; nocase; pcre:"/^stAlvgus\'s\s+Trojan\s+Server\s+2000/smi"; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6098; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"st"; depth:2; nocase; flowbits:set,Alvgus_CheckServer; flowbits:noalert; classtype:trojan-activity; sid:6097; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection - get system info"; flow:to_client,established; flowbits:isset,A_Trojan_GetSysInfo; content:"infsy"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6096; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infsy"; depth:5; flowbits:set,A_Trojan_GetSysInfo; flowbits:noalert; classtype:trojan-activity; sid:6095; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection - get drive info"; flow:to_client,established; flowbits:isset,A_Trojan_GetDriveInfo; content:"infdr"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6094; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infdr"; depth:5; flowbits:set,A_Trojan_GetDriveInfo; flowbits:noalert; classtype:trojan-activity; sid:6093; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection - get harddisk info"; flow:to_client,established; flowbits:isset,A_Trojan_GetHarddiskInfo; content:"infhd"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6092; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infhd"; depth:5; flowbits:set,A_Trojan_GetHarddiskInfo; flowbits:noalert; classtype:trojan-activity; sid:6091; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection - get memory info"; flow:to_client,established; flowbits:isset,A_Trojan_GetMemoryInfo; content:"infme"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6090; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infme"; depth:5; flowbits:set,A_Trojan_GetMemoryInfo; flowbits:noalert; classtype:trojan-activity; sid:6089; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,A_Trojan_InitConnection; content:"conec"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6088; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection"; flow:to_client,established; content:"resp1Conectado"; depth:14; flowbits:set,A_Trojan_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:6087; rev:5;)
# alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR autospy runtime detection - make directory"; flow:to_client,established; flowbits:isset,AutoSpy_MakeDirectory; content:"folder created"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6086; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"MALWARE-BACKDOOR autospy runtime detection - make directory"; flow:to_server,established; content:"mkdir"; depth:5; flowbits:set,AutoSpy_MakeDirectory; flowbits:noalert; classtype:trojan-activity; sid:6085; rev:4;)
# alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR autospy runtime detection - hide taskbar"; flow:to_client,established; flowbits:isset,AutoSpy_HideTaskbar; content:"Taskbar hidden"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6084; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"MALWARE-BACKDOOR autospy runtime detection - hide taskbar"; flow:to_server,established; content:"taskhide"; depth:8; flowbits:set,AutoSpy_HideTaskbar; flowbits:noalert; classtype:trojan-activity; sid:6083; rev:4;)
# alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR autospy runtime detection - show nude pic"; flow:to_client,established; flowbits:isset,AutoSpy_ShowNudePicture; content:"nude Raider pic"; depth:15; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6082; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"MALWARE-BACKDOOR autospy runtime detection - show nude pic"; flow:to_server,established; content:"nraider"; depth:7; flowbits:set,AutoSpy_ShowNudePicture; flowbits:noalert; classtype:trojan-activity; sid:6081; rev:4;)
# alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR autospy runtime detection - show autospy"; flow:to_client,established; flowbits:isset,AutoSpy_ShowAutoSpy; content:"autoSpY shown"; depth:13; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6080; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"MALWARE-BACKDOOR autospy runtime detection - show autospy"; flow:to_server,established; content:"frmauto"; depth:7; flowbits:set,AutoSpy_ShowAutoSpy; flowbits:noalert; classtype:trojan-activity; sid:6079; rev:4;)
# alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR autospy runtime detection - get information"; flow:to_client,established; flowbits:isset,AutoSpy_GetInformation; content:"Product Name"; depth:12; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6078; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"MALWARE-BACKDOOR autospy runtime detection - get information"; flow:to_server,established; content:"info"; depth:4; flowbits:set,AutoSpy_GetInformation; flowbits:noalert; classtype:trojan-activity; sid:6077; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1204 (msg:"MALWARE-BACKDOOR amiboide uploader runtime detection - init connection"; flow:to_server,established; content:"23L'esclave|09|49152|09|65535"; depth:23; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088579; classtype:trojan-activity; sid:6076; rev:5;)
# alert tcp $HOME_NET 7648 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR xhx 1.6 runtime detection - initial connection server-to-client"; flow:to_client,established; flowbits:isset,xhx_cts; content:" ["; depth:2; reference:url,www.megasecurity.org/trojans/x/xhx/Xhx1.60.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084140; classtype:trojan-activity; sid:6075; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7648 (msg:"MALWARE-BACKDOOR xhx 1.6 runtime detection - initial connection client-to-server"; flow:to_server,established; content:"UAIIA"; depth:5; nocase; content:"XHX"; distance:0; nocase; content:"YANER"; distance:0; nocase; pcre:"/^UAIIA\s+XHX\s+YANER/smi"; flowbits:set,xhx_cts; flowbits:noalert; reference:url,www.megasecurity.org/trojans/x/xhx/Xhx1.60.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084140; classtype:trojan-activity; sid:6074; rev:5;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR freak 1.0 runtime detection - initial connection server-to-client"; flow:to_client,established; content:"027FrEaK_ViCTiM"; depth:15; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6073; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-BACKDOOR freak 1.0 runtime detection - irc notification"; flow:to_server,established; content:"NICK"; nocase; content:"FrEaK_ViCTiM"; distance:0; nocase; pcre:"/^NICK\s+FrEaK_ViCTiM\x0D\x0A/smi"; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6070; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optixlite 1.0 runtime detection - connection success server-to-client"; flow:to_client,established; content:"password|3B|1|3B|Optix Lite Server Ready"; nocase; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:6066; rev:9;)
# alert tcp $HOME_NET 21212 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR schwindler 1.82 runtime detection"; flow:to_client,established; flowbits:isset,schwindler; content:"Schwindler"; depth:10 ; nocase; content:"Servidor"; distance:0; nocase; content:"Porta"; distance:0; nocase; pcre:"/Schwindler\s+Servidor\x2E\s+Porta\s+\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5287; classtype:trojan-activity; sid:6064; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21212 (msg:"MALWARE-BACKDOOR schwindler 1.82 runtime detection"; flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,schwindler; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5287; classtype:trojan-activity; sid:6063; rev:4;)
# alert tcp $HOME_NET 831 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,neurotickat.2; content:"One"; nocase; content:"more"; distance:0; nocase; content:"step"; distance:0; nocase; content:"until"; distance:0; nocase; content:"connection."; distance:0; nocase; pcre:"/One\s+more\s+step\s+until\s+connection\x2E/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6062; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 831 (msg:"MALWARE-BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,neurotickat.1; content:"FTPON"; nocase; content:"TIME"; distance:0; nocase; pcre:"/FTPON\d+\s+TIME\d+\s+/smi"; flowbits:set,neurotickat.2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6061; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 831 (msg:"MALWARE-BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:to_server,established; content:"VER "; depth:4; nocase; flowbits:set,neurotickat.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6060; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bifrose 1.1 runtime detection"; flow:to_server,established; flowbits:isset,bifrose.rev_conn.2; content:"|02 00 00 00 90|x"; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6057; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bifrose 1.1 runtime detection"; flow:to_client,established; flowbits:isset,bifrose.rev_conn.1; content:"|02 00 00 00|4x"; flowbits:set,bifrose.rev_conn.2; flowbits:unset,bifrose.rev_conn.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6056; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bifrose 1.1 runtime detection"; flow:to_server,established; content:"|00 00 00 91|I|16 1B|e|1C|"; flowbits:set,bifrose.rev_conn.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6055; rev:7;)
# alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fun factory runtime detection - do script remotely"; flow:to_client,established; flowbits:isset,FunFactory_doscript; content:"100014"; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6054; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"MALWARE-BACKDOOR fun factory runtime detection - do script remotely"; flow:to_server,established; content:"|AE 86 01 00|"; flowbits:set,FunFactory_doscript; flowbits:noalert; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6053; rev:5;)
# alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fun factory runtime detection - set volume"; flow:to_client,established; flowbits:isset,FunFactory_volume; content:"100016"; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6052; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"MALWARE-BACKDOOR fun factory runtime detection - set volume"; flow:to_server,established; content:"|B0 86 01 00 01 00 00 00|0"; flowbits:set,FunFactory_volume; flowbits:noalert; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6051; rev:5;)
# alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fun factory runtime detection - upload"; flow:to_client,established; flowbits:isset,FunFactory_upload; content:"100011"; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6050; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"MALWARE-BACKDOOR fun factory runtime detection - upload"; flow:to_server,established; content:"|AB 86 01 00 12 00 00 00|"; flowbits:set,FunFactory_upload; flowbits:noalert; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6049; rev:5;)
# alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fun factory runtime detection - connect"; flow:to_client,established; flowbits:isset,FunFactory_conn; content:"100013Agentsvr^^Merlin"; nocase; pcre:"/^100013Agentsvr\x5E\x5EMerlin/smi"; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6048; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"MALWARE-BACKDOOR fun factory runtime detection - connect"; flow:to_server,established; content:"|AD 86 01 00 08 00 00 00|"; content:"1^Merlin"; distance:0; nocase; pcre:"/^\xad\x86\x01\x00\x08\x00\x00\x001\x5EMerlin/smi"; flowbits:set,FunFactory_conn; flowbits:noalert; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6047; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,fear_0_2.conn.2; content:"QTAxe1h9e1l9"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6046; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,fear_0_2.conn.1; content:"QTAz"; depth:4; nocase; flowbits:set,fear_0_2.conn.2; flowbits:unset,fear_0_2.conn.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6045; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection"; flow:to_client,established; content:"QTAze1l9"; depth:8; nocase; flowbits:set,fear_0_2.conn.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6044; rev:7;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger"; flow:to_client,established; flowbits:isset,Fade_kl; content:"877110"; depth:6; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292; classtype:trojan-activity; sid:6041; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger"; flow:to_server,established; content:"877110"; depth:6; flowbits:set,Fade_kl; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292; classtype:trojan-activity; sid:6040; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR netbus 1.7 runtime detection - email notification"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"NetBus"; distance:0; nocase; content:"server"; distance:0; nocase; content:"is"; distance:0; nocase; content:"up"; distance:0; nocase; content:"and"; distance:0; nocase; content:"running"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*NetBus\s+server\s+is\s+up\s+and\s+running/smi"; metadata:service smtp; reference:url,www.2-spyware.com/file-backdoor-netbus-12-exe.html; classtype:trojan-activity; sid:6037; rev:6;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR minicommand runtime detection - initial connection server-to-client"; flow:to_client,established; content:"login_ok"; nocase; content:"MiniCommand"; distance:0; nocase; content:"version"; distance:0; nocase; content:"ready"; distance:0; nocase; content:"for"; distance:0; nocase; content:"action"; distance:0; nocase; pcre:"/^login_ok\x5EMiniCommand\s+version\s+\d+\.\d+\.\d+\s+ready\s+for\s+action\x2E/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075932; classtype:trojan-activity; sid:6035; rev:10;)
# alert udp $HOME_NET 18001 -> $EXTERNAL_NET 18000 (msg:"MALWARE-BACKDOOR cyberpaky runtime detection"; content:"H02EXE"; nocase; content:"File"; distance:0; nocase; content:"Name|3A|"; distance:0; nocase; content:"CYBERPAKY"; distance:0; nocase; content:"Operating"; distance:0; nocase; content:"System"; distance:0; nocase; pcre:"/H02EXE\s+File\s+Name\x3A\s+CYBERPAKY\x0D\x0AOperating\s+System/smi"; reference:url,www.2-spyware.com/remove-cyberpaky-trojan.html; reference:url,www.megasecurity.org/trojans/c/cyberpaky/Cyberpaky1.8.html; classtype:trojan-activity; sid:6028; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-BACKDOOR WIN.Trojan.Netshadow runtime detection"; flow:to_server,established; content:"AJust a server"; depth:18; nocase; metadata:impact_flag red; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.netshadow.html; classtype:trojan-activity; sid:6027; rev:5;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dimbus 1.0 runtime detection - get pc info"; flow:to_client,established; content:"DIMBUS"; nocase; content:"Server"; distance:0; nocase; pcre:"/\s{23}DIMBUS\s+Server\s+v\d+\x2E\d+/smi"; reference:url,www.2-spyware.com/remove-dimbus-1-0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060480; classtype:trojan-activity; sid:6026; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR tequila bandita 1.2 runtime detection - reverse connection"; flow:to_server,established; content:"|07|LAN|07|Win"; depth:28; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083232; classtype:trojan-activity; sid:6025; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nuclear rat v6_21 runtime detection"; flow:to_client,established; content:"|C2 C5 CD C4 FD F9 FF 86 E4 9A F8 FF E5 9B 98 E5 FC E1 FD A9 FC C2 C5 99 C0 A9|"; depth:26; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077717; classtype:trojan-activity; sid:6024; rev:6;)
# alert tcp $EXTERNAL_NET 4226 -> $HOME_NET any (msg:"MALWARE-BACKDOOR silent spy 2.10 command response port 4226"; flow:to_client,established; content:"+---|7C|"; content:"|7C|---+"; distance:0; pcre:"/\x2B\x2D{3}\x7C[^\r\n]*\x7C\x2D{3}\x2B/smi"; reference:url,www.spywareguide.com/product_show.php?id=1530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048; classtype:trojan-activity; sid:6022; rev:8;)
# alert tcp $EXTERNAL_NET 4225 -> $HOME_NET any (msg:"MALWARE-BACKDOOR silent spy 2.10 command response port 4225"; flow:to_client,established; content:"+---|7C|"; content:"|7C|---+"; distance:0; pcre:"/\x2B\x2D{3}\x7C[^\r\n]*\x7C\x2D{3}\x2B/smi"; reference:url,www.spywareguide.com/product_show.php?id=1530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048; classtype:trojan-activity; sid:6021; rev:7;)
# alert tcp $HOME_NET 800: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dsk lite 1.0 runtime detection - disconnect"; flow:to_client,established; flowbits:isset,DSK_Lite_1.0_TCP; content:"disconnect"; depth:10; nocase; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6017; rev:7;)
# alert tcp $HOME_NET 800: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dsk lite 1.0 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,DSK_Lite_1.0_TCP; content:"connect|3B|"; depth:8; nocase; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6016; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 800: (msg:"MALWARE-BACKDOOR dsk lite 1.0 runtime detection - initial connection"; flow:to_server,established; content:"verifypass|3B|"; depth:11; nocase; flowbits:set,DSK_Lite_1.0_TCP; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6015; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR coolcat runtime connection detection - tcp 3"; flow:to_client,established; flowbits:isset,CoolCat.2; content:"psswd"; fast_pattern; nocase; content:"password"; distance:0; nocase; pcre:"/^psswd((ok\*\-\*Password\s+OK\r\n)|(error\*\-\*Wrong\s+password\r\n))/smi"; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6014; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"MALWARE-BACKDOOR coolcat runtime connection detection - tcp 2"; flow:to_server,established; flowbits:isset,CoolCat.1; content:"password |22|"; depth:10; nocase; flowbits:set,CoolCat.2; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6013; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR coolcat runtime connection detection - tcp 1"; flow:to_server,established; content:"testforconnection|0D 0A|"; depth:19; nocase; flowbits:set,CoolCat.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6012; rev:7;)
# alert tcp $HOME_NET 17499 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Crazzy Net 5.0 connection established"; flow:to_client,established; content:"Crazzynet"; depth:9; classtype:trojan-activity; sid:3636; rev:6;)
# alert tcp $HOME_NET 23032 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Amanda 2.0 connection established"; flow:to_client,established; content:"Connected To Amanda 2.0"; depth:23; classtype:trojan-activity; sid:3635; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"MALWARE-BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; metadata:ruleset community; classtype:trojan-activity; sid:3155; rev:7;)
# alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.y3krat_15.client.response; content:"client"; depth:7; metadata:ruleset community; classtype:misc-activity; sid:3083; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; flowbits:isset,backdoor.y3krat_15.connect; content:"getclient"; depth:9; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3082; rev:13;)
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect"; flow:to_client,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3081; rev:13;)
# alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Vampire 1.2 connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; metadata:ruleset community; classtype:misc-activity; sid:3064; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"MALWARE-BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3063; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3009; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; metadata:ruleset community; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"MALWARE-BACKDOOR Remote PC Access connection"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; metadata:ruleset community; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response"; flow:to_client,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; metadata:ruleset community; reference:mcafee,10566; reference:nessus,10409; classtype:trojan-activity; sid:2100; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly variant outbound connection attempt"; flow:to_client,established; content:"* Doly trojan v1.5 - Connected."; fast_pattern:only; metadata:impact_flag red, ruleset community, service http; reference:url,virustotal.com/en/file/499446edf3dfd200ebf3df2526cd4d101979e626afcd1860193f71829be23922/; classtype:trojan-activity; sid:1985; rev:8;)
# alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1984; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1983; rev:10;)
# alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1982; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1981; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1980; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"MALWARE-BACKDOOR win-trin00 connection attempt"; flow:to_server; content:"png []..Ks l44"; depth:14; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"MALWARE-BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:11;)
# alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"MALWARE-BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; metadata:ruleset community; classtype:attempted-recon; sid:614; rev:13;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; metadata:ruleset community; classtype:misc-activity; sid:220; rev:10;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:ruleset community; classtype:misc-activity; sid:219; rev:10;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; metadata:ruleset community; classtype:attempted-user; sid:218; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:ruleset community; classtype:attempted-admin; sid:217; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:216; rev:12;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:215; rev:9;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:214; rev:9;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:213; rev:9;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:ruleset community; classtype:attempted-admin; sid:212; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:ruleset community; classtype:attempted-admin; sid:211; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; metadata:ruleset community; classtype:attempted-admin; sid:210; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:ruleset community; classtype:attempted-admin; sid:209; rev:9;)
# alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR PhaseZero Server Active on Network"; flow:established,to_client; content:"phAse zero server"; depth:17; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:12;)
# alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:195; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"MALWARE-BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; metadata:ruleset community; classtype:misc-activity; sid:185; rev:10;)
# alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; metadata:ruleset community; classtype:misc-activity; sid:163; rev:14;)
# alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"MALWARE-BACKDOOR Matrix 2.0 Server access"; flow:to_server; content:"logged in"; metadata:ruleset community; classtype:misc-activity; sid:162; rev:10;)
# alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"MALWARE-BACKDOOR Matrix 2.0 Client connect"; flow:to_server; content:"activate"; metadata:ruleset community; classtype:misc-activity; sid:161; rev:10;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:to_client,established; content:"FTP Port open"; metadata:ruleset community; classtype:misc-activity; sid:158; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:ruleset community; classtype:misc-activity; sid:157; rev:9;)
# alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Connection"; flow:established,to_client; content:"c|3A 5C|"; metadata:ruleset community; classtype:misc-activity; sid:152; rev:11;)
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR GateCrasher"; flow:established,to_client; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; content:"On-Line..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; metadata:ruleset community; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:11;)
# alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetSphere access"; flow:established,to_client; content:"NetSphere"; metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13;)
# alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR HackAttack 1.20 Connect"; flow:established,to_client; content:"host"; metadata:ruleset community; classtype:misc-activity; sid:141; rev:10;)
# alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:121; rev:14;)
# alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly 2.0 access"; flow:established,to_client; content:"Wtzup Use"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:119; rev:11;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Infector.1.x"; flow:established,to_client; content:"WHATISIT"; depth:9; metadata:impact_flag red, ruleset community; reference:nessus,11157; classtype:misc-activity; sid:117; rev:17;)
# alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection established"; flow:to_client,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; metadata:ruleset community; classtype:trojan-activity; sid:115; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"MALWARE-BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:ruleset community; classtype:trojan-activity; sid:110; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"MALWARE-BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; metadata:ruleset community; reference:mcafee,98775; classtype:misc-activity; sid:108; rev:11;)
# alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 58455 (msg:"MALWARE-BACKDOOR Zollard variant outbound connection attempt"; flow:to_server,established; content:".zollard/"; fast_pattern:only; metadata:impact_flag red, ruleset community, service telnet; reference:url,www.deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:28913; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt"; flow:to_server,established; dsize:62; content:"STOR fp_"; depth:8; fast_pattern; content:"|2E|bin|0D 0A|"; within:54; pcre:"/STOR\x20fp(_[A-F0-9]{8}){2}[A-F0-9]{8}_[A-F0-9]{4}(_[A-F0-9]{8}){2}\x2ebin\x0d\x0a/smi"; metadata:impact_flag red, policy security-ips drop, service ftp; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/f09a400bf8abb19d57ecc0c34b7fe989b34b43019770216c46ae05bd54da41a3/analysis/; classtype:trojan-activity; sid:29055; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2533 (msg:"MALWARE-BACKDOOR Win.Trojan.Shatekrat variant initial outbound connection"; flow:to_server,established; content:"|2E|Data|03 00 00 00 04|data|05|image|05|bytes"; fast_pattern:only; content:"|00 00 00|"; content:"102622021F200324"; within:16; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/0c5a5a85ced8c201508d45613330e3909ed99cef90ae15b3695d27928f74407c/analysis/; classtype:trojan-activity; sid:29094; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Dremseko outbound username enumeration"; flow:to_server,established; content:"/dbg.php?e="; depth:11; fast_pattern; http_uri; content:"|5C|"; http_raw_uri; content:"%20"; within:33; http_raw_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/44024e287dd998921c3901aa4320a59c3a7a50a2ba750d7383ed3b010de165e3/analysis/; classtype:trojan-activity; sid:29874; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt"; flow:to_client,established; file_data; content:"|38 3D 3D 3D 3D 3D 3D 3D 3D 3D 44 7E 7E 7E 7E|"; fast_pattern:only; content:"a gift you say?"; nocase; classtype:misc-activity; sid:30000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Hikit outbound banner response"; flow:to_client,established; content:"|5D 00 20 00|h|00|i|00|k|00|i|00|t|00|>|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http, service ssl; reference:url,www.virustotal.com/en/file/aa4b2b448a5e246888304be51ef9a65a11a53bab7899bc1b56e4fc20e1b1fd9f/analysis/; classtype:trojan-activity; sid:30948; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR phpMyAdmin server_sync.php backdoor access attempt"; flow:to_server,established; content:"/phpMyAdmin/server_sync.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,55672; reference:cve,2012-5159; reference:url,phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:trojan-activity; sid:24256; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Andromeda variant outbound connection"; flow:to_server,established; content:"GET|20|"; depth:4; content:"_W"; distance:0; content:"|2E|"; within:1; distance:6; content:"/publickey/"; distance:0; fast_pattern; content:!"Accept|3A|"; distance:0; content:!"Connection|3A|"; distance:0; content:!"Referer|3A|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31559; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Andromeda variant outbound connection"; flow:to_client,established; content:"Server|3A| Stalin"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31558; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR Backdoor.Perl.Shellbot outbound communication attempt"; flow:to_server,established; content:"NICK Rizee|7C|RYN|7C|05|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/519409a4bee3a39e164e9d1b656b8c5d43632039b3023315b48da1578e0f11a6/analysis/; classtype:trojan-activity; sid:31746; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR AlienSpy RAT outbound connection"; flow:to_server,established; flowbits:isset,alienspy.rat; content:"|78 70 00 00|"; depth:4; content:"|1F 8B 08 00 00 00 00 00 00 00|"; within:10; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/d871121a10ca032b03157d38025248545559d2174804ba66165d18358eb98e8e/analysis/; classtype:trojan-activity; sid:32006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR AlienSpy RAT outbound connection"; flow:to_server,established; dsize:17; content:"|75 72 00|"; depth:3; content:"|02 00 00|"; within:3; distance:11; flowbits:set,alienspy.rat; flowbits:noalert; reference:url,www.virustotal.com/en/file/d871121a10ca032b03157d38025248545559d2174804ba66165d18358eb98e8e/analysis/; classtype:trojan-activity; sid:32005; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Blohi variant outbound connection"; flow:to_server,established; content:"/PostView.nhn?blogId=cjddms52&logNo=130104953765&parentCategoryNo=1"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/efdbb6f54eed70a476a35257e1f61c2867fbc42a7605154a2d5b9061edb56cf3/analysis/; classtype:trojan-activity; sid:32055; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 58273 (msg:"MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection"; flow:to_server,established; content:"IAMYOURGOD"; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/382f385fa57ea150393335385dc4e4e68647441914b037b5798a93b013570b53/analysis/; classtype:trojan-activity; sid:32081; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53629 (msg:"MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection"; flow:to_server,established; content:"f|75|ckyO"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/1b28b3256f7de74c1de6a254e3f69c784f8b356a25da024ffee722704056c9bd/analysis/; classtype:trojan-activity; sid:32080; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR PHP IRCBot port bind attempt"; flow:to_server,established; content:"POST"; http_method; content:"port="; depth:5; http_client_body; content:"&bind_pass="; distance:0; content:"&use="; distance:0; content:"&dir="; distance:0; content:"&submit=Bind"; distance:0; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519/analysis/; reference:url,www.virustotal.com/en/file/7bea540bad4f6f9a98d3059e96e6c9f79023f990cc34cb462fcfda43e5b2aa1d/analysis/; classtype:trojan-activity; sid:32249; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR PHP IRCBot file edit attempt"; flow:to_server,established; content:"POST"; http_method; content:"e_name="; depth:7; http_client_body; content:"&cmd=edit_file&dir="; distance:0; fast_pattern; content:"&submit=Edit|2B|file"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519/analysis/; reference:url,www.virustotal.com/en/file/7bea540bad4f6f9a98d3059e96e6c9f79023f990cc34cb462fcfda43e5b2aa1d/analysis/; classtype:trojan-activity; sid:32248; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR PHP IRCBot command execution attempt"; flow:to_server,established; content:"POST"; http_method; content:"cmd="; depth:4; http_client_body; content:"&dir="; distance:0; content:"&submit=Execute"; distance:0; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519/analysis/; reference:url,www.virustotal.com/en/file/7bea540bad4f6f9a98d3059e96e6c9f79023f990cc34cb462fcfda43e5b2aa1d/analysis/; classtype:trojan-activity; sid:32247; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32918; rev:1;)
# alert tcp $EXTERNAL_NET [547,8080,133,117,189,159] -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|7B 08 2A 2A|"; offset:17; content:"|08 2A 2A 01 00|"; distance:0; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32917; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 488 (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt"; flow:to_server,established; content:"|65 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32916; rev:1;)
# alert tcp $EXTERNAL_NET 488 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|65 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32915; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 67 80 F2 24 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32914; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|4C 4C|"; depth:2; offset:16; content:"|75 14 2A 2A|"; within:4; distance:4; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32913; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 488 (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt"; flow:to_server,established; content:"|60 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32912; rev:1;)
# alert tcp $EXTERNAL_NET 488 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|60 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32911; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-BACKDOOR Win.Trojan.lubot download"; flow:to_server,established; file_data; content:"sendraw|28|$IRC_cur_socket, |22|PRIVMSG $printl |3A 03|7-shell"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service smtp; reference:url,www.virustotal.com/en/file/d46d95c0be8b62c195d70a7219e6d6487d9624b21057ff4d9cb107ff9023a808/analysis/; classtype:trojan-activity; sid:33619; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.lubot download"; flow:to_client,established; file_data; content:"sendraw|28|$IRC_cur_socket, |22|PRIVMSG $printl |3A 03|7-shell"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/d46d95c0be8b62c195d70a7219e6d6487d9624b21057ff4d9cb107ff9023a808/analysis/; classtype:trojan-activity; sid:33618; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Speccom variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/word.asp"; http_uri; content:"Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| Trident/6.0)"; fast_pattern:only; http_header; content:"s="; depth:2; http_client_body; content:"&t="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d860f8d272b69c11ec582cd550f4ee66876aeef8f845a284a4a7784696887fa/analysis/; classtype:trojan-activity; sid:33823; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection"; flow:established, to_server; dsize:16; content:"|00 00 00 11 C8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/1D6BCF409C85887861D587C8AABFC8C8393EA692FE93C0A6836BE507A7F75985/analysis/; classtype:trojan-activity; sid:34500; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Bimteni variant initial outbound connection"; flow:to_server,established; content:"|E5 E4 F5|"; depth:3; content:"|F5 99 94 9B F5|"; within:50; content:"|E7 E7 E7 E7 E7 E7 E7 E7 E7 E7|"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/5e40305268587e4735dd6bbe63f1a33a8adc72e9d83ace7566a0aafcfec1982e/analysis/; classtype:trojan-activity; sid:35371; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Nicabown variant outbound connection"; flow:to_server,established; content:"POST /favicon.ico"; fast_pattern:only; content:"|00 55 AA|"; depth:3; http_client_body; content:"|00 C8 00 00|"; depth:4; offset:40; http_client_body; content:"|0A 00 00 00|"; depth:4; offset:172; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c14d6a75ed9145dc8f3f7f2f14e70751aa26f634a54c342a2ae740a6d6fc5fd0/analysis/; classtype:trojan-activity; sid:35384; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection "; flow:to_server,established; content:"Windows PowerShell running as user"; fast_pattern; content:"|0A|Copyright (C) 2015 Microsoft Corporation. All rights reserved.|0A 0A|"; within:150; flowbits:set,backdoor.powershell; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1086; reference:url,virustotal.com/en/file/a3b52cba0783b856f93e593fbaae4fb8bd75b3a6e22426e82f4dbd45bab2bc77/analysis/; classtype:trojan-activity; sid:35770; rev:4;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection "; flow:to_client,established; flowbits:isset,backdoor.powershell; content:"powerfun"; fast_pattern:only; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1086; reference:url,virustotal.com/en/file/a3b52cba0783b856f93e593fbaae4fb8bd75b3a6e22426e82f4dbd45bab2bc77/analysis/; classtype:trojan-activity; sid:35769; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-BACKDOOR Adzok RAT server file download"; flow:to_server,established; file_data; content:"inic$ShutdownHook.classPK"; fast_pattern:only; content:"svd$Mensaje.classPK"; nocase; content:"svd$keyh.classPK"; within:150; nocase; metadata:impact_flag red, service smtp; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37422; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-BACKDOOR Adzok RAT download"; flow:to_server,established; file_data; content:"ManejadorCliente$eventoBotonesKeylogger.classPK"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37421; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR Adzok RAT initial connection"; flow:to_client; content:"|73 72 00 07|"; depth:4; content:"mensaje"; within:20; content:"dato"; within:20; content:"archivo"; within:20; metadata:impact_flag red; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37420; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR Adzok RAT inbound connection"; flow:to_client; flowbits:isset,adzok.rat; content:"|00 00 00|"; depth:3; content:"|70 70 70|"; within:3; distance:1; content:"|00|"; within:1; distance:1; metadata:impact_flag red; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37419; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR Adzok RAT inbound connection"; flow:to_client; dsize:6; content:"|73 71 00 7E 00 00|"; depth:6; flowbits:set,adzok.rat; flowbits:noalert; metadata:impact_flag red; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37418; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Adzok RAT server file download"; flow:to_client,established; file_data; content:"inic$ShutdownHook.classPK"; fast_pattern:only; content:"svd$Mensaje.classPK"; nocase; content:"svd$keyh.classPK"; within:150; nocase; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37417; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Adzok RAT download"; flow:to_client,established; file_data; content:"ManejadorCliente$eventoBotonesKeylogger.classPK"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37416; rev:2;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR ReGeorg socks proxy initial connection attempt"; flow:to_client,established; file_data; content:"Georg says, 'All seems fine'"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b97136e3235c1bc9f2005d3253fbc3af5900f8222740cfd85ef5d449cf4ac251/analysis/; classtype:misc-activity; sid:38329; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR ReGeorg socks proxy connection attempt"; flow:to_server,established; content:"cmd=connect"; http_uri; content:"target="; http_uri; content:"port="; http_uri; content:"X-CMD|3A| CONNECT|0D 0A|"; fast_pattern:only; http_header; content:"X-TARGET|3A| "; http_header; content:"X-PORT|3A| "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b97136e3235c1bc9f2005d3253fbc3af5900f8222740cfd85ef5d449cf4ac251/analysis/; classtype:misc-activity; sid:38328; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR ReGeorg proxy read attempt"; flow:to_server,established; content:"cmd=read"; content:"X-CMD|3A| READ|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b97136e3235c1bc9f2005d3253fbc3af5900f8222740cfd85ef5d449cf4ac251/analysis/; classtype:misc-activity; sid:38327; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/zecmd/zecmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38719; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/x/pwn.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38718; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/tunnel/tunnel.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38717; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/ssvcss/index.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38716; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/shellinvoker/shellinvoker.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38715; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/shel/shel.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38714; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/sh3ll/sh3ll.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38713; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/oss/smd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38712; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/momo/no.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38711; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/mgr/lnx.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38710; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/mela/mela.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38709; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jspshell/index.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38708; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jdev3/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38707; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jdev2/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38706; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jdev/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38705; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbot/jbot.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38704; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbossos/jbossos.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38703; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbossdox/jbossdox.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38702; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbossdoc/jbossdoc.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38701; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbossass/jbossass.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38700; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbossass/index.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38699; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/javadev/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38698; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/is/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38697; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/genesis/genesis.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38696; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/esc/esc/ss.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38695; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/egdus/smd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38694; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/egd/smd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38693; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/eg/smd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38692; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/e/shell.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38691; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/e/e.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38690; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/com/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38689; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/cmd1/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38688; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/cmd/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38687; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/bynazi/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38686; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/browser/shell.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38685; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/browser/browser/Browser.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38684; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/a/pwn.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38683; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jexws3/jexws3.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39059; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:".jsp?ppp="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39058; rev:1;)
# alert tcp $EXTERNAL_NET 1099 -> $HOME_NET any (msg:"MALWARE-BACKDOOR HVL Rat inbound command"; flow:to_client,established; content:"|1B 5B 32 4A 1B 5B 34 30 6D 1B 5B|37mHVL RAT Trojan "; fast_pattern:only; metadata:impact_flag red; reference:url,megasecurity.org/trojans/h/hvl_rat/Hvl_rat5.3.0.html; classtype:trojan-activity; sid:43806; rev:1;)
# alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection"; flow:to_client,established; content:"OK|00|00000096|00|"; fast_pattern:only; metadata:impact_flag red; reference:url,virustotal.com/en/file/f946e2faf21d7b2efc461e6a96135c1aa2c465485362f461177bca699366cc1f/analysis/; classtype:trojan-activity; sid:43943; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-BACKDOOR CobaltStrike inbound beacon download"; flow:to_server; file_data; content:"powershell -nop -exec bypass -EncodedCommand |22|%s|22|"; fast_pattern:only; content:"char c = (i & 0xFF)|3B|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1086; reference:url,colbaltstrike.com; classtype:trojan-activity; sid:45905; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR CobaltStrike inbound beacon download"; flow:to_client; file_data; content:"powershell -nop -exec bypass -EncodedCommand |22|%s|22|"; fast_pattern:only; content:"char c = (i & 0xFF)|3B|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; reference:url,colbaltstrike.com; classtype:trojan-activity; sid:45904; rev:2;)
alert tcp any any -> any any (msg:"MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt"; flow:established,to_server; content:"j0DtFt1LTvbIU|00|"; depth:14; isdataat:!0,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/#/file/e9fc1441bb88dd8cc7fcc2e176e53084ccd28f8766a017b3a07474b7e6b72ab9/detection; classtype:trojan-activity; sid:45975; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor file management attempt"; flow:to_server,established; content:"FolderPath="; fast_pattern:only; content:"FolderPath="; nocase; content:"Action="; nocase; content:"Filename="; nocase; content:".jsp"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46291; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:".jsp?Action="; fast_pattern:only; content:".jsp?Action="; nocase; pcre:"/(&)?Action=(M|F|S|L|D|E|R|K|N|P|d|r|Z|U|n|A|I|s|H|i|T)(&)?/"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46290; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-BACKDOOR JSP webshell transfer attempt"; flow:to_server,established; file_data; content:"request.getParameter(|22|LName|22|).equals(username)"; fast_pattern:only; content:".jsp"; nocase; metadata:impact_flag red, policy security-ips drop, service smtp; classtype:trojan-activity; sid:46289; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR JSP webshell transfer attempt"; flow:to_client,established; file_data; content:"request.getParameter(|22|LName|22|).equals(username)"; fast_pattern:only; content:".jsp"; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:46288; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP Web shell access attempt"; flow:to_server,established; content:".jsp"; http_uri; content:"o=login&pw"; fast_pattern:only; http_client_body; content:"&o=login"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,virustotal.com/#/file/17018c4a69f1c99ba547b76ae7844c58016c3fb5886220c383b00d01863f1f1d; classtype:trojan-activity; sid:46369; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP Web shell upload attempt"; flow:to_server,established; content:"savePath = request.getParameter|28 22|savepath"; fast_pattern:only; content:"downFileUrl = request.getParameter|28 22|url"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,virustotal.com/#/file/17018c4a69f1c99ba547b76ae7844c58016c3fb5886220c383b00d01863f1f1d; classtype:trojan-activity; sid:46368; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Rebhip variant runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"x_X_BLOCKMOUSE"; fast_pattern:only; content:"PASS"; content:"UPDAT"; reference:url,www.virustotal.com/#/file/15f8396754898348d0df09c85a304e2359c9102e87e7fed270e10b3814a82a7d/detection; classtype:trojan-activity; sid:48146; rev:1;)



@@ -0,0 +1,816 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# MALWARE-OTHER RULES
#---------------------
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER known malicious email string - You have received a Hallmark E-Card"; flow:to_server,established; content:"Subject|3A| You have received a Hallmark E-Card!"; nocase; content:!"href=|22|http|3A|//www.hallmark.com/"; distance:0; metadata:service smtp; reference:url,www.virustotal.com/#/file/925a4a25cfa562a0330c8733cc697021/detection; reference:url,www.virustotal.com/en/file/bd1cfd7b15f70d131d8f3f013a4e6afb0807791b898d96d3cc2b57de576acf1f/analysis/; classtype:misc-activity; sid:19595; rev:9;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP login banner - 0wns j0"; flow:established,to_client; content:"220|20|"; depth:4; content:"0wns j0"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html; classtype:trojan-activity; sid:21255; rev:5;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting"; flow:established,to_client; content:"221 Goodbye happy r00ting"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html; classtype:trojan-activity; sid:21256; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER connection to malware sinkhole"; flow:to_client,established; content:"malware-sinkhole|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:25018; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER connection to malware sinkhole"; flow:to_client,established; content:"X-Sinkhole|3A| Malware"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:30320; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER VBScript potential executable write attempt"; flow:to_client,established; file_data; content:"VBScript"; nocase; content:"4D5A"; content:"50450000"; distance:0; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ecfb852662d8127673332939f8b062645797e91bce6acae0615e24334a3df2ad/analysis/; classtype:trojan-activity; sid:28054; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-OTHER DirtJumper denial of service attack traffic"; flow:to_server,established; content:"login="; nocase; http_client_body; content:"&passwrd="; within:9; distance:2121; nocase; http_client_body; content:"&vb_login_md5password="; within:22; distance:235; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:attempted-dos; sid:27115; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; content:"/?q="; http_uri; content:"##1"; fast_pattern:only; http_uri; pcre:"/^\/\?q=[^&]*##1$/U"; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:misc-activity; sid:26934; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; urilen:8; content:"/?id=##1"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:misc-activity; sid:26933; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Win.Trojan.Kazy download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"CLSID = s '{D4D8E7EF-EB95-405E-A9F2-886DBB4168F4}'"; fast_pattern:only; content:"ForceRemove {D4D8E7EF-EB95-405E-A9F2-886DBB4168F4} = s 'Norm Class'"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26921; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTML.Dropper.Agent uri scheme detected"; flow:to_server,established; content:"/recurrence=always"; fast_pattern:only; http_uri; content:"adid="; nocase; http_uri; content:"loadfirst="; nocase; http_uri; content:"event_type="; nocase; http_uri; content:"signature="; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/105646b598cc60695243b89a49ba24814f83a93545e380be235573a0b95abd83/analysis/; classtype:trojan-activity; sid:26881; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS data exfiltration attempt"; flow:to_server; content:"|00 00 00|"; offset:2; content:"|01|"; within:1; content:"|3A|"; within:1; distance:6; content:"|2D 2D 2D|"; within:3; distance:30; fast_pattern; content:"|3A|"; within:1; distance:25; content:"|01|"; within:1; distance:58; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,attack.mitre.org/techniques/T1020; classtype:policy-violation; sid:26803; rev:5;)
# alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER WIN.Worm.Beagle.AZ SMTP propagation detection"; flow:to_server,established; flowbits:isset,file.exe; content:"yuuvelntbgfkbkjhhkgjgvkvkggtkbbjbg"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-012714-0030-99&tabid=2; reference:url,www.virustotal.com/en/file/bd820efb2a5befb776bde2e47a7fb5ad98d191b04438a4c0b11289bd5d8abb50/analysis/; classtype:trojan-activity; sid:26802; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.ZertSecurity encrypted information leak"; flow:to_server,established; content:"/sms/d_m009.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.lookout.com/blog/2013/05/06/zertsecurity; classtype:trojan-activity; sid:26796; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Kazy download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"CLSID = s '{D4D8E7EF-EB95-405E-A9F2-886DBB4168F4}'"; fast_pattern:only; content:"ForceRemove {D4D8E7EF-EB95-405E-A9F2-886DBB4168F4} = s 'Norm Class'"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26778; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--ded509-->"; content:"<!--/ded509-->"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:26698; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.KitM file download"; flow:to_server,established; flowbits:isset,file.universalbinary; file_data; content:"N37CXSRXLD"; fast_pattern:only; content:"Developer ID Application: Rajinder Kumar"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26671; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.KitM file download"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"N37CXSRXLD"; fast_pattern:only; content:"Developer ID Application: Rajinder Kumar"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26670; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake delivery information phishing attack"; flow:to_client,established; content:"|3B| filename="; http_header; content:"Delivery_Information_ID-"; fast_pattern:only; http_header; file_data; content:"Delivery_Information_ID-"; content:".exe"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:26660; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Unix.Backdoor.Cdorked download attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"Jan 13 2013 10:57:10"; fast_pattern:only; content:"Cpanel::Easy::Apache"; content:"1.4.6|00|Architecture:"; within:19; distance:151; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26532; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Backdoor.Cdorked download attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"Jan 13 2013 10:57:10"; fast_pattern:only; content:"Cpanel::Easy::Apache"; content:"1.4.6|00|Architecture:"; within:19; distance:151; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26531; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot Desktop.ini snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; content:"|5C|"; within:1; content:"|00 44 00 65 00 73 00 6B 00 74 00 6F 00 70 00 2E 00 69 00 6E 00 69 00|"; distance:0; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26413; rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot executable snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; fast_pattern:only; content:".exe"; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26412; rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot folder snkb0ptz creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; fast_pattern:only; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26411; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26382; rev:3;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service ftp-data, service imap, service pop3; classtype:trojan-activity; sid:26381; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_server,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service smtp; classtype:trojan-activity; sid:26380; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Double HTTP Server declared"; flow:to_client,established; content:"Server|3A| Apache"; http_header; content:"Server|3A|nginx"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26369; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"Postal-Receipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*eb167039d64daa68c565052678c517a4*/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:26093; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER WIN.Trojan.Nap Malicious executable file download from webroot"; flow:to_server,established; content:"/newbos2.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; classtype:bad-unknown; sid:25782; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=BookingDetails.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"BookingDetails.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=BookingInfo.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"BookingInfo.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"PostalReceipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; content:".php?php=receipt"; fast_pattern:only; http_uri; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PHP.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"lama|27|s|27|hell"; fast_pattern:only; content:"execute"; nocase; content:"htmlspecialchars"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25097; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PHP.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"post|5B 27|tac|27 5D|"; fast_pattern:only; content:"login"; nocase; content:"admin"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25096; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"AnakDompu"; fast_pattern:only; content:"Convertbytes"; nocase; content:"explode"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/3730e3c259cb4f727f7a803c23716ceacd640dab102ec61c3bda3974a4ef0175/analysis/; classtype:trojan-activity; sid:25095; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PERL.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"Mass Defacement"; fast_pattern:only; content:"d:f:n"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25094; rev:3;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool variant outbound connection"; flow:to_client,established; file_data; content:"cmd|3A 5B 2D|bindconnverb"; fast_pattern:only; content:"bindconnverb command received"; nocase; content:"verb |5B 2D|tran|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25092; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"wvs.exe|2C|iexplore.exe"; fast_pattern:only; content:"Can|27|t Load"; nocase; content:"Error Code: |5B 25|d|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:25091; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"wvs.exe|2C|iexplore.exe"; fast_pattern:only; content:"Can|27|t Load"; nocase; content:"Error Code: |5B 25|d|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:25090; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Start Transmit"; fast_pattern:only; content:"One recv|5B 25|d|5D|"; nocase; content:"sockconsole.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/89acf767780e0d427b58310eb2776179cb963016b908e197c41a7504c6663d8c/analysis/; classtype:trojan-activity; sid:25089; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Start Transmit"; fast_pattern:only; content:"One recv|5B 25|d|5D|"; nocase; content:"sockconsole.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/89acf767780e0d427b58310eb2776179cb963016b908e197c41a7504c6663d8c/analysis/; classtype:trojan-activity; sid:25088; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"transmit produce over"; fast_pattern:only; content:"Two send|5B 25|d|5D|"; nocase; content:"transerver.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/09c0ab18b970a5f0dd35a591aeb8073a7fa1c6b6aac829a04ea66784e99b127f/analysis/; classtype:trojan-activity; sid:25087; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"transmit produce over"; fast_pattern:only; content:"Two send|5B 25|d|5D|"; nocase; content:"transerver.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/09c0ab18b970a5f0dd35a591aeb8073a7fa1c6b6aac829a04ea66784e99b127f/analysis/; classtype:trojan-activity; sid:25086; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"I got back a null buffer !"; fast_pattern:only; content:"Coded by fzk"; nocase; content:"|40 00|smb.txt"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:25085; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"I got back a null buffer !"; fast_pattern:only; content:"Coded by fzk"; nocase; content:"|40 00|smb.txt"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:25084; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"!!!!=>iNF-"; fast_pattern:only; content:"|0D 0A|Priority: urgent|0D 0A|"; content:"|0D 0A|X-Priority: 1|0D 0A|"; pcre:"/[A-F0-9]{2}\-[A-F0-9]{2}\-[A-F0-9]{2}\-[A-F0-9]{2}\-[A-F0-9]{2}\-[A-F0-9]{2}|0D 0A|/"; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/CDAD6C1C11C130F193FBB76D09073DE40A27DC142D42AE30FF3430C991BE9831/analysis/; classtype:trojan-activity; sid:25031; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Narilam variant inbound attachemtn"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|27|##Maliran_PROG_COUNT|27| |00|Yes|00|No|00|Disactive"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/cf3c015d828784c7dffcba80619dba4cba970680ea5aa9f42f7356e79643a749/analysis/; classtype:trojan-activity; sid:25002; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Narilam variant outbound connection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|27|##Maliran_PROG_COUNT|27| |00|Yes|00|No|00|Disactive"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/cf3c015d828784c7dffcba80619dba4cba970680ea5aa9f42f7356e79643a749/analysis/; classtype:trojan-activity; sid:25001; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"MALWARE-OTHER itsoknoproblembro v2 UDP flood attempt"; flow:to_server; content:"|00 17 01 00 00 01 00 00 00 00 00 00 03 77 77 77|"; fast_pattern:only; content:"|00 00 01 00 01 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E|"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file/87cbb24e5f6de2a788955572005b0577462a1ae570bfcf31dd99c7d5e0a0d373/analysis/1355347894/; classtype:attempted-dos; sid:24988; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"ngatur"; fast_pattern:only; content:"filenyo"; content:"ls -la"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/1e737d034848cc7cdec9940e09fd952c9357d24d25e430027649be91867e770e/analysis/; classtype:trojan-activity; sid:24900; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*c3284d*/"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:misc-activity; sid:24899; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*qhk6sa6g1c*/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,stopmalvertising.com/tag/km0ae9gr6m/; classtype:misc-activity; sid:24884; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*km0ae9gr6m*/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,stopmalvertising.com/tag/km0ae9gr6m/; classtype:misc-activity; sid:24883; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.Imuler suspicious download"; flow:to_server,established; flowbits:isset,file.universalbinary; file_data; content:"/tmp/launch-ICS000"; fast_pattern:only; content:".confr"; nocase; content:"rm -rf"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24800; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Imuler suspicious download"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"/tmp/launch-ICS000"; fast_pattern:only; content:".confr"; nocase; content:"rm -rf"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24799; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"wieeeee"; fast_pattern:only; content:"md5 cracker"; nocase; content:"die()"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/eb8c799f47fad06026e5e454e3dc56902055c9c6c55f5f1ded4f88f53ac9076c/analysis/1350929362/; classtype:trojan-activity; sid:24727; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"<?php"; content:"closelog("; within:100; nocase; content:"getcwd("; within:250; nocase; content:"|3B| rm -rf /tmp/"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:24648; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Error in cmdline|21|"; fast_pattern:only; content:"InjectDllAndCallFunction"; nocase; content:"lsass.exe"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:24622; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Error in cmdline|21|"; fast_pattern:only; content:"InjectDllAndCallFunction"; nocase; content:"lsass.exe"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:24621; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5B|SERVER|5D|connection to |25|s|3A 25|d error"; fast_pattern:only; content:"ntimfos|2E|eng"; nocase; content:"wsastartup"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/c770b96d25c4f0102b3d0a728f75d683779308dca2283a0ebae69ac1e2672a52/analysis/; classtype:trojan-activity; sid:24620; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5B|SERVER|5D|connection to |25|s|3A 25|d error"; fast_pattern:only; content:"ntimfos|2E|eng"; nocase; content:"wsastartup"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/c770b96d25c4f0102b3d0a728f75d683779308dca2283a0ebae69ac1e2672a52/analysis/; classtype:trojan-activity; sid:24619; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|23 23|auth|23 23 5B 25|s|5D| succ|21|"; fast_pattern:only; content:"cqo |00|cqto |00|"; nocase; content:"block socket|5B 25|d|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/8f6c0e43bab53df013ef522c83acf0278e9c3ed248f6d10560ae57e13fc3c0a3/analysis/; classtype:trojan-activity; sid:24618; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|23 23|auth|23 23 5B 25|s|5D| succ|21|"; fast_pattern:only; content:"cqo |00|cqto |00|"; nocase; content:"block socket|5B 25|d|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/08f7c373abfa4dc80b015c518834a2f441544a75ae5091f7585bedd31c0e31e2/analysis/; classtype:trojan-activity; sid:24617; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"crack|5F|ftp|28|self|29|"; fast_pattern:only; content:"users |3D| |5B 27|root"; nocase; content:"do|5F|smb|5F|ck"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/7c334a0a9ef6ab520366e0b20ba488e41b546aae34395c83c0d420102ad550cd/analysis/; classtype:trojan-activity; sid:24616; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"crack|5F|ftp|28|self|29|"; fast_pattern:only; content:"users |3D| |5B 27|root"; nocase; content:"do|5F|smb|5F|ck"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/7c334a0a9ef6ab520366e0b20ba488e41b546aae34395c83c0d420102ad550cd/analysis/; classtype:trojan-activity; sid:24615; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"Type your current password to get root"; fast_pattern:only; content:"/usr/bin/chfn |2D|h"; nocase; content:"uid|3D|1000|28|hunger|29|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/25748edee2e58e31b9f79d328ce9286b69f082db86467d6401dd23cb55b0cdfa/analysis/; classtype:trojan-activity; sid:24614; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"Type your current password to get root"; fast_pattern:only; content:"/usr/bin/chfn |2D|h"; nocase; content:"uid|3D|1000|28|hunger|29|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/25748edee2e58e31b9f79d328ce9286b69f082db86467d6401dd23cb55b0cdfa/analysis/; classtype:trojan-activity; sid:24613; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"IO_wfile_underflow"; fast_pattern:only; content:"Gethostbyname|28 25|s|29|"; nocase; content:"stack smashing attack"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/e01351a627a5db51607b1bffd7cb22eabf64d421436131a1ef24fc447d47a85d/analysis/; classtype:trojan-activity; sid:24612; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"IO_wfile_underflow"; fast_pattern:only; content:"Gethostbyname|28 25|s|29|"; nocase; content:"stack smashing attack"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/e01351a627a5db51607b1bffd7cb22eabf64d421436131a1ef24fc447d47a85d/analysis/; classtype:trojan-activity; sid:24611; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"udp associate"; fast_pattern:only; content:"lost host1|21|"; nocase; content:"cmdsocks |3C|1.34|3E|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/af2a6b22b4f42d6b190f122c1c06abb0760b47c4e195cc0e5bd4e4fabf56b8cb/analysis/; classtype:trojan-activity; sid:24610; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"udp associate"; fast_pattern:only; content:"lost host1|21|"; nocase; content:"cmdsocks |3C|1.34|3E|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/af2a6b22b4f42d6b190f122c1c06abb0760b47c4e195cc0e5bd4e4fabf56b8cb/analysis/; classtype:trojan-activity; sid:24609; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"SSLTlsvc has removed successfully!"; fast_pattern:only; content:"bindconnverb"; nocase; content:"cmd3"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/655d1a21fbaf3571beee860a99d009ba0a604430fe42925d07eff48a97a3cf73/analysis/; classtype:trojan-activity; sid:24607; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"SSLTlsvc has removed successfully!"; fast_pattern:only; content:"bindconnverb"; nocase; content:"cmd3"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/655d1a21fbaf3571beee860a99d009ba0a604430fe42925d07eff48a97a3cf73/analysis/; classtype:trojan-activity; sid:24606; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"msiveop.dat|00|msnetst.exe"; fast_pattern:only; content:"cmd.exe|00|command.com"; nocase; content:"700WP"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/3a99a24bd0420fa5176e68092b803f68a8d13d803de4f9d8d375256b132c8951/analysis/; classtype:trojan-activity; sid:24605; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"msiveop.dat|00|msnetst.exe"; fast_pattern:only; content:"cmd.exe|00|command.com"; nocase; content:"700WP"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/3a99a24bd0420fa5176e68092b803f68a8d13d803de4f9d8d375256b132c8951/analysis/; classtype:trojan-activity; sid:24604; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"bind port |5B 25|d|5D| faild!"; fast_pattern:only; content:"-conn"; nocase; content:"cmdsocks.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/410a85bb7522e86de3da953c69d3721752ef88b272ef47c86555a08c1767cdda/analysis/; classtype:trojan-activity; sid:24603; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"bind port |5B 25|d|5D| faild!"; fast_pattern:only; content:"-conn"; nocase; content:"cmdsocks.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/410a85bb7522e86de3da953c69d3721752ef88b272ef47c86555a08c1767cdda/analysis/; classtype:trojan-activity; sid:24602; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"p2x5142.dll failed"; fast_pattern:only; content:"DBG: FIND"; nocase; content:"GetTempDir"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/886ecd19280ab8f7dc962d85ad1b94b251592e412f4f41fe7c1596767e739489/analysis/ ; classtype:trojan-activity; sid:24601; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"p2x5142.dll failed"; fast_pattern:only; content:"DBG: FIND"; nocase; content:"GetTempDir"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/886ecd19280ab8f7dc962d85ad1b94b251592e412f4f41fe7c1596767e739489/analysis/ ; classtype:trojan-activity; sid:24600; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt"; flow:to_client,established; flowbits:isset,malware.miniflame; content:"|0D 0A|<!-- "; fast_pattern:only; pcre:"/^<!--\s+[\w]{52,}\s+-->\r\n/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24594; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"unable to start gsecdump"; fast_pattern:only; content:"dump_usedhashes,u"; nocase; content:"iamservice"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/0821986b379c8f823bffea73cb25819a8a807c381b084e962b5e51c78f187199/analysis/; classtype:trojan-activity; sid:24592; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"unable to start gsecdump"; fast_pattern:only; content:"dump_usedhashes,u"; nocase; content:"iamservice"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/0821986b379c8f823bffea73cb25819a8a807c381b084e962b5e51c78f187199/analysis/; classtype:trojan-activity; sid:24591; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Coded by fzk"; nocase; content:"|40 00|smb.txt"; nocase; content:"I got back a null buffer !"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:24590; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Coded by fzk"; nocase; content:"|40 00|smb.txt"; nocase; content:"I got back a null buffer !"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:24589; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Lucuis malware file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"01234567890123456789eric0123456789012345678karen|00 00 00 00 25|SystemRoot"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b76b6c8d5378e465c91f6283b6f11fdd58916cfe02923b3a48344174c2272bc0/analysis/; classtype:trojan-activity; sid:24516; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Lucuis malware file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"01234567890123456789eric0123456789012345678karen|00 00 00 00 25|SystemRoot"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24515; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Java.Trojan.Jacksbot jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"key.dat3715pr52u"; fast_pattern:only; content:"B.class"; content:"v.class"; distance:0; content:"y.class"; distance:0; content:"a.class"; distance:0; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/7b654a13d36d3497636c4e934e06ba64/analysis/; classtype:trojan-activity; sid:24427; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Java.Trojan.Jacksbot class download"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"FLOOD DRAIN"; fast_pattern:only; content:"#!/bin/bash"; content:".minecraft"; distance:0; content:"/etc/rc.common"; distance:0; content:"/etc/rc.local"; distance:0; content:".filezilla/recentservers.xml"; distance:0; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1087; reference:url,www.virustotal.com/file/7b654a13d36d3497636c4e934e06ba64/analysis/; classtype:trojan-activity; sid:24426; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Gauss download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 00|B|00|a|00|c|00|k|00|u|00|p|00|0|00|D"; nocase; content:"t|00|a|00|r|00|g|00|e|00|t|00 2E 00|l|00|n|00|k"; fast_pattern:only; content:"|25 00|x"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24411; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Gauss download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 00|B|00|a|00|c|00|k|00|u|00|p|00|0|00|D"; nocase; content:"t|00|a|00|r|00|g|00|e|00|t|00 2E 00|l|00|n|00|k"; fast_pattern:only; content:"|25 00|x"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24410; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Miniflame download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"icsvnt"; fast_pattern:only; content:"RegisterService"; nocase; content:"ServiceMain"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24409; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Miniflame download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"icsvnt"; fast_pattern:only; content:"RegisterService"; nocase; content:"ServiceMain"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24408; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"MALWARE-OTHER itsoknoproblembro UDP flood"; flow:stateless,no_stream; dsize:>1300; content:"AAAAAAAAAAAAAAAAAAAA"; fast_pattern:only; detection_filter:track by_src, count 30, seconds 60; metadata:service dns; reference:url,arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/; classtype:attempted-dos; sid:24396; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"MALWARE-OTHER itsoknoproblembro TCP flood"; flow:to_server,established,no_stream; dsize:>1300; content:"AAAAAAAAAAAAAAAAAAAA"; depth:20; detection_filter:track by_src, count 30, seconds 30; metadata:impact_flag red, service http; reference:url,arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/; classtype:attempted-dos; sid:24395; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Downloader inbound email"; flow:to_server,established; file_data; content:"|01 7C F2 E8 39 0A 61 81 59 BD CA 62 00 BE CA 7D D3 F9 4E CC EB 48 20 5F EC D3 61 46 36 7B 36 EB|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24312; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Downloader download"; flow:to_client,established; file_data; content:"|01 7C F2 E8 39 0A 61 81 59 BD CA 62 00 BE CA 7D D3 F9 4E CC EB 48 20 5F EC D3 61 46 36 7B 36 EB|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24311; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 84 (msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src, count 1, seconds 120; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24262; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24261; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords"; nocase; content:"Dump passwords from files"; within:150; nocase; content:"pwdump"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24260; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords"; nocase; content:"Dump passwords from files"; within:150; nocase; content:"pwdump"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24259; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24258; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24257; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; content:"a=YWZmaWQ9MDUyODg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt sent over email"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"[+++fpnesnpr+++]"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24145; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"[+++fpnesnpr+++]"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24144; rev:4;)
alert udp $HOME_NET any -> $HOME_NET 137 (msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt query for machine name KASPERSKY"; content:"|01 10 00 01|"; depth:4; offset:2; content:" ELEBFDFAEFFCFDELFJCACACACACACAAA|00 00 20 00 01|"; depth:38; offset:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ns; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24143; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to an MP3 file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".mp3"; nocase; http_uri; pcre:"/\.mp3([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24110; classtype:non-standard-protocol; sid:24110; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a ZIP file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".zip"; nocase; http_uri; pcre:"/\.zip([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24109; classtype:non-standard-protocol; sid:24109; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a RAR file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".rar"; nocase; http_uri; pcre:"/\.rar([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24108; classtype:non-standard-protocol; sid:24108; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a BMP file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".bmp"; nocase; http_uri; content:!"Content-Type|3A| multipart/form-data|3B|"; http_header; pcre:"/\.bmp([\?\x5c\x2f]|$)/Usmi"; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-24107; classtype:non-standard-protocol; sid:24107; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a PNG file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".png"; nocase; http_uri; pcre:"/\.png([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24106; classtype:non-standard-protocol; sid:24106; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a GIF file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".gif"; nocase; http_uri; content:!"widgetserver.com"; nocase; http_header; pcre:"/\.gif([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24105; classtype:non-standard-protocol; sid:24105; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a JPEG file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".jpeg"; nocase; http_uri; pcre:"/\.jpeg([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24104; classtype:non-standard-protocol; sid:24104; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a JPG file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".jpg"; nocase; http_uri; pcre:"/\.jpg([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24103; classtype:non-standard-protocol; sid:24103; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_server,established; content:".ru/"; nocase; http_uri; content:"/?"; distance:0; http_uri; content:"|0D 0A|"; within:2; distance:1; http_uri; pcre:"/\x2eru\/\w+\?\d$/miU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:24099; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Malvertising redirection campaign - blackmuscat"; flow:to_server,established; content:"/blackmuscat"; fast_pattern:only; http_uri; pcre:"/\x2fblackmuscats?\x3f\d/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23833; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Malvertising redirection page"; flow:to_client,established; file_data; content:"|22| height=0 width=0></iframe>|27 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:trojan-activity; sid:23798; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Malvertising network attempted redirect"; flow:to_client,established; file_data; content:".php|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1102; reference:url,labs.sucuri.net/?details=pairedpixels.com; classtype:trojan-activity; sid:23620; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_client,established; file_data; content:"|27 20|width=|27|6|27 20|height=|27|10|27 20|style=|27|position|3A 20|absolute|3B 20|left|3A 20 2D|1000px|3B 20|top|3A 20 2D|1000px|3B 20|z-index|3A 20|1|3B 27 3E 3C 2F|iframe|3E 22 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23618; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER potential clickjacking via css pointer-events attempt"; flow:to_client,established; file_data; content:"<style"; nocase; content:"text/css"; within:25; nocase; content:"position"; distance:0; nocase; content:"absolute"; within:15; nocase; content:"pointer-events"; within:100; fast_pattern; nocase; content:"none"; within:10; nocase; content:!"</div>"; within:10; nocase; pcre:"/position\s*?\x3a\s*?absolute\s*?\x3b[^\x7d]*?pointer-events\s*?\x3a\s*?none\s*?\x3b/i"; metadata:service http; reference:url,jsfiddle.net/gcollazo/UMyEm/embedded/result/; classtype:policy-violation; sid:23350; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER NeoSploit Malvertising - URI Requested"; flow:to_server,established; urilen:34; content:"/?"; depth:2; http_uri; content:" *|3B| q=.2, */*|3B| q=.2"; fast_pattern:only; http_header; pcre:"/\/\?[0-9a-f]{32}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:23058; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; fast_pattern:only; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1102; classtype:trojan-activity; sid:22061; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER nikjju script injection"; flow:to_client,established; file_data; content:"script src=http|3A 2F 2F|"; nocase; content:"|2F|r.php"; within:50; fast_pattern; nocase; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:url,isc.sans.edu/diary.html?storyid=13036; classtype:misc-activity; sid:21949; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"302"; http_stat_code; content:"=_"; content:"_|5C 3B| domain="; within:11; distance:1; pcre:"/^[a-z]{5}\d=_\d_/C"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; content:"/hi.cgi"; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; content:"/in.cgi"; http_header; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Hsmi"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; isdataat:15,relative; content:!"id="; within:3; nocase; content:!"&"; within:6; content:!"="; within:6; pcre:"/\x2Fin\.cgi\?(\w{1,6}|default)\b/smi"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:14;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000="; fast_pattern; content:"SL_"; http_cookie; content:"_0000="; within:8; http_cookie; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Possible malicious jar file download page"; flow:to_client, established; file_data; content:"String.fromCharCode"; nocase; content:".jar|27|"; content:"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"; fast_pattern:only; metadata:service http; classtype:attempted-user; sid:21642; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Possible banking trojan with known banking strings"; flow:to_client,established; file_data; content:"bankofamerica.com"; content:"capitalonebank.com"; content:"citigroup.com"; content:"capitalonebank.com"; content:"ebanking-services.com"; content:"mandtbank.com"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:21641; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-OTHER Horde javascript.php href backdoor"; flow:to_server,established; content:"/horde/services/javascript.php"; fast_pattern; http_uri; content:"href="; http_cookie; content:"file=open_calendar.js"; http_client_body; metadata:service http; reference:cve,2012-0209; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; classtype:trojan-activity; sid:21555; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Tong Keylogger outbound connection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"KeyLogged"; distance:0; nocase; content:"from"; distance:0; nocase; content:"|5B|Sync"; nocase; content:" Manager|5D|"; distance:0; nocase; content:"|2D|"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/5251107a201ddc5bd3d1fdc5b2f64bf1a4480f0f95e92c69a150a41078b1e4e5/analysis/; classtype:trojan-activity; sid:19901; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Tong Keylogger outbound connection"; flow:to_server,established; flowbits:isset,backdoor.tongkeylogger; content:"|5B|Sync"; nocase; content:" Manager|5D|"; distance:0; nocase; content:"|2D|"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/5251107a201ddc5bd3d1fdc5b2f64bf1a4480f0f95e92c69a150a41078b1e4e5/analysis/; classtype:trojan-activity; sid:19900; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Tong Keylogger outbound connectiooutbound connection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"KeyLogged"; distance:0; nocase; content:"from"; distance:0; nocase; flowbits:set,backdoor.tongkeylogger; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/5251107a201ddc5bd3d1fdc5b2f64bf1a4480f0f95e92c69a150a41078b1e4e5/analysis/; classtype:trojan-activity; sid:19899; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER PWS.Win32.Scofted keylogger runtime detection"; flow:to_server,established; content:"STOR JUNIPER-"; depth:13; nocase; content:".log|0D 0A|"; within:10; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/1ed945316f12208e4d45633d78de79eade9af9904f9817e447d39148668e2d75/analysis/; classtype:trojan-activity; sid:19741; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger Monitor.win32.perflogger"; flow:to_server,established; flowbits:isset,w32.perflogger; content:"MKD"; nocase; pcre:"/MKD\s+\d{4}\x2d(\d{2}\x2d){4}/i"; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:19393; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger Monitor.win32.perflogger"; flow:to_server,established; content:"USER|20|nacky8|0D 0A|"; nocase; flowbits:set,w32.perflogger; flowbits:noalert; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:19392; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER generic IRC botnet connection"; flow:to_server,established; content:"USER|20|"; content:"|20 30 20 30 20 3A|"; within:32; distance:2; metadata:impact_flag red, service ircd; reference:url,www.virustotal.com/file/209D49E1A327919329BD8E737A133A33826668D4678DF56330CC7AF58A80B3D0/analysis/; reference:url,www.virustotal.com/file/4bf35e8ca725ccb4a3ca3be464141b49a5f0e9292aed5dd244235edf7e809626/analysis/; reference:url,www.virustotal.com/file/4c2c745bde3ada3c266d9d341c52aefc4b3a79dfc42e269c6af04119e6f13aa7/analysis/; classtype:trojan-activity; sid:19362; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger WL-Keylogger outbound connection"; flow:to_server,established; flowbits:isset,Malware_Keylogger_InitConnection; content:"ServerDetails|7C|"; depth:14; nocase; pcre:"/^ServerDetails\x7c[^\r\n]*\x7c[^\r\n]*\x7c/smi"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/k/keylogger/Keylogger_darkdays.html; classtype:trojan-activity; sid:19325; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Keylogger WL-Keylogger inbound connection"; flow:to_client,established; content:"ServerDetails"; depth:13; nocase; flowbits:set,Malware_Keylogger_InitConnection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/k/keylogger/Keylogger_darkdays.html; classtype:trojan-activity; sid:19324; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack"; flow:established,to_server,no_stream; content:"U dun goofed"; fast_pattern:only; detection_filter:track by_src, count 10, seconds 2; reference:url,attack.mitre.org/techniques/T1078; reference:url,sourceforge.net/projects/loic/; classtype:attempted-dos; sid:19319; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack"; flow:stateless,no_stream; content:"U dun goofed"; fast_pattern:only; detection_filter:track by_src, count 10, seconds 2; reference:url,attack.mitre.org/techniques/T1078; reference:url,sourceforge.net/projects/loic/; classtype:attempted-dos; sid:19318; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Keylogger Ardamax keylogger runtime detection - http"; flow:to_server,established; content:"/pub/u1.php?v="; http_uri; content:"&pr="; http_uri; content:"&id="; http_uri; content:"&rn="; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.malware-control.com/statics-pages/fc321d8376cc9fad4cf02453d3cd353c.php; classtype:trojan-activity; sid:19106; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER lizamoon script injection"; flow:to_client,established; file_data; content:"script src=http|3A 2F 2F|"; nocase; content:"|2F|ur.php"; within:50; fast_pattern; nocase; metadata:service http; reference:url,isc.sans.edu/diary.html?storyid=10642; classtype:misc-activity; sid:18604; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger egyspy keylogger 1.13 runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"EgySpy"; distance:0; nocase; content:"Victim"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*EgySpy\s+Victim/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.sunbeltsecurity.com/threatdisplay.aspx?name=EgySpy&tid=48410&cs=6ECDDEC7712C7CE701773045B519AE38; classtype:successful-recon-limited; sid:16455; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger cheat monitor runtime detection"; flow:to_server,established; content:"Report"; nocase; content:"@"; nocase; content:"name=cheatmonitorR_SCREEN.DATETIME."; fast_pattern:only; pcre:"/Report\x20\x40.*name\x3dcheatmonitorR\x5fSCREEN\x2eDATETIME/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141479; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-090408-5607-99&tabid=2; classtype:successful-recon-limited; sid:16137; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware owlforce runtime detection - remote server #2"; flow:to_server,established; content:"/status.php?"; nocase; http_uri; content:"searchurl="; http_uri; content:"version="; http_uri; content:"act="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Nimo Software HTTP Retriever"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Nimo\x20Software\x20HTTP\x20Retriever/smiH"; metadata:service http; reference:url,spywaresignatures.com/details/owlforce.pdf; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113210; classtype:successful-recon-limited; sid:16133; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware owlforce runtime detection - remote server #1"; flow:to_server,established; content:"/success.php?"; nocase; http_uri; content:"itemname="; http_uri; content:"User-Agent|3A| Nimo Software HTTP Retriever"; fast_pattern:only; metadata:service http; reference:url,spywaresignatures.com/details/owlforce.pdf; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113210; classtype:successful-recon-limited; sid:16132; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware adclicker trojan zlob.dnz runtime detection - ads"; flow:to_server,established; content:"/bc/123kah.php"; nocase; content:"Host|3A|"; nocase; http_header; content:"ads.gooochi.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ads\x2egooochi\x2ebiz/smiH"; metadata:service http; classtype:successful-recon-limited; sid:16131; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Keylogger lord spy pro 1.4 runtime detection"; flow:to_server,established; content:"POST //"; nocase; content:"Host|3A| www.fakemailer.info"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:16130; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Keylogger kamyab Keylogger v.3 runtime detection"; flow:to_server,established; content:"/ahmad.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.kamyab-hack.com"; distance:0; fast_pattern; nocase; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/k/keylogger/Kamyabkeylogger3.0.html; classtype:successful-recon-limited; sid:16129; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger spyyahoo v2.2 runtime detection"; flow:to_server,established; content:"RETR k3ylogger.txt"; fast_pattern:only; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/s/spyyahoo/Spyyahoo2.2.html; classtype:successful-recon-limited; sid:16125; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware rightonadz.biz adrotator runtime detection - ads"; flow:to_server,established; content:"/bc/123kah.php"; nocase; content:"Host|3A|"; nocase; http_header; content:"ads.targetedbanner.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ads\x2etargetedbanner\x2ebiz/smiH"; metadata:service http; reference:url,www.sophos.com/security/analyses/adware-and-puas/rightonadz.html; classtype:successful-recon-limited; sid:16117; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware rightonadz.biz adrotator runtime detection - pass user info to remote server"; flow:to_server,established; content:"/bc/ip.php"; nocase; content:"Host|3A| ads.targetedbanner.biz"; distance:0; nocase; metadata:service http; reference:url,www.sophos.com/security/analyses/adware-and-puas/rightonadz.html; classtype:successful-recon-limited; sid:16116; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger ultimate Keylogger pro runtime detection"; flow:to_server,established; content:"Subject|3A| Ultimate Keylogger Report from"; fast_pattern:only; content:"Activity Report from Ultimate"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453139331; reference:url,www.411-spyware.com/remove-ultimate-keylogger; classtype:successful-recon-limited; sid:14075; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spybosspro 4.2 runtime detection"; flow:to_server,established; content:"Subject|3A| SpyBoss Pro - Log File Mailing"; fast_pattern:only; content:"X-Mailer|3A| SpyBoss Pro"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.2-spyware.com/remove-spybosspro.html; reference:url,www.411-spyware.com/remove/spyboss-pro; classtype:successful-recon-limited; sid:14074; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Keylogger emptybase j runtime detection"; flow:to_server,established; content:"/th/script.php?"; nocase; content:"boundary=--__abcd-xyz789__--"; distance:0; nocase; content:"name=|22|Module|22 0D 0A 0D 0A|"; distance:0; nocase; content:"IE"; distance:0; nocase; pcre:"/name\x3d\x22Module\x22\x0d\x0a\x0d\x0a(IEGrabber|IEInjector|IEFaker|IEKeylogger|IETanGrabber|IEScrGrabber|IECertGrab|IEFileGrabber)/smi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453117299; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malencpkay.html; classtype:successful-recon-limited; sid:14065; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware rightonadz.biz adrotator runtime detection - ads"; flow:to_server,established; content:"/bc/123kah.php"; fast_pattern:only; content:"Host|3A|"; nocase; http_header; content:"rightonadz.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*rightonadz\x2ebiz/smiH"; metadata:service http; reference:url,www.askmehelpdesk.com/spyware-viruses-etc/pop-up-http-rightonadz-biz-bc-123kah-php-151385.html; reference:url,www.nettrafficchat.com/showthread.php?t=1347; classtype:successful-recon-limited; sid:13933; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware adclicker-fc.gen.a runtime detection"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"cmpname="; nocase; http_uri; content:"gai="; nocase; http_uri; content:"gli="; nocase; http_uri; content:"gff="; nocase; http_uri; content:"ed="; nocase; http_uri; content:"ex="; nocase; http_uri; content:"eu="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"intervarioclick.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*intervarioclick\x2ecom/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_144220.htm; classtype:successful-recon-limited; sid:13867; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware adclicker-fc.gen.a runtime detection - popup ads"; flow:to_server,established; content:"/r.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pn="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"said="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"directnameservice2008.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*directnameservice2008\x2ecom/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_144220.htm; classtype:successful-recon-limited; sid:13866; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger refog Keylogger runtime detection"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"NextPart_2"; nocase; content:"<TIT=|0D 0A|LE>REFOG log</TITLE>"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,secure.shareit.com/shareit/product.html?productid=219815&sessionid=890841208&random=d4da8e41f97c6c623e18f4b52ad63142; reference:url,www.refog.com; classtype:successful-recon-limited; sid:13812; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger kgb employee monitor runtime detection"; flow:to_server,established; content:"<TIT= LE> KGB log </TITLE>"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/spydet_26548_kgb_employee_monitor.html; reference:url,www.spywareremove.com/removeKGBKeylogger.html; classtype:successful-recon-limited; sid:13778; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware syscleaner runtime detection - presale traffic"; flow:to_server,established; content:"/order.php?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"context="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sys-cleaner.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Esys-cleaner\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453123831; reference:url,spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.SysCleaner.htm; classtype:successful-recon-limited; sid:13776; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger cyber sitter runtime detection"; flow:to_server,established; flowbits:isset,cyberSitter_detection; content:"CYBERsitter"; nocase; content:"appears"; distance:0; nocase; content:"to"; distance:0; nocase; content:"be"; distance:0; nocase; content:"functioning"; distance:0; nocase; pcre:"/CYBERsitter\s+appears\s+to\s+be\s+functioning/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CyberSitter&threatid=30845; reference:url,www.spywareguide.com/spydet_1056_cybersitter.html; classtype:successful-recon-limited; sid:13768; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger cyber sitter runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"CYBERsitter"; distance:0; nocase; content:"Report"; distance:0; nocase; content:"for|3A|"; distance:0; nocase; pcre:"/Subject\x3A[^\r\n]*CYBERsitter\s+Report\s+for\x3A/smi"; flowbits:set,cyberSitter_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13767; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger family cyber alert runtime detection - smtp traffic for recorded activities"; flow:to_server,established; content:"thread-index|3A| Acio"; nocase; content:"Subject|3A| Email from Family Cyber Alert"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Family%20Cyber%20Alert&threatid=48570; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453117297; classtype:successful-recon-limited; sid:13651; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger easy Keylogger runtime detection"; flow:to_server,established; content:"DQp+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fg0KV2luZG93IFRpd"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Easy%20Keylogger&threatid=43573; reference:url,spywaresignatures.com/details.php?spyware=easykeyloggerfree5.0; classtype:successful-recon-limited; sid:13642; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger sys keylog 1.3 advanced runtime detection"; flow:to_server,established; content:"This is the file kept 'LOG', of the program Sys="; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Sys_Keylog&threatid=48624; reference:url,spywaredetector.net/spyware_encyclopedia/Spyware.SysKeylog.htm; classtype:successful-recon-limited; sid:13568; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger msn spy monitor runtime detection"; flow:to_server,established; content:"<TITLE>MSN Spy Monitor Logging Report</TITLE>"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MSN%20Spy%20Monitor&threatid=41180; classtype:successful-recon-limited; sid:13567; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger smart pc Keylogger runtime detection"; flow:to_server,established; content:"Subject|3A| Smart PC Keylogger - Log File Mailing"; fast_pattern:only; content:"X-Mailer|3A| Smart PC Keylogger"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Smart%20Pc%20Keylogger&threatid=48645; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453124511; classtype:successful-recon-limited; sid:13494; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection"; flow:to_server,established; flowbits:isset,FindNotGuardDog_detection; content:"X-Mailer|3A|"; nocase; content:"FindNot"; distance:0; nocase; content:"GuardDog"; distance:0; nocase; pcre:"/^X\x2DMailer\x3A[^\r\n]*FindNot\s+GuardDog/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=FindNot%20GuardDog&threatid=41463; reference:url,www.findnot.eu/pg_guarddog.htm; classtype:successful-recon-limited; sid:13480; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"|22|FindNot"; distance:0; nocase; content:"GuardDog|22|"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*\x22FindNot\s+GuardDog\x22/smi"; flowbits:set,FindNotGuardDog_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13479; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection"; flow:to_server,established; flowbits:isset,EmailSpyMonitor_detection; content:"<title>"; nocase; content:"Email"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"Monitor"; distance:0; nocase; content:"Logging"; distance:0; nocase; content:"Report"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\x3CTitle\x3EEmail\s+Spy\s+Monitor\s+Logging\s+Report\x3C\x2Ftitle\x3E/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122634; reference:url,www.spywareremove.com/removeEmailSpyMonitor.html; classtype:successful-recon-limited; sid:13281; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Chilkat"; distance:0; nocase; content:"Software"; distance:0; nocase; content:"Inc"; distance:0; nocase; pcre:"/^X\x2DMailer\x3A[^\r\n]*Chilkat\s+Software\s+Inc/smi"; flowbits:set,EmailSpyMonitor_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13280; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection"; flow:to_server,established; flowbits:isset,AdvancedSpy_detection; content:"filename="; nocase; content:"|22|as_report_"; distance:0; nocase; content:".zip|22|"; distance:0; nocase; pcre:"/filename\s*\x3D\s*\x22as\x5Freport\x5F[^\x22]+\x2Ezip\x22/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Advanced%20Spy&threatid=127939; reference:url,www.advancedspy.net/; classtype:successful-recon-limited; sid:13279; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection"; flow:to_server,established; content:"Advanced"; nocase; content:"Spy"; distance:0; nocase; content:"Report"; distance:0; nocase; content:"for"; distance:0; nocase; pcre:"/Advanced\s+Spy\s+Report\s+for/smi"; flowbits:set,AdvancedSpy_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13278; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection"; flow:to_server,established; flowbits:isset,ComputerMonitor11_detection; content:"Computer"; nocase; content:"Monitor"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Lastcomfort"; distance:0; nocase; pcre:"/Computer\s+Monitor\s+by\s+Lastcomfort/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Computer%20Monitor&threatid=48576; classtype:successful-recon-limited; sid:13244; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Computer"; distance:0; nocase; content:"Monitor"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*Computer\s+Monitor/smi"; flowbits:set,ComputerMonitor11_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13243; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection"; flow:to_server,established; flowbits:isset,ActiveKeylogger392_detection; content:"filename=|22|"; nocase; content:"akllogs.zip|22|"; distance:0; nocase; pcre:"/filename\x3D\x22[^\r\n]*akllogs\x2Ezip\x22/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Active%20Key%20Logger&threatid=1622; classtype:successful-recon-limited; sid:13237; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection"; flow:to_server,established; content:"Attached"; nocase; content:"|28|ZIP"; distance:0; nocase; content:"file|29|"; distance:0; nocase; content:"to"; distance:0; nocase; content:"this"; distance:0; nocase; content:"email"; distance:0; nocase; content:"are"; distance:0; nocase; content:"the"; distance:0; nocase; content:"activity"; distance:0; nocase; content:"logs"; distance:0; nocase; content:"that"; distance:0; nocase; content:"you"; distance:0; nocase; content:"have"; distance:0; nocase; content:"requested."; distance:0; nocase; pcre:"/Attached\s+\x28ZIP\s+file\x29\s+to\s+this\s+email\s+are\s+the\s+activity\s+logs\s+that\s+you\s+have\s+requested\x2E/smi"; flowbits:set,ActiveKeylogger392_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13236; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection"; flow:to_server,established; flowbits:isset,SpyLanternKeylogger6_detection; content:"filename=|22|"; nocase; content:".ltr"; distance:0; nocase; pcre:"/filename\x3D\x22[^\r\n]*\x2Eltr\x22/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Spy%20Lantern%20Keylogger&threatid=29156; classtype:successful-recon-limited; sid:12793; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection"; flow:to_server,established; content:"Attachment"; nocase; content:"contains"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"Lantern"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"log"; distance:0; nocase; content:"file"; distance:0; nocase; pcre:"/Attachment\s+contains\s+Spy\s+Lantern\s+Keylogger.*log\s+file\x2E/smi"; flowbits:set,SpyLanternKeylogger6_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12792; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware partypoker runtime detection"; flow:to_server,established; content:"/utility/client/images/ProductVersion.txt"; fast_pattern; nocase; http_uri; content:"Host|3A| www.partycasino.com"; nocase; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PartyPoker&threatid=44086; classtype:successful-recon-limited; sid:12790; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection"; flow:to_server,established; flowbits:isset,PoweredKeylogger22_detection; content:"Please,"; nocase; content:"find"; distance:0; nocase; content:"the"; distance:0; nocase; content:"log"; distance:0; nocase; content:"file"; distance:0; nocase; content:"|28|PKL|29|"; distance:0; nocase; content:"attached"; distance:0; nocase; content:"to"; distance:0; nocase; content:"this"; distance:0; nocase; content:"e-mail."; distance:0; nocase; pcre:"/Please\x2C\s+find\s+the\s+log\s+file\s+\x28PKL\x29\s+attached\s+to\s+this\s+e\x2Dmail\x2E/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453097852; classtype:successful-recon-limited; sid:12761; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Powered"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"Logs"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*Powered\s+Keylogger\s+Logs/smi"; flowbits:set,PoweredKeylogger22_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12760; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection"; flow:to_server,established; flowbits:isset,DigiWatcher232_detection; content:"Motion"; nocase; content:"detected!"; distance:0; nocase; content:"Watcher"; distance:0; nocase; content:"PC"; distance:0; nocase; content:"IP"; distance:0; nocase; content:"address|3A|"; distance:0; nocase; pcre:"/Motion\s+detected\x21/smi"; pcre:"/Watcher\s+PC\s+IP\s+address\x3A/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453119363; classtype:successful-recon-limited; sid:12759; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"Digi-Watcher.com"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*Digi\x2DWatcher\x2Ecom/smi"; flowbits:set,DigiWatcher232_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12758; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger net vizo 5.2 runtime detection"; flow:to_server,established; content:"This is an alert notification from NetVizor"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453097457; classtype:successful-recon-limited; sid:12698; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware browser accelerator runtime detection - pass user information to server"; flow:to_server,established; content:"/data/track.aspx"; nocase; http_uri; content:"Host|3A| data.browseraccelerator.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_1253_browseracclerator.html; classtype:successful-recon-limited; sid:12697; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger windows family safety 2.0 runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Windows Supervisor Report"; distance:0; nocase; content:"<title>Windows Family Safety</title>"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453117306; classtype:successful-recon-limited; sid:12625; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger inside website logger 2.4 runtime detection"; flow:to_server,established; content:"Subject|3A| Email Reports from Inside Website Logger"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.programurl.com/inside-website-logger.htm; classtype:successful-recon-limited; sid:12480; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-OTHER Keylogger PaqKeylogger 5.1 runtime detection - ftp"; flow:to_client,established; content:"version 4.0 key|3A 0D 0A|~~~~~~~~~~~~~~~~~~~~~~~~~~"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=2709; classtype:successful-recon-limited; sid:12379; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger mg-shadow 2.0 runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Mailer"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*Mailer/smi"; content:"+++ MG-Shadow 2.0"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,tweakyourwindows.com/Software-Details/19993/MGShadow-Computer-monitoring-software.html; reference:url,www.softpedia.com/progDownload/MGShadow-Download-44651.html; classtype:successful-recon-limited; sid:12372; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger overspy runtime detection"; flow:to_server,established; content:"Subject|3A| OverSpy Surveillance Data"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,secunia.com/virus_information/27591/spyware-overspy/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-021412-4303-99; classtype:successful-recon-limited; sid:12226; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger logit v1.0 runtime detection"; flow:to_server,established; content:"Subject|3A| Logger Results"; nocase; content:"|0D 0A 0D 0A|<|7C|"; distance:0; content:"|7C|>|0D 0A 0D 0A|"; distance:0; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.trojanfrance.com/index.php?dir=KeyLoggers/; classtype:successful-recon-limited; sid:12141; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Trackware stealth website logger 3.4 runtime detection"; flow:to_server,established; content:"Subject|3A| Email Reports from Stealth Website Logger"; fast_pattern:only; metadata:service smtp; reference:url,www.programurl.com/stealth-website-logger.htm; classtype:successful-recon-limited; sid:12139; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger Keylogger king home 2.3 runtime detection"; flow:to_server,established; content:"<TIT=|0D 0A|LE>|0D 0A|King log|0D 0A|</TITLE>|0D 0A|"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097591; classtype:successful-recon-limited; sid:12137; rev:7;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun"; flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Fun_detection; content:"WND"; depth:3; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Keylogger&threatid=10445; reference:url,www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html; classtype:successful-recon-limited; sid:12136; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 456 (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun"; flow:to_server,established; content:"fun"; depth:3; flowbits:set,RemoteKeyLog.b.Fun_detection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12135; rev:4;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url"; flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Url_detection; content:"WND"; depth:3; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Keylogger&threatid=10445; reference:url,www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html; classtype:successful-recon-limited; sid:12134; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 456 (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url"; flow:to_server,established; content:"url"; depth:3; flowbits:set,RemoteKeyLog.b.Url_detection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12133; rev:4;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging"; flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Keylogging_detection; content:"KEY"; depth:3; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Keylogger&threatid=10445; reference:url,www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html; classtype:successful-recon-limited; sid:12132; rev:5;)
alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging"; flow:to_client,established; content:"WND"; depth:3; flowbits:set,RemoteKeyLog.b.Keylogging_detection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12131; rev:4;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info"; flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Info_detection; content:"Product Name"; depth:12; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Keylogger&threatid=10445; reference:url,www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html; classtype:successful-recon-limited; sid:12130; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 456 (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info"; flow:to_server,established; content:"info"; depth:4; flowbits:set,RemoteKeyLog.b.Info_detection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12129; rev:4;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - init connection"; flow:to_client,established; content:"WNDkServer"; depth:10; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Keylogger&threatid=10445; reference:url,www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html; classtype:successful-recon-limited; sid:12128; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger apophis spy 1.0 runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"A-Spy"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*A-Spy[^\r\n]*Server/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072636; classtype:successful-recon-limited; sid:12049; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger computer Keylogger runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"ComputerKeylogger.com"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*ComputerKeylogger\x2Ecom/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098303; classtype:successful-recon-limited; sid:12048; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware uplink runtime detection"; flow:to_server,established; content:"/Response2.aspx"; fast_pattern; nocase; http_uri; content:"mac="; nocase; http_uri; content:"myadid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"uplink.co.kr"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*uplink\x2Eco\x2Ekr/smiH"; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-031317-1701-99&tabid=1; classtype:successful-recon-limited; sid:11312; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Keylogger pcsentinelsoftware Keylogger runtime detection - upload infor"; flow:to_server,established; content:"/upload.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.pcsentinelsoftware.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Epcsentinelsoftware\x2Ecom/smiH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.pcsentinelsoftware.com; classtype:successful-recon-limited; sid:11311; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger sskc v2.0 runtime detection"; flow:to_server,established; content:"SSKC"; nocase; content:"v2.0"; distance:0; nocase; content:"Startup"; distance:0; nocase; content:"at"; distance:0; nocase; pcre:"/^SSKC[^\r\n]*v2\x2E0[^\r\n]*Startup[^\r\n]*at/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076545; classtype:successful-recon-limited; sid:11309; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger computer monitor Keylogger runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Computer"; distance:0; nocase; content:"Monitor"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*Computer[^\r\n]*Monitor[^\r\n]*Keylogger/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097349; classtype:successful-recon-limited; sid:11307; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger pc black box runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"PC"; distance:0; nocase; content:"Black"; distance:0; nocase; content:"Box"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*PC[^\r\n]*Black[^\r\n]*Box/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PC%20Black%20Box&threatid=117239; classtype:successful-recon-limited; sid:10440; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger keyspy runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"mail"; distance:0; nocase; content:"function"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*mail\s+function/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3266; classtype:successful-recon-limited; sid:10436; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware admedia runtime detection"; flow:to_server,established; content:"/hzyt/client/procpost.aspx"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.ccnnlc.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eccnnlc\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098012; classtype:successful-recon-limited; sid:10435; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger activity Keylogger runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Activity"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"Logs"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*Activity[^\r\n]*Keylogger[^\r\n]*Logs/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097325; classtype:successful-recon-limited; sid:10183; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger systemsleuth runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"SystemSleuth"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*SystemSleuth/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097306; classtype:successful-recon-limited; sid:10181; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-OTHER Keylogger radar spy 1.0 runtime detection - send html log"; flow:to_client,established; content:"<title>New Page 1</title>"; nocase; content:"Log Started |3A|"; distance:0; fast_pattern; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453079942; classtype:successful-recon-limited; sid:10167; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware baigoo runtime detection"; flow:to_server,established; content:"/sszsex.html"; nocase; http_uri; content:"src="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"dm="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"client.baigoo.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*client\x2Ebaigoo\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098801; classtype:successful-recon-limited; sid:10166; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger mybr Keylogger runtime detection"; flow:to_server,established; content:"From|3A D0 C5 CF A2|"; fast_pattern:only; content:"Subject|3A|"; nocase; pcre:"/^From\x3a\xd0\xc5\xcf\xa2.*Subject\x3a[^\r\n]*\d+\x2d\d+\x2d\d+\x2d\d+\x3a\d+\x3a\d+/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.hack77.com/Soft/hkgj/jpjl/200701/2844.html; classtype:successful-recon-limited; sid:10165; rev:8;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - open website"; flow:to_client,established; flowbits:isset,Win32.RemoteKeylog.b.website; content:"WNDMicrosoft"; depth:12; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075959; classtype:successful-recon-limited; sid:10100; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 456 (msg:"MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection"; flow:to_server,established; content:"url"; depth:3; nocase; flowbits:set,Win32.RemoteKeylog.b.website; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:10099; rev:5;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - get system info"; flow:to_client,established; flowbits:isset,Win32.RemoteKeylog.b.info; content:"Product"; depth:7; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075959; classtype:successful-recon-limited; sid:10098; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 456 (msg:"MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection"; flow:to_server,established; content:"info"; depth:4; nocase; flowbits:set,Win32.RemoteKeylog.b.info; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:10097; rev:5;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - keylog"; flow:to_client,established; content:"KEY"; depth:3; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075959; classtype:successful-recon-limited; sid:10096; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware bydou runtime detection"; flow:to_server,established; content:"/pra.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.bydou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Ebydou\x2Ecom/smiH"; metadata:service http; reference:url,bbs.360safe.com/viewthread.php?tid=58707; classtype:successful-recon-limited; sid:10095; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware russian searchbar runtime detection"; flow:to_server,established; content:"referer="; nocase; http_uri; content:"show="; nocase; http_uri; content:"Host|3A| bar-navig.yandex.ru"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079056; classtype:successful-recon-limited; sid:10092; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by ftp"; flow:to_server,established; content:"Open Beyond Keylogger"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453097340; classtype:successful-recon-limited; sid:10089; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by smtp"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Beyond"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"Report"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*Beyond\s+Keylogger\s+Report\x2E\s+Id\x3d\x5b.*\x5d/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097340; classtype:successful-recon-limited; sid:10088; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkCCOqHqPmgGbzTU9IAAA1jAAAArAAAJgAACWwe"; metadata:service smtp; classtype:trojan-activity; sid:10083; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA76VO"; metadata:service smtp; classtype:trojan-activity; sid:10082; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7/2n"; metadata:service smtp; classtype:trojan-activity; sid:10081; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkICEywTzzbc2+gVYUVAIGpAAAA2AAAJgAARC1i"; metadata:service smtp; classtype:trojan-activity; sid:10080; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkICEywTzzbc2+gVYUVAIGpAAAA2AAAJgAARIj9"; metadata:service smtp; classtype:trojan-activity; sid:10079; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkICKDx6PZ9cWtlZzUVAMY0AAAAZAAAJgAAqwTm"; metadata:service smtp; classtype:trojan-activity; sid:10078; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger supreme spy runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Supreme"; distance:0; nocase; content:"Spy"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*Supreme\s+Spy/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097729; classtype:successful-recon-limited; sid:9830; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware relevantknowledge runtime detection"; flow:to_server,established; content:"/oss/"; nocase; http_uri; content:"X-OSSProxy|3A|"; nocase; http_header; content:"OSSProxy"; nocase; http_header; pcre:"/^X-OSSproxy\x3a[^\r\n]*OSSProxy/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097949; classtype:successful-recon-limited; sid:9829; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-OTHER Keylogger paq keylog runtime detection - ftp"; flow:to_client,established; content:"version"; nocase; content:"key"; distance:0; nocase; pcre:"/^version\s+\d+\x2E\d+\s+key\x3a/smi"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098520; classtype:successful-recon-limited; sid:9828; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger paq keylog runtime detection - smtp"; flow:to_server,established; content:"Subject|3A|"; nocase; content:".l|0D 0A|"; within:200; fast_pattern; nocase; pcre:"/^Subject\x3a[^\r\n]*20\d{3,4}\x5f[123]?\d\x2El/mi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098520; classtype:successful-recon-limited; sid:9827; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger ghost Keylogger runtime detection"; flow:to_server,established; flowbits:isset,ghost_keylogger_start; content:"[Static"; nocase; content:"Text]"; distance:0; nocase; pcre:"/^\s*\x5BStatic\s+Text\x5D/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=70892; classtype:successful-recon-limited; sid:9650; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger ghost Keylogger runtime detection - flowbit set"; flow:to_server,established; content:"|23|"; nocase; content:"Ghost"; distance:0; nocase; content:"keylogger"; distance:0; nocase; content:"has"; distance:0; nocase; content:"started"; distance:0; nocase; pcre:"/^\x23\s+Ghost\s+Keylogger\s+has\s+started\x2E/smi"; flowbits:set,ghost_keylogger_start; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=70892; classtype:successful-recon-limited; sid:9649; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger emailspypro runtime detection"; flow:to_server,established; content:"X-FILTERED-BY-GHOST|3A|"; fast_pattern:only; content:"1"; pcre:"/^X-FILTERED-BY-GHOST\x3a[^\r\n]*1/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083347; classtype:successful-recon-limited; sid:9648; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger system surveillance pro runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"System"; distance:0; nocase; content:"Surveillance"; distance:0; nocase; content:"Log"; distance:0; nocase; content:"Open"; nocase; content:"log"; distance:0; nocase; content:"file"; distance:0; nocase; content:"import"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*System\s+Surveillance\s+Log/smi"; pcre:"/^Open\s+log\s+file\s+to\s+import/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098658; classtype:successful-recon-limited; sid:9647; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mydoom.ap attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"Received message is available at"; metadata:service smtp; classtype:trojan-activity; sid:9426; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"OsrkDtNPNg9Xj38hSOB7pKSR+RzaaUnt5GIvg8wXTYQPiLhBPWmLUXYLSN2KDpF0AWHCd8Po"; metadata:service smtp; classtype:trojan-activity; sid:9425; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"MALWARE-OTHER /winnt/explorer.exe unicode klez infection"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,&,2,28,little,relative; content:"|5C 00|w|00|i|00|n|00|n|00|t|00 5C 00|e|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00|.|00|e|00|x|00|e|00 00 00|"; within:41; distance:51; nocase; classtype:trojan-activity; sid:9424; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"MALWARE-OTHER lovegate attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|F|00|X|00|F|00|X|00|"; content:"|9F|u|18 00|"; within:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:trojan-activity; sid:9423; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"MALWARE-OTHER msblast attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|F|00|X|00|F|00|X|00|"; content:"|9D 13 00 01|"; within:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:trojan-activity; sid:9422; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER zotob attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:54; dce_stub_data; content:"|C0 07 00 00 00 00 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:trojan-activity; sid:9421; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER korgo attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; content:"|AD 0D 00 00|"; depth:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:trojan-activity; sid:9420; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER sasser attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; content:"|EC 03 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:trojan-activity; sid:9419; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.a smtp propagation detection"; flow:to_server,established; content:"aWNyb3NvZnQAQGF2cC4AACVzP3A9JWx1JmlkPSVzAGh0dHA6Ly93d3cuZWxyYXNzaG9wLmRl|0D 0A|LzEucGhwAGh0dHA6Ly93d3cuaXQtbXNjLmRlLzEucGhwAGh0dHA6Ly93d3cuZ2V0eW91cmZy"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32baglea.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-011815-3332-99&tabid=2; classtype:trojan-activity; sid:9417; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.at smtp propagation detection"; flow:to_server,established; content:"CFzisjUEyJsg4LLn9YPllwezsmCH/FoLDp8ttt5rlq2cy18Y2O3lemS1iy+B35D9veT2X3ys|0D 0A|6mupMisPtw82NJQBvU4U30nV3kdI4KNtHjiz9AUOmU+oQYcw9M3v9pJHb2MNmFxxkYvyqDWc"; metadata:service smtp; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AT; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41539; classtype:trojan-activity; sid:9416; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER plexus.a smtp propagation detection"; flow:to_server,established; content:"YGVjaG9yIHdwdW4zJXMGZNs+6WEKUxRsRxYMIXDnZ2d04XN1cMku+XjqlhcKcXVpdA9HZoxeLSBzOowm80FoWlbIUi0/SXKAZnZiYTogMQYuMA"; metadata:service smtp; reference:url,vil.nai.com/vil/content/v_126116.htm; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39272; classtype:trojan-activity; sid:9415; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lovelorn.a smtp propagation detection"; flow:to_server,established; content:"dGpuby9meWYAT1VUTE9PSy5FWEVOZXRDYXB0b3IuZXhlbWlyYzMyLmV4ZWFpbS5leGVZcGFnZXIu|0D 0A|ZXhlAHV2anNidWRpYm9kdnBkZXBqb2J6QXpiaXBwL2RwbgBOUUhfTE9WRQBsb3ZlX2xvcm5AeWFo|0D 0A|b28uY29tAE5RSF9MT1ZFTE9STgB0aHV5cXV5ZW5AeWFob28uY29tAE5RSABsb3ZlbG9ybkB5YWhv"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=35041; classtype:trojan-activity; sid:9414; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER ganda smtp propagation detection"; flow:to_server,established; content:"cXJ1dmFiemFickBob3RtYWlsLmNvbT4NCgA8cmVkQGZuYS5zZT4N|0D 0A|CgA8ZGViYXR0QHN2dC5zZT4NCgA8c3VzYW5uZS5zam9zdGVkdEB0aWRuaW5nZW4udG8+DQoAPHNr|0D 0A|b2x2ZXJrZXRAc2tvbHZlcmtldC5zZT4NCgA8bWFyeS5tYXJ0ZW5zc29uQGFmdG9uYmxhZGV0LnNl"; metadata:service smtp; reference:url,www.sophos.com/security/analyses/w32gandaa.html; classtype:trojan-activity; sid:9413; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"MALWARE-OTHER sinmsn.b msn propagation detection"; flow:to_server,established; content:"Application-File|3A| smb.exe"; nocase; content:"Application-FileSize|3A| 163840"; nocase; reference:url,www.f-secure.com/v-descs/smibag.shtml; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=23776; classtype:trojan-activity; sid:9412; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.f smtp propagation detection"; flow:to_server,established; content:"on0MCbCSCWxk8BZK8Pbft5+D4wPB489V8IHiOMH6BAnTW7+wrVyDUyk0xgQ+PTmyb2URwUKK|0A|"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-110414-0652-99&tabid=2; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMIMAIL%2EF&VSect=T; classtype:trojan-activity; sid:9411; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.z smtp propagation detection"; flow:to_server,established; content:"CpDwPVgF2ygS8h34dA18deYVsUYkiCjCrsbvJAcQwjPoYwKqVdMfCFQH/RrpYmxALn3s4A8S|0D 0A|hAMBMRpXBAZoVgfiM0gukIQZD8YQg+h6M3huCoaqDMuXcF0x"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-042110-2302-99&tabid=2; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=38949; classtype:trojan-activity; sid:9410; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER atak.b smtp propagation detection"; flow:to_server,established; content:"OsJMFEHYgBh19HlTYBliOtoPlfhIFVsjwTiRgBgMU+ZVSARWhclXidGWdED5LdJLArJcQ1DSfENl|0D 0A|cmgc0ooDhxdHUODyQ//V6tBJVtc2IBPS7SAmCAw7wXUWiRzJMEgI5UA/pM45Gl1qDJkPuJI/4V6j"; metadata:service smtp; reference:url,www.sophos.com/security/analyses/w32atakb.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-120309-3312-99&tabid=2; classtype:trojan-activity; sid:9409; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lacrow smtp propagation detection"; flow:to_server,established; content:"ZT0iTVMtNTYwOTVNX1BBVENILmV4ZSINCgAAAP////8XAAAAQ29udGVudC1JRDogPFNPTUVDSUQ+DQoA/////w4AAAAtLS0tQUJDREVGLS0NCgAA/////wUAAAANCi4NCgAAAP////8GAAAAUVVJVA0KAABDOlxNUy01NjA5NU1fUEFUQ0guZXhlAAD/////EwAAAEM6XExpc3Rl"; metadata:service smtp; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=W32.Lacrow@mm&threatid=53187; classtype:trojan-activity; sid:9408; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"MALWARE-OTHER lovgate.b netshare propagation detection"; flow:to_server,established; content:"|F7|F|DA C4|D|22|A|AB E6 0D AA 10 17 A5 9F|=|90 B6|D7|AD F6 EE|UN|E5 17|rx|B7|v|E1 94 C7 8C|Q9y|A1 D9 C9|wL|E2 94|Q|7C 0F|6QA6|02|Y|D4 D2 B0 C9|k|C5|r|B9|m|81 DE|'|08 D8 DB 1B A4 99 AC EB 08 BD A7 24|G|8C BC 07 0D E5 06 7F|3|80 0A|T3|90|B|7F 0F|V|95|m|0D 16|g|0A|Y|CB CF 18 FF CB CA|Z|01|_|DE|Z52|0C|Y|CE|Y|1F|&|8C|W|B0 14|u|5C 88 B1 B0 EB C3|<|84 B4|h|D4|>|B8 1E 0F A6|~"; reference:url,www.sophos.com/virusinfo/analyses/w32lovgateb.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-021922-4852-99&tabid=2; classtype:trojan-activity; sid:9407; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lovgate.e smtp propagation detection"; flow:to_server,established; content:"OziaMMstyp3ZvEfNLZDdGUotsJcU9AUzGyIbVCkkslc8AX44pHVQ7cFVd7zMsneJSAaBvoS3iUeo|0D 0A|hlEQ24NXuyvw8X2q88Vmjnqxjk0ouK8Fqb71DLdEZ2FbTDGrGuRodeFwiNi+pKq863l"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32lovgatee.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-030416-4942-99&tabid=2; classtype:trojan-activity; sid:9406; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.ac smtp propagation detection"; flow:to_server,established; content:"cG51RlelhMtbU7QpjWKxOTvQLS+4wB20IzjrIlOWMc5XP3AcIgGMOETE8DI5fRIUfhDaJzhT|0D 0A|RPRpWWAQFKHEl02LHRYUHOqsbkd8SKZGHURgndMOfSCyIMVz/7cu1hIk3EZ8IEmLghDkO9/D"; metadata:service smtp; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=46889; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39026; classtype:trojan-activity; sid:9404; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.aa smtp propagation detection"; flow:to_server,established; content:"NNQX1qMoBi2hCzN5hBb/0LqoYbyhKHgQBVpTEUeLLRgDTO6MTZFsBeto+Gr/qFzvz1uPXM5c|0D 0A|j1s8XFzuo1yuz1ysXPhc81zPXDxcXPNcz1w6XOs7XDxcXPNcz1yuzl7jXu4+XTpePF1d8136"; metadata:service smtp; reference:url,www.sophos.com/security/analyses/w32netskyaa.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNETSKY%2EAA&VSect=T; classtype:trojan-activity; sid:9403; rev:11;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-OTHER welchia tftp propagation detection"; flow:to_server; content:"C|BB 0E|Gy3a38DM4|EC|5e|C2 0A 86 0B|Yde|02 EE|s|EB 18 0A B9|S9Cb|05|Zk|ED|F|29|cf|0D|dl|08|5u@|EB E7|8sm-95|23 AC|p+%|1D|3f|F1|s|FF 03|-|09 CD 00|q -i %s <|02 03 F2|get nSVC|80 C0 CA 96|/|29 D6|b|80 C0| |9E CF 24 BE|-|EB D6|w&k |A9|8Shar|F0 D6 80 DD|+g|00|l|00 EC|DTCo|24 D0|L|07|B|FA 13|j|EF|"; reference:url,www.pchell.com/virus/welchia.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99&tabid=2; classtype:trojan-activity; sid:9402; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER gokar http propagation detection"; flow:to_client,established; file_data; content:"|0B|Bp|D6|p|00 C2 91 C5 83 DE 3B 08 C9| Ll|F8|l|18 F0 80|K!|89|.*|B0 AC 0C C8 08 88 93 E4|d1%7|DF BA 84 3A 3B|,|02 0C E7|,,8|80 D1 24 B1|j|10 D4 E0 E8|>B|C1 29 D3|I|F7 D8 1B C0 05 96 A4 D6 03 01 AE 7C 91 0F 9D A5 BA 95|F|8D 02|'n|99 8F E0 15 98 A0|j|FF FD BE|G|BE B3 EC A3 E1 17 C4|h|DC 3A|f|B8 02 F9 0E 81 CE E2 1B E4 10 13 C8 E7 E3 0C 3B E4 0C C6 01|`6h|D3|h|C0 98 99 87 8C 3B|V|D3|"; fast_pattern:only; metadata:service http; reference:url,www.f-secure.com/v-descs/gokar.shtml; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=10606; classtype:trojan-activity; sid:9401; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER abotus smtp propagation detection"; flow:to_server,established; content:"cPf//1ChHGtAAFDokPv//6Eca0AAUOh1+///i0UIuhhnQAC5AAQAAOhn9v//M8BaWVlkiRBonzpA|0D 0A|AI1F+LoCAAAA6E31///D6b/v///r61tZWV3CBACLwFWL7DPAVWjHOkAAZP8wZIkgM8BaWVlkiRBo"; metadata:service smtp; reference:url,www.isecuritysource.com/threats/worm/w32-abotus-worm-m.aspx; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2001-082919-3906-99&tabid=2; classtype:trojan-activity; sid:9400; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER hanged smtp propagation detection"; flow:to_server,established; content:"AExhWABYYUwAWGFMAE5ld19GYW1vdVNfR2lyTHMAQS5TLk4uAFNNVFA6VGhlX0hhbmdlZEBqYXp6|0D 0A|ZnJlZS5jb20AU01UUDpUaGVfSGFuZ2VkQGhvdG1haWwuY29tAFNleF9TcGFtXyxfRXhjdXNFX01l"; metadata:service smtp; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Email-Worm.Win32.Hanged&threatid=81170; reference:url,www.emsisoft.com/en/malware/?Worm.Win32.Hanged; classtype:trojan-activity; sid:9399; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER totilix.a smtp propagation detection"; flow:to_server,established; content:"YjpDKytIT09LkOkckUAAoQ+RQADB4AKjE5FAAFJqAOglfQAAi9DoMhgAAFroyAsAAOgrGAAAagDo|0D 0A|PCQAAFlouJBAAGoA6P98AACjF5FAAGoA6ddeAADpaiQAADPAoAGRQADDoReRQADDYLsAULC8U2it"; metadata:service smtp; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Worm.Totilix.a&threatid=6703; reference:url,www.viruslist.com/en/viruslist.html?id=4097; classtype:trojan-activity; sid:9398; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER neysid smtp propagation detection"; flow:to_server,established; content:"1eO8sLlq7UIor1GwCmto7XsiMt9GchrcNlbVPh1GT18n0EDLTWKdYxpB5nZPeoxCHDzQuKOyEtsb|0D 0A|MCqnv2Y1wJoGWMGEslVIzj05hLSGDTLIbGy0uaslY66ENTqEiiXk5HxsL8KRnL2EpjwzDZScLR3G"; metadata:service smtp; reference:url,www.logiguard.com/spyware/i/i-worm-neysid.htm; reference:url,www.spywareremove.com/removeIWormNeysid.html; classtype:trojan-activity; sid:9397; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.t netshare propagation detection"; flow:to_server,established; content:"C|80 EA 01 A1 EC|GB|00 8B|H|10 88|QC|8B 15 EC|GB|00 8B|B|10 0F BE|HC|85 C9|u|14 8B 15 EC|GB|00 8B|B|04 24 FE 8B 0D EC|GB|00 89|A|04 8B 15 EC|GB|00 83|z|08 FF 0F 85 92 00 00 00|h|00 80 00 00|j|00 A1 EC|GB|00 8B|H|0C|Q|FF 15 1C|cB|00 8B 15 EC|GB|00 8B|B|10|Pj|00 8B 0D E4|]B|00|Q|FF 15|4cB|00 8B 15 F0|GB|00|k|D2 14 A1 F4|GB|00 03 C2 8B 0D EC|GB|00 83 C1 14|+|C1|P|8B 15 EC|GB|00 83 C2 14|R|A1 EC|GB|00|P|E8|Z%|00 00 83 C4 0C 8B 0D F0|GB|00 83 E9 01 89 0D F0|GB|00 8B|U|08 3B 15 EC|GB|00|v"; reference:url,www.softwaretipsandtricks.com/virus/64865-DebormT.html; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=24669; classtype:trojan-activity; sid:9396; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.j netshare propagation detection"; flow:to_server,established; content:"@|00|@|3B C7|v|F5|AA|80|9|00|u|D4 FF|E|FC 83 C3 08 83|}|FC 04|r|C1 8B|E|08 C7 05 5C|}@|00 01 00 00 00|P|A3|L}@|00 E8 C6 00 00 00 8D B6 EC|x@|00 BF|P}@|00 A5 A5|Y|A3|d|7F|@|00 A5 EB|UAA|80|y|FF 00 0F 85|H|FF FF FF|j|01|X|80 88|a~@|00 08|@=|FF 00 00 00|r|F1|V|E8 8C 00 00 00|Y|A3|d|7F|@|00 C7 05 5C|}@|00 01 00 00 00 EB 06 89 1D 5C|}@|00|3|C0 BF|P}@|00 AB AB AB EB 0D|"; reference:url,www.viruslist.com/ru/viruses/encyclopedia?virusid=24659; reference:url,www3.cai.com/securityadvisor/virusinfo/virus.aspx?ID=30328; classtype:trojan-activity; sid:9395; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.n smtp propagation detection"; flow:to_server,established; content:"UwFU9VVzpIrXAls0zlhDNOHldmMULkXDsJRNQZiPekC47DW5vF9mS3gKhBe2I0JSPouRMRBl|0D 0A|w8AJvAcDlRprEHbYgf+GOmWVzZa5XNbrM7AlDCyZfmBiCbABUFgAlCxXE2JRonBJRXLSoLAA"; metadata:service smtp; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=45593; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FBAGLE%2EN&VSect=T; classtype:trojan-activity; sid:9394; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.k smtp propagation detection"; flow:to_server,established; content:"RcJ0RFKbuZlqeaaoQ76D0Tf6ESD+RgjrN6QDtvvsvNXbR6BlXZviaG3d1NJtmU++UEmRCixX|0D 0A|RCaDz8IzdWIidAq1dzJwwTvIJglu/0IQwX8WrLD6EheQRlQhil5PQbv9oC3Y0HgAfIERnIb5"; metadata:service smtp; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=45304; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EK&VSect=T; classtype:trojan-activity; sid:9393; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.j smtp propagation detection"; flow:to_server,established; content:"AFM8bJHtPFvDEkEXcUExflY49kR1cEEIUkM9CVRyaW0/TddNAkkvfRRVUkxRaCWgRLFeZa2d|0D 0A|ppsmHIgcP6Qp8ve2TB1lRQtVcHAiPE23aXCUdGYrkyxJZUtwfXxuCusU7RVxrDNuboGBhT0s"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-030214-1700-99&tabid=2; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EJ&VSect=T; classtype:trojan-activity; sid:9392; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.i smtp propagation detection"; flow:to_server,established; content:"A8Hjz"; content:"A8Hjz1XwgeLbymX/OMH6BAnTW4NTKTT7VvYLxgQ+PRHBjYpIBpIj7OxkWZbl8A8C7MD+SqZkBhTr|0A|VP9NDD+w5chL7D866BN1I2Vn7giaB2cqOQ1LZIaFNwpjlXTaJQ+TCqW4q6H"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32mimaili.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-111317-1701-99&tabid=2; classtype:trojan-activity; sid:9391; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.d netshare propagation detection"; flow:to_server,established; content:"E|F4 00 00 00 00 8B 8D E8 FB FF FF 89|M|F0 EB 09 FF 15|dsB|00 89|E|F4 83|}|F0 00|uy|83|}|F4 00|t,|83|}|F4 05|u|15 C7 05|DVB|00 09 00 00 00 8B|U|F4 89 15|HVB|00 EB 0C 8B|E|F4|P|E8|*I|00 00 83 C4 04 83 C8 FF EB|P|8B|M|08 C1 F9 05 8B|U|08 83 E2 1F 8B 04 8D|@nB|00 0F BE|L|D0 04 83 E1|@|85 C9|t|0F 8B|U|0C 0F BE 02 83 F8 1A|u|04|3|C0 EB 22 C7 05|DVB|00 1C 00 00 00 C7 05|HVB|00 00 00 00 00 83 C8 FF EB 09 8B|E|F0|+|85 E0 FB|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=24653; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=30322; classtype:trojan-activity; sid:9390; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.i smtp propagation detection"; flow:to_server,established; content:"H3Vi96OpogVHcLpTQXO9Nsx0cnR1FCErIXOpKbYFbDzudjBsaQIXui4IaYZfDmRymAFceHlQ|0D 0A|RUwBBGJkRWT5f0ie4AAPAQsBBQwAMlZy9r13ED8EMA1ACwIn3SzYBDMHDMA9b2BnsYMeNBAH"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/bagle_i.shtml; reference:url,www.sarc.com/avcenter/venc/data/w32.beagle.i@mm.html; classtype:trojan-activity; sid:9389; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.g smtp propagation detection"; flow:to_server,established; content:"VdBjl"; content:"VdBjlpmHLVfqaPUitmytmlPwIiJiViqPhDwHsP8fO2CDfCpkZVVqQCfFgXUtB+gfgDUcrZZOjpqX|0A|l20NIkQDEwEOAOwgy2VA5OSAJBx7JeRs391cnLJAlivkZdzcmZBvNipSWthsl41k2B3UrdTsguvQ"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-110414-0646-99; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=37467; classtype:trojan-activity; sid:9388; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.j web propagation detection"; flow:to_server,established; content:"1|03|3-|3B|+|B5 23|!|03 E9 0B 03 23 23|5i9|23|1|3B 19 B5|/73|B5|9?|E9 1B|+|1B|+i|07|%/|B5|/73|B5 01 07 E9|+|01|7|1D|i|8D 9B 8B 8B B5|5|23 01 E9|+5|01 3B|i9|23|1|3B 19 B5|/73|B5|9?|E9|'|0D|+|09|9i9|23|1|3B 19 B5|/73|B5|9?|E9 0F 01 0D 23 23 01|i|05 23 0D 3B 1D|75|B5|5|23 01 E9 0F|+5|3B|i|8D 9B 8B 8B B5|5|23 01 E9|=+?|1B|i|01 23 0D 0D|+|B5 23 0F E9|"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=376; classtype:trojan-activity; sid:9387; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.f smtp propagation detection"; flow:to_server,established; content:"LkRMTAAAAEdldFByb2NBZGRyZXNzAAAATG9hZExpYnJhcnlBAAAARXhpdFByb2Nlc3MAAABW|0D 0A|aXJ0dWFsQWxsb2MAAABWaXJ0dWFsRnJlZQAAAE1lc3NhZ2VCb3hBAAAAAABqe5M2t6ajjak1"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/bagle_f.shtml; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=45199; classtype:trojan-activity; sid:9386; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER collo.a smtp propagation detection"; flow:to_server,established; content:"UP8VWBIAAYPEDI1FoFBoAgEAAP91cP8VVBIAAf91cP8VUBIAAenf/v//aHQTAAFqCv81XIAAAf91|0D 0A|eOsTi0V8aHQTAAFqDP81XIAAAf9wDP8VCBIAATPAX15bg8VoycIQAFeLfCQMM8CD/wF2U1aLdCQM"; metadata:service smtp; reference:url,www.emsisoft.com/en/malware/?Worm.Win32.Collo.a; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=23787; classtype:trojan-activity; sid:9385; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER beglur.a smtp propagation detection"; flow:to_server,established; content:"bszmmP1TlDRGFDA1uDG1GyF3fw7zQae3hTJk7dtK0xmjv339SvtDPLhswsFAGUQX34naqqcKxEjp|0A|yns2FwCn9oiRtoiyYFfwAsT6v/2SvioeIkj2WAb6lQoNyzLUhbQtpekiV9ZUpOW2u4Lv73FPrkud"; metadata:service smtp; reference:url,www.hacksoft.com.pe/virus/w32_beglur_a.htm; reference:url,www.viruslibrary.com/virusinfo/I-Worm.Beglur.a.htm; classtype:trojan-activity; sid:9384; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.y smtp propagation detection"; flow:to_server,established; content:"SzXgMkNWL9sVG+tK+PAvoGAHIBs6uGCk+LimunCOdVZetTLfshMihnVwSZSOMgbeJ1nQ2VuH|0D 0A|OE0A6SCpjgS431+O+Uwr0hbFwC0Tt9gjk5n006G2DLQ93fwnPbO2fmzcaPYFYNhTijcHgc6u"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32netskyy.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-042011-2621-99&tabid=2; classtype:trojan-activity; sid:9383; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER fearso.c smtp propagation detection"; flow:to_server,established; content:"W4niV2CNlkzNbJ91T1IgkFpIUag2/cL3Sy5za4C8BhwOwEDr72oCP3sBuUkp0D0NoEh1djz3tvfr|0D 0A|PY2GLMgIGNbPfqP9LTUUqLLXdKC4DoH+8FHNt922QnUL9OtN9dKAdLrOtrM5zrElF1Bw9RA101DY"; metadata:service smtp; reference:url,www.sophos.com/security/analyses/w32noferc.html; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=35646; classtype:trojan-activity; sid:9382; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lara smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Lara Wallpaper Download Software"; distance:0; nocase; content:"I found on the net a new interesting software about Lara Croft"; nocase; metadata:service smtp; reference:url,www.sophos.com/security/analyses/mirclara.html; classtype:trojan-activity; sid:9381; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"MALWARE-OTHER jitux msn messenger propagation detection"; flow:to_server,established; content:"http|3A|//www.home.no/"; nocase; content:"/jituxramon.exe"; distance:0; nocase; reference:url,vil.nai.com/vil/content/v_100931.htm; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-123116-3525-99&tabid=2; classtype:trojan-activity; sid:9380; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.s smtp propagation detection"; flow:to_server,established; content:"xAJ2g9vb5s6MgEwifAAA99d2k9vrFPl057JOQIiRxvTw54r4l64U/qrFiXxGSJOoS9u77/mo|0D 0A|T/01iESEpu/wemHvlfNyYs+hogBpkojHr6r1w6r5OLdqdovbvwQmcoqsu7aPznGT+6qsCYET"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/netsky_s.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-040512-2436-99&tabid=2; classtype:trojan-activity; sid:9379; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.q smtp propagation detection"; flow:to_server,established; content:"Zacc/sWcQrpGNGbPzJedST7hJMXZJVKNy7LLBP2V90UwX7IHSyhFxPPTlRpdlJtxYLAU3s+E|0D 0A|ekcFyTLIwRYHVjWm16JZXIxAhQROCT/c+L5SU8juIBBaGTg21xUr52qxnAfzmZdzLksQUE+0"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32netskyq.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-032913-5722-99&tabid=2; classtype:trojan-activity; sid:9378; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mydoom.g smtp propagation detection"; flow:to_server,established; content:"B0QnUGCDNE08WiwoB4MNMsggGBAnBHf27GA//CMX7CNH5A/y7CBNQdTAI5e4I0jTDHaoB5xkkCCD|0D 0A|DTaIF4QvfIMNMth0H2xkB1wMMsggVExEMthgg0B/MEco0jSDDRwPFFoIybODDQAH/CIv9CLBXjPY"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mydoom_g.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-030213-0918-99&tabid=2; classtype:trojan-activity; sid:9377; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER fishlet.a smtp propagation detection"; flow:to_server,established; content:"AAACAAAAQAAAAAQAAAANAAoAAAAAABgAAABcAGYAaQBzAGgAbABlAHQALgBiAGkAbgAAAAAAVgAA|0D 0A|AFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASQBuAHQAZQByAG4AZQB0ACAA"; metadata:service smtp; reference:url,www.sophos.com/security/analyses/w32fishleta.html; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=12285; classtype:trojan-activity; sid:9376; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER duksten.c smtp propagation detection"; flow:to_server,established; content:"+QAEAE1FhFEAAaABBIAD/VCMgIADcAAAABJnSlP+aThqAAKRKqKioqDQAAABA|0D 0A|Q/hAAQDQfAIgACn/KoVAQACjzQ0IAE0AocDVAACa//81cw0IAP9RJUBAADNaKVL/qebQEAAaEtAQAP+opCAgAIUMdAYaEtAQAP+oxCAgADSQGoAA/xXkICAAQJ5EiAgA"; metadata:service smtp; reference:url,www.hftonline.com/forum/archive/index.php/t-11044.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-122016-4223-99&tabid=2; classtype:trojan-activity; sid:9375; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER creepy.b smtp propagation detection"; flow:to_server,established; content:"i8iFyXUFM8BeW8OhUIREAIkBiQ1QhEQAM9KLwgPAjUTBBIseiRiJ|0D 0A|BkKD+mR17IsGixCJFl5bw5CJAIlABMOLwFNWi/KL2Oid////hcB1BTPAXlvDixaJUAiLVgSJUAyL"; metadata:service smtp; reference:url,vil.nai.com/vil/content/v_112739.htm; reference:url,www.emsisoft.com/en/malware/?Email-Worm.Win32.Creepy.b; classtype:trojan-activity; sid:9374; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER clepa smtp propagation detection"; flow:to_server,established; content:"S|23|L1GP]U%A!BA-RBY5.|0A|ME>|24|20PNL^|3A|79|24|U|3A|1'G`.+BZ6VD,4|5C|Q,T?!TID7%|3A|+T-SH5|23|K.7|24|^|22|G|5C|]NQ|22|=|0A|M'BUUUU@|5C|MBZ_D[^]<&L6R0/2B|3A|@8|23|!T`"; metadata:service smtp; reference:url,vil.nai.com/vil/content/v_120502.htm; reference:url,www.logiguard.com/spyware/i/i-worm-clepa.htm; classtype:trojan-activity; sid:9373; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER blebla.a smtp propagation detection"; flow:to_server,established; content:"JfzwQACLwP8lnPFAAIvA/yWY8UAAi8D/JZTxQACLwP8lkPFAAIvA/yWM8UAAi8D/JYjxQACLwFOD|0D 0A|xLy7CgAAAFToYf////ZEJCwBdAUPt1wkMIvDg8REW8OLwP8l+PBAAIvA/yX08EAAi8D/JfDwQACL"; metadata:service smtp; reference:url,vil.nai.com/vil/content/v_98894.htm; reference:url,www.sophos.com/security/analyses/w32bleblaa.html; classtype:trojan-activity; sid:9372; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.e smtp propagation detection"; flow:to_server,established; content:"ndAzKAZ0SFmzPdMu6kksSBpMnHn8vHAZLueGBstFWTfqLp3bQgJcaVOxM0W4oc81kinf/QiC|0D 0A|+bYxBaedDbd49u4ktkyUTrFK2ic8FKQI9pXU8vrTcz6RnwRxwAqTRZrKIhN6nL2ivbJIRTmf"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32baglee.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-022809-3232-99&tabid=2; classtype:trojan-activity; sid:9371; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.b smtp propagation detection"; flow:to_server,established; content:"22cYrYFsp1tV//KXbPbtRRQ4EnUCswFdIl62BQ6BxjtHcmMEwQ573GF0vGNi9B8wPXivfVoL|0D 0A|N9j04cZWzkL7aT31JBRq3/LZM/lJiQo0hUcu9GPvsGExeAQ1eAxsh/8gV4B9/iB1C7h0dRD3"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/bagle_b.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-021713-3625-99&tabid=2; classtype:trojan-activity; sid:9370; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER atak.a smtp propagation detection"; flow:to_server,established; content:"OwT4dgXDeVgnYHMODdBsTCbwmeciQpDLT1c3bLF1CDPoOT4eiUYEQgtW6Dyq/V0eWdlNFpXqMULp|0D 0A|QSWsmyBXNyoMu5xxWfoEcA/D8fxQV4hosCndivKbkCHoTCa6MLVnCwngBJFJlBHr7ka36Cpo/Mib"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/atak_a.shtml; reference:url,www.sophos.com/security/analyses/w32ataka.html; classtype:trojan-activity; sid:9369; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER agist.a smtp propagation detection"; flow:to_server,established; content:"0ZpkFIcReXCdLfAeEs4k5jglICV+BEij4zH+Xi5QwyfgLb+rO0XnE1xMuyBdVbgW95IPgAVLAnSC|0D 0A|g/5gJes8k0qLVgSAmSvKuNMATWIQ9+HB6gYajUIFsMBdgfogIBxSfyxQ0g6YSxpQiQ8WSQnT55rV"; metadata:service smtp; reference:url,secunia.com/virus_information/10752/agist.a/; reference:url,www.sarc.com/avcenter/venc/data/w32.agist.a@mm.html; classtype:trojan-activity; sid:9368; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER anset.b smtp propagation detection"; flow:to_server,established; content:"i9iF2w+EggAAAItrCIvFA0MMi9CNDDcr0YP6DH8Ei/gr/ovGK8WD+Ax9FI1M|0D 0A|JAGL1itTCAPXi8Xoxfv//+sRjUwkAYvXg+oEjUYE6LL7//+LbCQBhe10NIvV"; metadata:service smtp; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/199/worm_anset.b.html; reference:url,www.bullguard.com/virus/default.aspx?id=51; classtype:trojan-activity; sid:9367; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.s smtp propagation detection"; flow:to_server,established; content:"AAAAAAAAAAx|0A|AMBAi0wkBPdB5gbhjwJ0D69ErgiOVIAQiQK4A8Ejw1NWV78nh1Bq/mgOzkADZP81Yi0OiSUTOj Ug|0A|MFhgcAyDHv7/dNw7//HsGgONNHaLDLNkqzBID3x"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mimail_m.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimailm.html; classtype:trojan-activity; sid:9366; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER cult.c smtp propagation detection"; flow:to_server,established; content:"wJ0D69ErgiOVIAQiQK4|0D 0A|A8Ejw1NWV78nh1Bq/mgOzkADZP81Yi0OiSUTOjUgMFhgcAyDHv7/dNw7//Hs|0D 0A|GgONNHaLDLNkqzBID3xOBAF11/9U3/Dr0WQojwU2AIPEDF9eW8NVN4nlu2dq"; metadata:service smtp; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/72/worm_cult.c.html; reference:url,www.sophos.com/security/analyses/w32cultc.html; classtype:trojan-activity; sid:9365; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.e web propagation detection"; flow:to_server,established; content:"|F2 99 00 00 03|+|16|-|A8 90 BA 8A 9A 29|0PH|80|@8` Z|00 08 80|+|A0 80 00 00|X|29|h|00|H`|E8|Z0P@Zhp+|E0| |E0| |29 90 18|0Z0P@Z|88 90|+ |88|P|F8 29 BA E2 A2 A2|ZX|00 88|+ X|88|`|29|h|00|H`|E8|Z0P@Zhp+|10 B8| |A8|h|29|h|00|H`|E8|Z0P@Zhp+|B0 88 B8 00 00 88 29 98 00 B8|`|F8|PXZ"; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2; classtype:trojan-activity; sid:9364; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.d web propagation detection"; flow:to_server,established; content:"agzyrywelb@igdupgdu.fgs|00|klgfp@yswma.fgs.fd|00|pyaab@igdupgdu.fgs|00|rywelb@163.fgs|00|bwdbwd@yswma.fgs.fd|00|ca1980@163.fgs|00|lmlm@igdupgdu.fgs|00|"; metadata:service http; reference:url,www.sophos.com/security/analyses/w32klezd.html; classtype:trojan-activity; sid:9363; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.m smtp propagation detection"; flow:to_server,established; content:"f+xt2OHdR5d|0A|oYEgACjEdRRHXvYmP9iDPXUL7TXuZkm+6wfHeTAGsEn3sfxyGYt9/GE5yHe7tcZ/Hhj4ORt835ps|0A|Mx+zk+UMO/RnXp7d+QBQQEz4gFL098fbv+3/G3"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mimail_m.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimailm.html; classtype:trojan-activity; sid:9362; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.l smtp propagation detection"; flow:to_server,established; content:"Subject|3A| Re[2]"; nocase; content:"Hi Greg its Wendy."; distance:0; nocase; content:"I was shocked, when I found out that it wasn't you but|0D 0A|your twin brother!!!"; distance:0; nocase; content:"name=|22|wendy.zip|22|"; distance:0; nocase; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mimail_l.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimaill.html; classtype:trojan-activity; sid:9361; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER cult.b smtp propagation detection"; flow:to_server,established; content:"HgAAAAAAAAAAAAAAAAAAQAAA|0D 0A|wDEuMjIAVVBYIQwJAgkUTDlhQxNezL9kAACkGQAAIEAAACYAABn+//L/McBA|0D 0A|i0wkBPdBBAYAdA+LRCQIi1QkEIkCuAO5/3fvEMNTVlc"; metadata:service smtp; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/72/worm_cult.b.html; reference:url,www.sophos.com/security/analyses/w32cultb.html; classtype:trojan-activity; sid:9360; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER zafi.b smtp propagation detection"; flow:to_server,established; content:"ogoKgD0WhnQSv/XEJq4JCv4wgevPaFDDmyXYndHSgSQEAaqXBpIrHzOgDxW/HTNqUNgsI75gYINA"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/zafi_b.shtml; reference:url,www.sophos.com/security/analyses/w32zafib.html; classtype:trojan-activity; sid:9359; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER fizzer smtp propagation detection"; flow:to_server,established; content:"i8Zew4tMJAQzwDgBdAdAgDwIAHX5w1WL7ItFDFOLXRRWVzP/M/aJRQyFwIldFHUM/3UI6Mz///9Z|0D 0A|iUUMhdt1DP91EOi8////WYlFFItFFDlFDHdqg30YAHQjhcB2Uzt1DHNTi00Qi1UIigwPOgwWdQNG"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32fizzera.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-050821-0316-99&tabid=2; classtype:trojan-activity; sid:9358; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.r netshare propagation detection"; flow:to_server,established; content:"=X|A2|/|EF D1 BD C2 EB|0|5C 98|U|1A 08|c|AE|0|F1 06 C4 0B|m|D2 84|W|08|Z/|AD 02 0D|t|12|/|DA D7|>|C6|<|B2 DD 85 18 CF|,1j|8A F0 CF|Z|A4|`|87 D4|NP|89|@|F2 14 23 B8|R9|BF 0C B6 84|f|29 BA 02 0D F0 1D F6 B6|5C|04|n|99 10 BE 1D|j|0A DF 9A|P|BC CE DC C0|R9FlPT|BD CF|f|D4 CF F7|b|99 DD 8A 00 F0 E9 14|~b|9B EF C4 0C 24 96|,|14 89 D7|"; reference:url,www.sophos.com/security/analyses/w32debormr.html; classtype:trojan-activity; sid:9357; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.q netshare propagation detection"; flow:to_server,established; content:"|AB B4|+|F6 04 19 B8 9F CB|t|24|HpR|04 A6 8E|R|17 B1 7F 8A 1E|z|12 8C B8 0C|aVM|81 7C|0|AC|8|BA B5 EE 1A|B|9B|a*xe@|D1|q8|22|T|B7|.`|11 E0|iQ}|C7 CA C1 81 D9|i|B7 A4|C|BE|0|23|2X|9A DF 5C 3B|v|12 CC| |80 AD 7C|cT|19|.|AE|!|8E F8 84|R|F5|1n|D7 1B|8|E8 B0|<U1F|BE B7 16 8B 89 17|Z2|B0 ED|%ED|C4 07 8B B6 CF 92 B2 22|"; reference:url,www.sophos.com/security/analyses/w32debormq.html; classtype:trojan-activity; sid:9356; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.u netshare propagation detection"; flow:to_server,established; content:"|A3|Hp@|00 81|=Hp@|00 F0 00 00 00|~|0A C7 05|Hp@|00 0A 00 00 00|j|0A 8D|M|F0|Q|8B 15|Hp@|00|R|E8 E1|L|00 00 83 C4 0C 8D|E|F0|P|8B|M|08|Q|E8 DB 0D 00 00 83 C4 08|hlp@|00 8B|U|08|R|E8 DA 0D 00 00 83 C4 08|j|0A 8D|E|F0|P|8B 0D 90|{@|00|Q|E8 AB|L|00 00 83 C4 0C 8D|U|F0|R|8B|E|08|P|E8 B5 0D 00 00 83 C4 08|hpp@|00 8B|M|08|Q|E8|"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.U; classtype:trojan-activity; sid:9355; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.y netshare propagation detection"; flow:to_server,established; content:"|B7 D6 B6 3B|?X4|00|h|94|[h|8F B3 B3|u@|80|*|0C|F|05 29 B3|=|CE|J|19|8V|EF 1E 10|n|90 9A|1|08 08|^X|A0 3A B6 D7|Kn^d|FE 85|h|9D|%|18|d|B7 E0|n|83 BD|x|0C|Lw|9E|`|FD|%Yr+?4|FC|y|24 07 F6 A3|Y|A4 C4|`|FD B6 06 C9 03|d|FE F3|d|8E 91 C6 DE|O|9C|jP[|90 AF 91|j|BA|{|C6|p|13 C4 8A 80 10 8B|@|0C|w|AB D5|P|FF 96|w|C2 10 04|"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.Y; classtype:trojan-activity; sid:9354; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.x netshare propagation detection"; flow:to_server,established; content:"0@|00 0A 00 00 00|SV|8B|5|A8| @|00|W|8D|E|F0|j|0A|P|FF|5|28|0@|00 FF D6 8B|]|08 8D|E|F0|PS|E8 9D 08 00 00 BF|L0@|00|WS|E8 8B 08 00 00 8D|E|F0|j|0A|P|FF|5|D0|2@|00 FF D6 8D|E|F0|PS|E8|s|08 00 00|WS|E8|l|08 00 00 8D|E|F0|j|0A|P|FF|5|D4|2@|00 FF D6 83 C4|D|8D|E|F0|PS|E8|Q|08 00 00|WS|E8|J|08 00 00 8D|E|F0|j|0A|P|FF|5"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.X; classtype:trojan-activity; sid:9353; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lovgate.a smtp propagation detection"; flow:to_server,established; content:"+3UubBZU6QPutdRcZrPEvAZmzZcNakN47VPYbNzc7Nrua2tqc5hULfvf2fjX3Ec6W|0D 0A|bgNaUl7vgcZCDx77BhbeP1Jav5WWRj/8Tjd7mGGE798zp8rczW6tVaQvEyw5Ww3WpU0MwG5nq6G5"; metadata:service smtp; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=22549; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=31576; classtype:trojan-activity; sid:9352; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"MALWARE-OTHER lovgate.a netshare propagation detection"; flow:to_server,established; content:"M|D5 15 80 85 D9 1C 92|zE|3B|iy|C7|2|97|8|14|/8q|1B DA|^R|DA 15|- A|80|T|BC|EJ|A3 C1 AD 8F|+ya|D9 1B|e|A3|B5|29 BB EE EE C3 D9 15 B3|U|B7 B4|os|3A AF|?|87|s|05 CE E7|rC/{|80|^r|F6|@yY|05 BC|f|83 F8 90 AF 17|d|15 24 83|i|9B 06 A6|H<|A6|H|15 99 22 DA E6 C0 E5|2E|E5|2A|B5 C2|+|5C 90|Za|F8|[|92|@L |FE|0|90|W|01 FC E5|^|DE BF FF FF E9 F7 CF|<|F9 F3 EF|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=22549; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=31576; classtype:trojan-activity; sid:9351; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.k smtp propagation detection"; flow:to_server,established; content:"QIi1QkEIkCuAMAAADDU1ZXi0QkEFBq/mgAEEAAZP81AAAAAGSJJQAAAACLRCQgi1gIi3AM|0A|g/7/dCA7dCQkdBqNNHaLDLOLTCQIi0gMg3yzBAB11/9Uswjr0WSPBQAAAACDxAxfXl"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mimail_k.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimailk.html; classtype:trojan-activity; sid:9350; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER plemood smtp propagation detection"; flow:to_server,established; content:"+FVQACNg1tXQABQV7hVQed3/9BWV7guaud3/9ALwHQW6IkPAADotxQAAOjqFAAA/7NPVkAAw42DZVVAAFBqAGoAuMTC53f/0I2DWVBAAGoAagBTUGoAagC4N6znd/"; metadata:service smtp; reference:url,www.2-spyware.com/remove-i-worm-plemood.html; classtype:trojan-activity; sid:9349; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER morbex smtp propagation detection"; flow:to_server,established; content:"X3uiXQhvcqrqewRXAmwUkkt+UZVKSCEfAJD16IpxOluoZPgwsCe6T1GNq38tD7G1LQylWfNIZQMc|0D 0A|9sKWsKp24Yz3UxXUVnc++jxshJFqXMM2hAlWyzoRY39o9hbXxNVHGfm7emXOlh8fZP2CLWIe1AHv"; metadata:service smtp; reference:url,www.www.f-secure.com/v-descs/morbex.shtml; classtype:trojan-activity; sid:9348; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"MALWARE-OTHER klez.b netshare propagation detection"; flow:to_server,established; content:"lwlw@21fd.fgs|00|lgsr@21fd.fgs|00|Wtzmkyj1978@21fd.fgs|00|wtzmkyj@bdswma.fgs|00|owfp@bdswma.fgs|00|lgs@bdswma.fgs|00|rywelb@bdswma.fgs|00|gebwduff@21fd"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2; classtype:trojan-activity; sid:9347; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.b web propagation detection"; flow:to_server,established; content:"lwlw@21fd.fgs|00|lgsr@21fd.fgs|00|Wtzmkyj1978@21fd.fgs|00|wtzmkyj@bdswma.fgs|00|owfp@bdswma.fgs|00|lgs@bdswma.fgs|00|rywelb@bdswma.fgs|00|gebwduff@21fd"; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2; classtype:trojan-activity; sid:9346; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER kipis.a smtp propagation detection"; flow:to_server,established; content:"xfs9Znq3mJL1CnQXg0epFP4RHBO0n6naXaPhHWdmQaxirccYvMqyYqxiVpY//VZeM7veQEB19ehg|0A|YFK0if9HLNsz9SBqjj/QOGh01hINh2u4f6VGfrwbNSTdzqkjQnZKcB1Ind/UezfRD6KGUHmZkXfy"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41312; classtype:trojan-activity; sid:9345; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER kindal smtp propagation detection"; flow:to_server,established; content:"LUiv0xc0fDsKfdy6TB2EYeFCZcNNW9Fcgwxvsi/DSNbYGn8xV1NBSNxudS4jtCC5C7sLb3Ox|0D 0A|0DUKCK6zY6tuhRdoiOEtaER0YnkD4HJsDytowG4HfAwFd6v4YW9h1I54fvsQwTeyUEUGTAEG"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-073016-2910-99&tabid=2; classtype:trojan-activity; sid:9344; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER kadra smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Bin Ladenov zivot"; distance:0; nocase; content:"filename="; nocase; content:"Bin Ladenov zivot"; distance:0; nocase; metadata:service smtp; reference:url,www.kaspersky.com/news?id=260&ipcountry=CA#kadra; classtype:trojan-activity; sid:9343; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER paroc.a smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"PROSAC"; distance:0; nocase; content:"DQoJV2Vs|0D 0A|Y29tZSB0byBQUk9TQUMgKG11bHRpbWVkaWEgcGFjaykNCgkt"; metadata:service smtp; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=W32.Paroc.Worm&threatid=53258; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-061121-1025-99&tabid=2; classtype:trojan-activity; sid:9342; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9996 (msg:"MALWARE-OTHER sasser open ftp command shell"; flow:to_server,established; content:"cho off"; depth:7; nocase; content:"cmd.ftp"; distance:0; nocase; content:"_up.exe"; distance:0; nocase; reference:url,www.sophos.com/virusinfo/analyses/w32sassera.html; classtype:trojan-activity; sid:9341; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.i web propagation detection"; flow:to_server,established; content:"E|5C 05|]d|9E|Z<s-d1`/d0j3d3q4k2ank-v.k/`.k.f5kn7.d+r4v>d3cpv|29|cpu/e|E6|"; metadata:service http; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=11837; classtype:trojan-activity; sid:9340; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.g web propagation detection"; flow:to_server,established; content:"|0A 08|P|D8|{|18|0|D8 D8 18|Py80|D8|P|18 0A 08|P|D8|{@0@0y8P|18|0|B8 0A|`|00 10 0A|8 {hP|D8|y8P|18|0"; metadata:service http; reference:url,www.sophos.com/virusinfo/analyses/w32klezg.html; classtype:trojan-activity; sid:9339; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mydoom.i smtp propagation detection"; flow:to_server,established; content:"LjI2BDAAorXCxzNJTUVPLDRQ04B9WAN1VEJ5QE1mwWlkOx4gVjm42kp3LOx0Ni1UeepAb S3soFBE|0D 0A|2eN0L/d4UADTtkc7IQkKO a/NWrhyPSJSInMFcbG2vdotVqfZNTFPGIKG5hzoQwecasmOtdZACjEX"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mydoom_i.shtml; classtype:trojan-activity; sid:9338; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.x smtp propagation detection"; flow:to_server,established; content:"g8QMhcB1Fv////+DffwCdA5qZP8VYHBAAEaD/gJ81jPAXsnD|0D 0A|i0QkDIHsKN5+97cBKlNVVos1bB1XM+1oABAQVccA7d9s7xYA/9ZQNWiL2DvdD4RWAhL2N7f2|0D 0A|ahFqAgEV"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/netsky_x.shtml; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.X; classtype:trojan-activity; sid:9337; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.t smtp propagation detection"; flow:to_server,established; content:"MS4yNAC20aXJDAkCCFGoGZhQ27pRMAYDAAE/AAAAfAAAJgUAOP//|0D 0A|//9Vi+yLRQxWV4t9CDPSM8kz9oA/AHQpU2oBWyvfiV0Iivf/7f8fgPsudQyIDAKLVSDJA9fr|0D 0A|BYhc"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/netsky_t.shtml; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.T; classtype:trojan-activity; sid:9336; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.b smtp propagation detection"; flow:to_server,established; content:"0UMVleLfQgz|0D 0A|0jPJM/aAPwB0KVNqAVsr34ldCIr3/+3/H4D7LnUMiAwCi1UgyQPX6wWIXAYBQUZHJ/v/bXd1|0D 0A|4VsYgGQPAI1GAV9eXcOLRCQIU0xv/3+7fCQQTYH6AAgAAH06D7YIhc"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-021812-2454-99; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.B; classtype:trojan-activity; sid:9335; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lovgate.c smtp propagation detection"; flow:to_server,established; content:"TeRqfPMR5vXWeeZ2NfAaLY1DVPPPFiBi5r34VPgF8sIEpG0shzV4b30euDVoQer6QFQy78snUIPq|0D 0A|EWuSIUAv+OGl1QNYkJXTV5/HzOViMIBfVAY2WQpM6/DVgZ5n8h0ILVu+fjHF1MpcoGgQjIjsDs68"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/lovgate.shtml; classtype:trojan-activity; sid:9334; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.e smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"don't be late!"; distance:0; nocase; content:"gBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAA|0A|AABQRQAATAEDAEKhoz8AAAAAAAAAAOAADwELAQI3ADAAAAAQAAAAIAcA0FIHAAAwBwAA"; pcre:"/^Subject\x3A[^\r\n]*don't\sbe\slate!/smi"; metadata:service smtp; reference:url,www.sarc.com/avcenter/venc/data/w32.mimail.e@mm.html; reference:url,www.sophos.com/virusinfo/analyses/w32mimaile.html; classtype:trojan-activity; sid:9333; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.a smtp propagation detection"; flow:to_server,established; content:"g8QMX15bw1WJ5VNWV1VqAGoAaJIQQAD/dQjoVkYAAF1fXluJ7F3D/FWJ5YPs|0A|CFNWV1WLXQyLRQijMEBHAIkdNEBHAPdABAYAAAB1colF+ItFEIlF/KM0QEcAjUX4iUP8"; metadata:service smtp; reference:url,www.sarc.com/avcenter/venc/data/w32.mimail.a@mm.html; reference:url,www.sophos.com/virusinfo/analyses/w32mimaila.html; classtype:trojan-activity; sid:9332; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mydoom.m smtp propagation detection"; flow:to_server,established; content:"lo5vuBR4VSCJ1pbUTU2ox8gc4A7MEBs3U817uUY7ImH0QRZX+0j2rTCxLjEuMiWWIIQOBqYHIChO|0D 0A|szw6IGwkHhEcctMplAHMtW17PTAB6V1wlG2EO/ggyW8ZTQYiUQdbzhMuIwM4aEvQxSUDthPd7S6"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mydoom_m.shtml; classtype:trojan-activity; sid:9331; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mydoom.e smtp propagation detection"; flow:to_server,established; content:"o/lN3R5KdgmabpkbqcebrJGVMv/b3+ITcXF4dYrKKEjm3bi1PPcb8ZqKgf//hf6sWTRLdExjstH/|0D 0A|x69YBOSAkClWPEs4oEv//3+BfjW9C702c15JmOUe8W2ey1TAvxOujvc6/7/1/0UA4y/RTfLKo95+"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mydoom_e.shtml; classtype:trojan-activity; sid:9330; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER zhangpo smtp propagation detection"; flow:to_server,established; content:"zhangpo"; fast_pattern:only; pcre:"/^X-Mailer\x3A[^\r\n]*zhangpo/smi"; metadata:service smtp; reference:url,www.spywareremove.com/removeZhangpo.html; classtype:trojan-activity; sid:9328; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.af smtp propagation detection"; flow:to_server,established; content:"QWxldmlydXMgTmV0U2t5LWIgQ3JhY2tlZCBBbmluaGFBTUFWQyE"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/netsky-af.shtml; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AF; classtype:trojan-activity; sid:9327; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.p smtp propagation detection"; flow:to_server,established; content:"Yid5ICdT|0D 0A|J2sneSdOJ2UndCcuJ0MnWicgJ0MnbydyJ3AqJwAAJ0QncidvJ3AncCdlJ2QnUydrJ3knTidl|0D 0A|J3QnACdTJ2sneSdOJ2UndCdGJ2knZydoJ3QncydCJ2EnYydrAAAAAHVzZXJj"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-032110-4938-99&tabid=2; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNETSKY%2EP&VSect=T; classtype:trojan-activity; sid:9326; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger nicespy runtime detection - smtp"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"JMail"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Dimac"; distance:0; nocase; content:"NiceSpy's"; nocase; content:"email"; distance:0; nocase; content:"assistant"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*JMail[^\r\n]*by[^\r\n]*Dimac/smi"; pcre:"/^NiceSpy\x27s\s+email\s+assistant/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097309; classtype:successful-recon-limited; sid:8544; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware deluxecommunications runtime detection - display popup ads"; flow:to_server,established; content:"/ip"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"pck_id="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"info="; nocase; http_uri; content:"link="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"media.dxcdirect.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*media\x2Edxcdirect\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453099974; classtype:successful-recon-limited; sid:8543; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware deluxecommunications runtime detection - collect info"; flow:to_server,established; content:"/requestimpression.aspx"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"host="; nocase; http_uri; content:"Host|3A| media.dxcdirect.com"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453099974; classtype:successful-recon-limited; sid:8542; rev:14;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger netobserve runtime detection - remote login response"; flow:established,to_client; content:"Server|3A|"; nocase; http_header; content:"NETObserve"; nocase; http_header; pcre:"/^Server\x3a[^\r\n]*NETObserve/smiH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=354; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073490; classtype:successful-recon-limited; sid:8467; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger netobserve runtime detection - email notification"; flow:to_server,established; flowbits:isset,NETObserve_SMTP; content:"NETObserve"; nocase; content:"Requested"; distance:0; nocase; content:"Information"; distance:0; nocase; pcre:"/^NETObserve\s+Requested\s+Information/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=354; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073490; classtype:successful-recon-limited; sid:8466; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger netobserve runtime detection - email notification"; flow:to_server,established; content:"From|3A|"; nocase; content:"NETObserve"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*NETObserve/smi"; flowbits:set,NETObserve_SMTP; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=354; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073490; classtype:successful-recon-limited; sid:8465; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware duduaccelerator runtime detection - trace login info"; flow:to_server,established; content:"/login_cn.html"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dddlogin.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dddlogin\x2Edudu\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2550; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969; classtype:successful-recon-limited; sid:8463; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware duduaccelerator runtime detection - trace info downloaded"; flow:to_server,established; content:"/rep/dlinfo.html"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"page="; nocase; http_uri; content:"product="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dddrep.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dddrep\x2Edudu\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2550; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969; classtype:successful-recon-limited; sid:8462; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware duduaccelerator runtime detection - send userinfo"; flow:to_server,established; content:"/ddd2/report_userinfo.asp"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ddduser.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ddduser\x2Edudu\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2550; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969; classtype:successful-recon-limited; sid:8461; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send alert out through email"; flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy"; nocase; content:"Alert"; distance:0; nocase; pcre:"/^SpyBuddy\s+Alert/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=21; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719; classtype:successful-recon-limited; sid:8357; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send log out through email"; flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy"; nocase; content:"Activity"; distance:0; nocase; content:"Logs"; distance:0; pcre:"/^SpyBuddy\s+Activity\s+Logs/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=21; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719; classtype:successful-recon-limited; sid:8356; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"SpyBuddy"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*SpyBuddy/smi"; flowbits:set,SpyBuddy_SMTP; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:8355; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger EliteKeylogger runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"<logs@logs.com>"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*\x3Clogs\x40logs\x2Ecom\x3E/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=814; classtype:successful-recon-limited; sid:7857; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware winsysba-a runtime detection - track surfing activity"; flow:to_server,established; content:"/url_sp2.asp"; fast_pattern; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"vb"; nocase; http_header; content:"wininet"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*vb\s+wininet/smiH"; metadata:service http; reference:url,secunia.com/virus_information/26844/winsysba-a/; classtype:successful-recon-limited; sid:7856; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger clogger 1.0 runtime detection - send log through email"; flow:to_server,established; flowbits:isset,Clogger_SendLogOut2; content:"<----------- Fin du Fichier ----------- >"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=824; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068235; classtype:successful-recon-limited; sid:7847; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger clogger 1.0 runtime detection"; flow:to_server,established; flowbits:isset,Clogger_SendLogOut1; content:"|23 23 23 23|"; nocase; content:"Fen|EA|tre |3A|"; distance:0; nocase; content:"|23 23 23 23|"; distance:0; nocase; pcre:"/\x23\x23\x23\x23\s+Fen\xeatre\s+\x3a[^\r\n]*\x23\x23\x23\x23/smi"; flowbits:set,Clogger_SendLogOut2; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7846; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger clogger 1.0 runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Keylogger"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*Keylogger/smi"; flowbits:set,Clogger_SendLogOut1; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7845; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spyoutside runtime detection - email delivery"; flow:to_server,established; content:"From|3A|"; nocase; content:"SpyOuTSiDe@CurrenTChaoS.Tk"; distance:0; nocase; pcre:"/^From\x3A\s+SpyOuTSiDe\x40CurrenTChaoS\x2ETk/smi"; content:"Subject|3A|"; nocase; content:"SpYOuTSiDe"; distance:0; nocase; content:"transmission"; distance:0; nocase; content:"with"; distance:0; nocase; content:"log"; distance:0; nocase; pcre:"/^Subject\x3A\s+\x5B\d+\x5D\x2D\s+SpYOuTSiDe\s+transmission\s+with\s+log\s+\x2D/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.spyoutside.html; classtype:successful-recon-limited; sid:7837; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spy lantern keylogger runtime detection"; flow:to_server,established; flowbits:isset,LanternKeylogger; content:"filename="; nocase; content:".ltr"; distance:0; nocase; pcre:"/filename=\x22[^\r\n]*\x2Eltr\x22/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083297; classtype:successful-recon-limited; sid:7597; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spy lantern keylogger runtime detection - flowbit set"; flow:to_server,established; content:"Hello."; nocase; content:"This"; distance:0; nocase; content:"letter"; distance:0; nocase; content:"contains"; distance:0; nocase; content:"logfile"; distance:0; nocase; content:"from"; distance:0; nocase; pcre:"/Hello\x2E\s+This\s+letter\s+contains\s+logfile\s+from/smi"; flowbits:set,LanternKeylogger; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083297; classtype:successful-recon-limited; sid:7596; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger keylogger pro runtime detection"; flow:to_server,established; flowbits:isset,KeyloggerPro_SMTP; content:"Keylogger"; nocase; content:"Pro"; distance:0; nocase; content:"Activity"; distance:0; nocase; content:"Logs"; distance:0; pcre:"/^Keylogger\s+Pro\s+Activity\s+Logs/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spyany.com/keylogger.html; classtype:successful-recon-limited; sid:7592; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger keylogger pro runtime detection - flowbit set"; flow:to_server,established; content:"From|3A|"; nocase; content:"Keylogger-Pro"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*Keylogger-Pro/smi"; flowbits:set,KeyloggerPro_SMTP; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7591; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger proagent 2.0 runtime detection"; flow:to_server,established; content:"HELO"; nocase; content:"ProAgent"; distance:0; nocase; pcre:"/^HELO\s+ProAgent/smi"; content:"From|3A|"; nocase; content:"ProAgent"; distance:0; nocase; pcre:"/^From\x3A\s+\x22ProAgent\s+v\d+\x2E\d+\x22/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.2-spyware.com/remove-trojanspy-win32-proagent.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076925; classtype:successful-recon-limited; sid:7574; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware webhancer runtime detection"; flow:to_server,established; content:"POST"; depth:4; nocase; content:"X-AT|3A|"; nocase; http_header; content:"X-CI|3A|"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*webhancer\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=26; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=43482; classtype:successful-recon-limited; sid:7568; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware purityscan runtime detection - opt out of interstitial advertising"; flow:to_server,established; content:"/ps/ps_uninstaller.exe"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.purityscan.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Epurityscan\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7561; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware purityscan runtime detection - self update"; flow:to_server,established; content:"/query.php"; fast_pattern; nocase; http_uri; content:"v="; nocase; content:"b="; distance:0; nocase; content:"vt="; distance:0; nocase; content:"c="; distance:0; nocase; content:"os="; distance:0; nocase; content:"lang="; distance:0; nocase; content:"pl="; distance:0; nocase; content:"z="; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7560; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware purityscan runtime detection - track user activity and status"; flow:to_server,established; content:"/count.cgi?clickspring"; nocase; http_uri; content:"www.clickspring.net/cs/pop4/frame_ver2.html"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7559; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware purityscan runtime detection - installation notify"; flow:to_server,established; content:"/install/notify.php?"; fast_pattern; nocase; http_uri; content:"pid="; nocase; http_uri; content:"module="; nocase; http_uri; content:"v="; nocase; http_uri; content:"b="; nocase; http_uri; content:"result="; nocase; http_uri; content:"message="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7558; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware purityscan runtime detection - start up"; flow:to_server,established; content:"/cs/pop4/"; fast_pattern; nocase; http_uri; content:".html"; nocase; http_uri; pcre:"/\x2Fcs\x2Fpop4\x2F((frame_ver2)|(UI2))\x2Ehtml/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7557; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ardamax keylogger runtime detection - ftp"; flow:to_server,established; content:"{D082139B-D5E4-4e63-B866-9BFC97880A48}"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=526; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094248; classtype:successful-recon-limited; sid:7552; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger ardamax keylogger runtime detection - smtp"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"ATL"; distance:0; nocase; content:"CSmtp"; distance:0; nocase; content:"Class"; distance:0; nocase; content:"Mailer"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Robert"; distance:0; nocase; content:"Simpson"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*ATL\s+CSmtp\s+Class\s+Mailer\s+by\s+Robert\s+Simpson\s+\x28robert\x40blackcastlesoft\x2Ecom\x29/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=526; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094248; classtype:successful-recon-limited; sid:7551; rev:9;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 15165 (msg:"MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection"; content:"|1D BA 0B FB|d|5C 86 E1 DA 83|BC|B6 04 E0|^|0A|@|C5 D4 00 00 00 00 00 00 00 00|"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=343; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=35592; classtype:successful-recon-limited; sid:7549; rev:8;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 15165 (msg:"MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent up notification"; content:"|00 00 00 00 00 00 00 00|"; depth:8; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=343; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=35592; classtype:successful-recon-limited; sid:7548; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 15164 (msg:"MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent status monitoring"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=343; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=35592; classtype:successful-recon-limited; sid:7547; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger PerfectKeylogger runtime detection"; flow:to_server,established; flowbits:isset,PerfectKeylogger2; content:"This is a Perfect Keylogger report"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=588; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073333; classtype:successful-recon-limited; sid:7546; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 2"; flow:to_server,established; flowbits:isset,PerfectKeylogger1; content:"filename=|22|keystrokes.html|22|"; depth:300; nocase; flowbits:set,PerfectKeylogger2; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=588; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073333; classtype:successful-recon-limited; sid:7545; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 1"; flow:to_server,established; content:"X-Mailer|3A| CSMTPConnection"; depth:256; nocase; flowbits:set,PerfectKeylogger1; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=588; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073333; classtype:successful-recon-limited; sid:7544; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger starlogger runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"|22|StarLogger|22|"; distance:0; nocase; content:"Subject|3A| StarLogger information"; distance:0; nocase; content:"Please find attached the StarLogger log file named"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=922; classtype:successful-recon-limited; sid:7541; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger eye spy pro 1.0 runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Eye"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"Pro"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*Eye\s+Spy\s+Pro/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.softslist.com/download-9-50-20783.html; classtype:successful-recon-limited; sid:7539; rev:9;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring"; flow:to_client,established; content:"Server|3A|"; nocase; http_header; content:"WatchDog"; fast_pattern:only; http_header; content:"Server"; nocase; http_header; pcre:"/Server\x3a[^\r\n]*WatchDog[^\r\n]*Server/smiH"; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7515; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically"; flow:to_server,established; content:"S|3A|Users"; fast_pattern:only; pcre:"/^S\x3aUsers\x5c\d+\x2cSTATSTimeTotal/smi"; metadata:impact_flag red; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7514; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger watchdog runtime detection - init connection"; flow:to_server,established; flowbits:isset,WatchDog_Init_Connection; content:"I|3A|NAME|3A|"; fast_pattern:only; pcre:"/^I\x3aNAME\x3a/smi"; metadata:impact_flag red; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7513; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Keylogger watchdog runtime detection - init connection - flowbit set"; flow:to_client,established; content:"N|3A|UC|3A|"; fast_pattern:only; pcre:"/^N\x3aUC\x3a\d+\x2c\d+\x2e\d+\x2e\d+\x2e\d+\x2c/smi"; flowbits:set,WatchDog_Init_Connection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098060; classtype:successful-recon-limited; sid:7512; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger actualspy runtime detection - smtp"; flow:to_server,established; content:"<title>"; nocase; content:"Actual"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"software"; distance:0; nocase; content:"report"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\<title\>Actual\s+Spy\s+software\s+report\<\x2Ftitle\>/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086496; classtype:successful-recon-limited; sid:7505; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-OTHER Keylogger actualspy runtime detection - ftp-data"; flow:to_client,established; content:"<title>"; nocase; content:"Actual"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"software"; distance:0; nocase; content:"report"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\<title\>Actual\s+Spy\s+software\s+report\<\x2Ftitle\>/smi"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086496; classtype:successful-recon-limited; sid:7504; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware shopathome runtime detection - setcookie request"; flow:to_server,established; content:"/setcookie.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"s="; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"discounts.shopathome.com/frameset.asp?"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*http\x3A\x2F\x2Fdiscounts\x2Eshopathome\x2Ecom\x2Fframeset\x2Easp\?/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076082; classtype:successful-recon-limited; sid:7189; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger kgb Keylogger runtime detection"; flow:to_server,established; content:"filename="; nocase; content:"zip"; distance:0; nocase; pcre:"/filename\x3D\x22[^\r\n]*?\x2D\d+\x5F\d+\x5F\d+\x2D\d+\x5F\d+\x5F\d+\s+[AP]M\x2Ezip/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1328; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096494; classtype:successful-recon-limited; sid:7186; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger 007 spy software runtime detection - ftp"; flow:to_server,established; content:"STOR"; fast_pattern:only; pcre:"/^STOR\s+\x2E\x2F(kys|scr|Apps|Urls)[0-9]+\x2Etxt/smi"; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1137; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082794; classtype:successful-recon-limited; sid:7185; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger 007 spy software runtime detection - smtp"; flow:to_server,established; content:"From|3A| |22|007 Spy Agent|22|"; nocase; content:"Subject|3A| 007 Monitoring Log Report"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1137; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082794; classtype:successful-recon-limited; sid:7184; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection"; flow:to_client,established; flowbits:isset,DesktopDetective_InitConnection2; content:"|FE FE FE FE|90|00 00|"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=349; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060318; classtype:successful-recon-limited; sid:7180; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection"; flow:to_server,established; flowbits:isset,DesktopDetective_InitConnection1; content:"|FE FE FE FE 00 00 00 00|"; depth:8; content:"DDController"; distance:0; nocase; flowbits:set,DesktopDetective_InitConnection2; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7179; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection"; flow:to_client,established; content:"|FE FE FE FE|90|00 00|"; depth:8; content:"Private"; distance:0; nocase; content:"Server,"; distance:0; nocase; content:"Login"; distance:0; nocase; content:"Required"; distance:0; nocase; flowbits:set,DesktopDetective_InitConnection1; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7178; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - info send through email"; flow:to_server,established; content:"From|3A|"; nocase; content:"<logs@dummyserver.com>"; distance:0; content:"Subject|3A|"; nocase; content:"Logs"; distance:0; nocase; content:"X-Mailer|3A|"; nocase; content:"Built-in Mail"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076050; classtype:successful-recon-limited; sid:7177; rev:10;)
# alert tcp $HOME_NET 868 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve"; flow:to_client,established; flowbits:isset,ABSystemSpy_LogRetrieve; content:"FILEINFO|7C|"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076050; classtype:successful-recon-limited; sid:7176; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 868 (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve"; flow:to_server,established; content:"Send me the logs, please"; flowbits:set,ABSystemSpy_LogRetrieve; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7175; rev:6;)
# alert tcp $HOME_NET 868 <> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange"; flow:established; flowbits:isset,ABSystemSpy_Inforetrieve4; content:"chkCtr"; depth:6; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076050; classtype:successful-recon-limited; sid:7169; rev:9;)
alert tcp $HOME_NET 868 <> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 4"; flow:established; flowbits:isset,ABSystemSpy_Inforetrieve3; content:"chkCap"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve4; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7168; rev:7;)
alert tcp $HOME_NET 868 <> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 3"; flow:established; flowbits:isset,ABSystemSpy_Inforetrieve2; content:"chkCli"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve3; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7167; rev:8;)
alert tcp $HOME_NET 868 <> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 2"; flow:established; flowbits:isset,ABSystemSpy_Inforetrieve1; content:"chkShe"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve2; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7166; rev:8;)
alert tcp $HOME_NET 868 <> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 1"; flow:established; content:"chkLis"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve1; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7165; rev:8;)
# alert tcp $HOME_NET 10050 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - execute file server-to-client"; flow:to_client,established; flowbits:isset,winspy_execute_client-to-server; content:"/RF|16|"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7164; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10050 (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - execute file client-to-server"; flow:to_server,established; content:"/RF"; fast_pattern:only; pcre:"/\x2FRF[^\r\n]*\x16/smi"; flowbits:set,winspy_execute_client-to-server; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7163; rev:6;)
# alert tcp $HOME_NET 10050 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client"; flow:to_client,established; flowbits:isset,winspy_download_client-to-server; content:"/CU"; fast_pattern:only; pcre:"/\x2FCU[^\r\n]*\x18\d+\x18\x16/smi"; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7162; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10050 (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - download file client-to-server"; flow:to_server,established; content:"/CD"; fast_pattern:only; pcre:"/\x2FCD[^\r\n]*\x18\x16/smi"; flowbits:set,winspy_download_client-to-server; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7161; rev:6;)
# alert tcp $HOME_NET 10050 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - upload file server-to-client"; flow:to_client,established; flowbits:isset,winspy_upload_client-to-server; content:"/CK|16|"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7160; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10050 (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - upload file client-to-server"; flow:to_server,established; content:"/CU"; nocase; content:"True"; distance:0; nocase; pcre:"/\x2FCU[^\r\n]*\x18\d+\x18True\x18\x16/smi"; flowbits:set,winspy_upload_client-to-server; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7159; rev:5;)
# alert tcp $HOME_NET 10050 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - remote conn server-to-client"; flow:to_client,established; flowbits:isset,winspy_conn_client-to-server; content:"/CK|16|"; depth:4; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7158; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10050 (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - remote conn client-to-server"; flow:to_server,established; content:"/CLUserName|18|Password|16|"; depth:21; nocase; flowbits:set,winspy_conn_client-to-server; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7157; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - email delivery"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"_ANSMTP_"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"LOG"; distance:0; nocase; content:"FILE"; distance:0; nocase; content:"Current"; distance:0; nocase; content:"User|3A|"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*_\d+_ANSMTP_\d+_.*Subject\x3A[^\r\n]*LOG\s+FILE\s+Current\s+User\x3A/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7156; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger active keylogger home runtime detection"; flow:to_server,established; content:"Active"; nocase; content:"Keylogger"; distance:0; nocase; content:"Home"; distance:0; nocase; content:"Report"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1720; classtype:successful-recon-limited; sid:7154; rev:9;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 15165 (msg:"MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent up notification"; content:"|00 00 00 00 0A 02 08 A6|"; depth:8; content:"|02 00 00|v"; distance:0; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=879; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982; classtype:successful-recon-limited; sid:6386; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 15164 (msg:"MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent status monitoring"; content:"|0A 02 08 FE 00|"; depth:5; offset:4; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=879; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982; classtype:successful-recon-limited; sid:6385; rev:8;)
# alert udp $EXTERNAL_NET any -> 255.255.255.255 15164 (msg:"MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent discover broadcast"; flow:to_server; content:"|00|]B|00 0A 02 08 FE 01 FC 12 00|"; depth:12; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=879; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982; classtype:successful-recon-limited; sid:6384; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 15163 (msg:"MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - tcp connection setup"; flow:to_server,established; content:"|04 00 00 00|"; depth:4; content:"|FF D8 FF E0 00 10|JFIF|00 01 01 00 00 00 00 00 00 00 FF DB 00|C|00 08 06 06 07 06 05 08 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 13 0F 14 1D 1A 1F 1E 1D 1A 1C 1C| |24|.' |22|,|23 1C 1C 28|7|29|,01444|1F|'9=82<.342|FF DB 00|C|01|"; distance:0; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=879; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982; classtype:successful-recon-limited; sid:6383; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Sony rootkit runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"SecureNet"; fast_pattern; nocase; http_header; content:"Xtra"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*SecureNet\s+Xtra/smiH"; pcre:"/^Host\x3A[^\r\n]*sonymusic\x2Ecom/smiH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362; classtype:misc-activity; sid:6365; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger handy keylogger runtime detection"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"Handy Keylogger|3A|"; distance:0; nocase; content:"PRODUCED BY HANDY KEYLOGGER LOG PARSER"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1103; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096599; classtype:successful-recon-limited; sid:6340; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger computerspy runtime detection"; flow:to_server,established; content:"From|3A| keys<keys@hotpop.com>"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=449; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072991; classtype:successful-recon-limited; sid:6221; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger boss everyware runtime detection"; flow:to_server,established; content:"X-Mailer|3A| Boss Everyware"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.scanspyware.net/info/BossEveryWare.htm; reference:url,www.spywareguide.com/product_show.php?id=4; classtype:successful-recon-limited; sid:6220; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger winsession runtime detection - ftp"; flow:to_server,established; content:"_WinSession Logger.clk"; fast_pattern:only; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097713; classtype:successful-recon-limited; sid:6208; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger winsession runtime detection - smtp"; flow:to_server,established; content:"===========>"; nocase; content:"WinSession Logger"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097713; classtype:successful-recon-limited; sid:6207; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger eblaster 5.0 runtime detection"; flow:to_server,established; content:"X-SpectorSerial|3A|"; nocase; content:"X-SpectorMachineID|3A|"; fast_pattern:only; content:"X-SpectorBuild|3A|"; nocase; content:"eBlaster"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=8; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090687; classtype:successful-recon-limited; sid:6190; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 2"; flow:to_server,established; content:"/fs-bin/swat?"; nocase; http_uri; content:"lsnsig="; nocase; http_uri; content:"offerid="; nocase; http_uri; content:"Referer|3A| e2give.com"; fast_pattern; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5909; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 1"; flow:to_server,established; content:"/fs-bin/click?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"offerid="; nocase; http_uri; content:"type="; nocase; http_uri; content:"Referer|3A| e2give.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5908; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware e2give runtime detection - check update"; flow:to_server,established; content:"/go/check?"; nocase; http_uri; content:"build="; nocase; http_uri; content:"source="; nocase; http_uri; content:"Host|3A| e2give.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5907; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spyagent runtime detect - alert notification"; flow:to_server,established; content:"This is an alert notification from SpyAgent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5882; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger spyagent runtime detect - ftp delivery"; flow:to_server,established; content:"STOR spyagent-log"; fast_pattern:only; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5881; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spyagent runtime detect - smtp delivery"; flow:to_server,established; content:"Computer IP Address|3A|"; nocase; content:"Attached to this email are the activity logs that you have requested"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5880; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware ucmore runtime detection - click sponsor/ad link"; flow:to_server,established; content:"/click.asp?"; nocase; http_uri; content:"Host|3A| sponsor2.ucmore.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=776; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype:successful-recon-limited; sid:5839; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware myway speedbar runtime detection - switch engines"; flow:to_server,established; content:"PG=SPEEDBAR"; nocase; http_uri; pcre:"/\.(jsp|html)\?[^\r\n]*PG=SPEEDBAR/Ui"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips drop, service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5805; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger pc actmon pro runtime detection - smtp"; flow:to_server,established; content:"X-Sender|3A| ActMon"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1989; classtype:successful-recon-limited; sid:5790; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwae urls browsed log"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWAE URLS Browsed LOG"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5784; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwae keystrokes log"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWAE Keystrokes LOG"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5783; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwae word filtered echelon log"; flow:to_server,established; content:"Subject|3A| HWAE Word Filtered Echelon LOG"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5782; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwae windows activity logs"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWAE Windows Activity LOG"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5781; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwpe word filtered echelon log"; flow:to_server,established; content:"Subject|3A| HWPE Word Filtered Echelon LOG"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5780; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwpe shell file logs"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWPE Shell/File LOG"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5779; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwpe windows activity logs"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWPE Windows Activity LOG"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5778; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger gurl watcher runtime detection"; flow:to_server,established; content:"X-Mailer|3A| GURL Watcher"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=503; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080847; classtype:successful-recon-limited; sid:5777; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger fearlesskeyspy runtime detection"; flow:to_server,established; content:"STOR"; nocase; content:"FKS_"; distance:0; nocase; pcre:"/^STOR\s+FKS_\w+_\d+-\d+-\d+\.log/i"; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=553; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076298; classtype:successful-recon-limited; sid:5759; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger activitylogger runtime detection"; flow:to_server,established; content:"X-Mailer|3A| SoftActivity Mailer"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=32; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080822; classtype:successful-recon-limited; sid:5742; rev:11;)
# alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:10;)
# alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"MALWARE-OTHER mstream client to handler"; flow:to_server,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream agent pong to handler"; flow:to_server; content:"pong"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:246; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream handler ping to agent"; flow:to_server; content:"ping"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream handler to agent"; flow:to_server; content:"stream/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"MALWARE-OTHER mstream agent to handler"; flow:to_server; content:"newserver"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:243; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"MALWARE-OTHER shaft agent to handler"; flow:to_server; content:"alive"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"MALWARE-OTHER shaft handler to agent"; flow:to_server; content:"alive tijgu"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:239; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"MALWARE-OTHER Trin00 Master to Daemon default password attempt"; flow:to_server; content:"l44adsl"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:237; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:235; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:234; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:233; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master *HELLO* message detected"; flow:to_server; content:"*HELLO*"; metadata:ruleset community; reference:cve,2000-0138; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11;)
# alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER shaft client login to handler"; flow:to_client,established; content:"login|3A|"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [31335,35555] (msg:"MALWARE-OTHER Trin00 Daemon to Master PONG message detected"; flow:to_server; content:"PONG"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:223; rev:13;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name"; flow:established,to_client; ssl_state:server_hello; content:"|55 04 0A 13 18|Internet Widgits Pty Ltd"; fast_pattern:only; metadata:impact_flag red, service ssl; reference:url,attack.mitre.org/techniques/T1078; reference:url,blog.talosintel.com/2011/07/do-you-really-trust-that-certificate.html; reference:url,en.wikipedia.org/wiki/Self-signed_certificate; reference:url,security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html; classtype:policy-violation; sid:19551; rev:11;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.HackBack file upload attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"Interview_Venue_and_Questions.app/Contents/MacOS/FileBackupUX"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27060; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.HackBack file download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"Interview_Venue_and_Questions.app/Contents/MacOS/FileBackupUX"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27059; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Win.Trojan.Yakes download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:":|5C|Motor Life|5C|Rotor.pdb"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27056; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Yakes download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:":|5C|Motor Life|5C|Rotor.pdb"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27055; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Trojan.Java.JVDrop.A jar file download attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"WebEnhancer.class"; fast_pattern:only; content:"META-INF/SIGNAPPL.SF"; content:"META-INF/SIGNAPPL.DSA"; within:30; distance:40; content:"win"; within:170; distance:150; nocase; content:"mac"; within:20; distance:60; nocase; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/53cd1d6a1cc64d4e8275a22216492b76db186cfb38cec6e7b3cfb7a87ccb3524/analysis/; classtype:trojan-activity; sid:27053; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Trojan.Java.JVDrop.A jar file download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"WebEnhancer.class"; fast_pattern:only; content:"META-INF/SIGNAPPL.SF"; content:"META-INF/SIGNAPPL.DSA"; within:30; distance:40; content:"win"; within:170; distance:150; nocase; content:"mac"; within:20; distance:60; nocase; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/53cd1d6a1cc64d4e8275a22216492b76db186cfb38cec6e7b3cfb7a87ccb3524/analysis/; classtype:trojan-activity; sid:27052; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Win.Trojan.Dokstormac file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"wrUz2WzrY5v/P3E8LObWW7nrH4/a"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27051; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Dokstormac file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"wrUz2WzrY5v/P3E8LObWW7nrH4/a"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27050; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Win.Backdoor.Transhell file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Hello,Hell!"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/204c13f7ed2d3e5c78f3ef8a44eb561c/analysis/; classtype:trojan-activity; sid:27035; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Backdoor.Transhell file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Hello,Hell!"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/204c13f7ed2d3e5c78f3ef8a44eb561c/analysis/; classtype:trojan-activity; sid:27034; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER UNIX.Trojan.Netweird.A file download attempt"; flow:to_client,established; file_data; content:"/bin/sh|00|/bin/bash"; nocase; content:"libmozsqlite3"; within:100; nocase; content:"opera/wand.dat"; within:50; distance:400; nocase; content:"Exec=|22|%s|22|"; within:50; distance:500; nocase; content:"%.2d/%.2d/%d %.2d:%.2d:%.2d"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/257da8c8b296dac6b029004ed06253fe622c5438b4a47b7dfbb87323b64f50a1/analysis/1354885571/; classtype:trojan-activity; sid:27025; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Netweird.A file download attempt"; flow:to_client,established; file_data; content:"/bin/sh|00|/bin/bash"; nocase; content:"Opera/wand.dat"; within:100; nocase; content:"libmozsqlite3.dylib"; within:50; distance:114; content:"select * from moz_logins"; within:50; distance:679; content:"%.2d/%.2d/%d %.2d:%.2d:%.2d"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/257da8c8b296dac6b029004ed06253fe622c5438b4a47b7dfbb87323b64f50a1/analysis/1354885571/; classtype:trojan-activity; sid:27024; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Pintsized file download attempt"; flow:to_client,established; file_data; content:"<plist><dict>"; depth:15; offset:8; nocase; content:"<string>/usr/bin/perl</string>"; within:256; nocase; content:"use Socket|3B|"; within:128; nocase; content:"open(STDIN"; within:512; nocase; content:"|3B|exec(|22|/bin/sh -i"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/490d6a45bd7e5ee265373f46fd00e98ff2eb854c0ceda024aa3adaefd947202f/analysis/; classtype:trojan-activity; sid:27198; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Pintsized file download attempt"; flow:to_client,established; file_data; content:"<plist><dict>"; depth:15; offset:8; nocase; content:"<string>/Users/"; within:128; nocase; content:"/.cups/cupsd</string><string>-z</string>"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/3b829abe42252b2fa8d304b93a35090c23f3702ad048adfdd03942f77e0f5a66/analysis/; classtype:trojan-activity; sid:27197; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER IFRAMEr Tool code injection attack"; flow:to_client,established; file_data; content:"a=0|3B|z=|22|y|22 3B|try{a*=25}catch("; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27229; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Janicab file download attempt"; flow:to_client,established; file_data; content:"RecentNews|2E E2 80 AE|fdp.app"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.f-secure.com/weblog/archives/00002576.html; classtype:attempted-admin; sid:27228; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; classtype:trojan-activity; sid:27246; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--0c0896-->"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27550; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Osx.Trojan.Janicab file download attempt"; flow:to_server,established; flowbits:isset,file.pyc; file_data; content:"Libs/Starter"; fast_pattern:only; pcre:"/Libs\/Starter(CmdExec|NetUtils|Rec|ScreenShots|Settings)\.py/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27549; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Osx.Trojan.Janicab file download attempt"; flow:to_client,established; flowbits:isset,file.pyc; file_data; content:"Libs/Starter"; fast_pattern:only; pcre:"/Libs\/Starter(CmdExec|NetUtils|Rec|ScreenShots|Settings)\.py/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27548; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name"; flow:established,to_client; ssl_state:server_hello; content:"|55 04 0A|"; content:"|0E|MyCompany Ltd"; within:14; distance:1; metadata:impact_flag red, ruleset community, service ssl; reference:url,attack.mitre.org/techniques/T1078; reference:url,en.wikipedia.org/wiki/Self-signed_certificate; reference:url,security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html; classtype:policy-violation; sid:27538; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HideMeBetter spam injection variant"; flow:to_client,established; file_data; content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only; content:"if(document|2E|getElementById(|22|HideMeBetter|22|)|20 21 3D 20|null)"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; sid:27565; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Fake Adobe Flash Player malware binary requested"; flow:to_server,established; content:"&filename=Flash Player "; http_uri; content:".exe"; within:8; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27595; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:to_client,established; file_data; content:"WARNING|21| You should update your Flash Player Immediately"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27594; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Kuluoz outbound download request"; flow:to_server,established; content:"?message="; fast_pattern:only; http_uri; pcre:"/(info|app)\x2ephp\x3fmessage\x3d/U"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,malwaremustdie.blogspot.com/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:28006; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt"; flow:to_server,established; file_data; content:"|22|opener: wrote LittleSnitch StartupParameters.plist |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27961; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt"; flow:to_server,established; file_data; content:"|22|opener: Finished move to System Library StartupItems |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27960; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt"; flow:to_server,established; file_data; content:"|22|opener: Finished gather system-wide info |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27959; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt"; flow:to_client,established; file_data; content:"|22|opener: wrote LittleSnitch StartupParameters.plist |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27958; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt"; flow:to_client,established; file_data; content:"|22|opener: Finished move to System Library StartupItems |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27957; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt"; flow:to_client,established; file_data; content:"|22|opener: Finished gather system-wide info |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27956; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Stoberox outbound communication attempt"; flow:to_server,established; urilen:17; content:"LSpJAIj4Xvni"; fast_pattern:only; content:"CONNECT"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/daa4ea82294fa2c1a29a6e45feb67cfc06fa87e5e08d1f9333c989fa298e8d11/analysis/; classtype:trojan-activity; sid:28365; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER SimpleTDS - request to go.php"; flow:to_server,established; content:"/go.php?sid="; fast_pattern:only; http_uri; metadata:service http; reference:url,www.simpletds.com; classtype:misc-activity; sid:28348; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER SimpleTDS - page redirecting to a SimpleTDS"; flow:to_client,established; file_data; content:"/go.php?sid="; pcre:"/\x2Fgo\.php\?sid=\d+/"; metadata:impact_flag red, service http; reference:url,www.simpletds.com; classtype:misc-activity; sid:28347; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Magitart outbound communication attempt"; flow:to_server,established; content:"/nstart.aspx|3F|id|3D|"; fast_pattern:only; http_uri; content:"|26|id2|3D|"; depth:17; offset:28; http_uri; content:"|26|c|3D|"; within:28; distance:20; http_uri; content:"|3B|q|3D|0.1|0D 0A|Accept|2D|Language|3A 20|zh|2D|cn|2C|en|3B|q|3D|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/52cc53b8c6f77d59f3b677674aeeedc4542b5a7aa793253597dee3693f1a6842/analysis/; classtype:trojan-activity; sid:28483; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MALWARE-OTHER SQL Slammer worm propagation attempt inbound"; flow:to_server; content:"|04|"; depth:1; content:"Qh.dll"; fast_pattern:only; content:"sock"; content:"send"; metadata:impact_flag red, ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; classtype:trojan-activity; sid:28555; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Backdoor.Tavdig download attempt"; flow:to_server,established; file_data; content:"|76 61 62 6D 75 3F 00 53 68 6E 62 72 61 20 6B 68 77 64 79 61 6A 64 6F 62 20 6D 64 71 78 70 7A 6C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/0b97c87126578113050d8e014e8fefeb33146eebc40e75c070882ec31ae26aab/analysis/; classtype:trojan-activity; sid:28848; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Backdoor.Tavdig download attempt"; flow:to_client,established; file_data; content:"|76 61 62 6D 75 3F 00 53 68 6E 62 72 61 20 6B 68 77 64 79 61 6A 64 6F 62 20 6D 64 71 78 70 7A 6C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/0b97c87126578113050d8e014e8fefeb33146eebc40e75c070882ec31ae26aab/analysis/; classtype:trojan-activity; sid:28847; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER multi-hop iframe campaign client-side exploit attempt"; flow:to_client,established; file_data; content:"zc9rvR0pvLDME9FT61C471dmhns=|22|421412|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-3402; reference:url,www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/; reference:url,www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/; classtype:trojan-activity; sid:29025; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER multi-hop iframe campaign client-side exploit attempt"; flow:to_client,established; file_data; content:"B|00|u|00|f|00|f|00|a|00|l|00|o|00 00 00 00 10 00|v|00|i|00|r|00|g|00|i|00|n|00|s"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-3402; reference:url,www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/; reference:url,www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/; classtype:trojan-activity; sid:29024; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER multi-hop iframe campaign client-side exploit attempt"; flow:to_client,established; file_data; content:"=|22|gd|22|+|22|asfg|22 3B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-3402; reference:url,www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/; reference:url,www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/; classtype:trojan-activity; sid:29023; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/xmlrpc/includes/logs/config.bin"; fast_pattern:only; http_uri; content:!"|0D 0A|Referer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/url/689128c8dfa5e1db7dbf5400635ed4504dc9de8ebcda38549dd44aa15bd999e0/analysis/; classtype:trojan-activity; sid:29013; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/xmlrpc/includes/logs/gate.php"; fast_pattern:only; http_uri; content:!"|0D 0A|Referer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/url/689128c8dfa5e1db7dbf5400635ed4504dc9de8ebcda38549dd44aa15bd999e0/analysis/; classtype:trojan-activity; sid:29012; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.InstallMonster variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Opera/9.80 |28|Windows NT 6.1|3B| U|3B| ru|29| Presto/2.8.131 Version/11.10"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/527562368cd5ba3dd8dc41c51f0998ab225a8dd2273359c4ee7c939d7570d42f/analysis/; classtype:trojan-activity; sid:29124; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt"; flow:to_server,established; dsize:>50; content:"Subject|3A 20|Server Run|0D 0A|"; fast_pattern:only; content:"Message-ID|3A 20 3C|"; offset:160; content:"|40|"; within:1; distance:40; content:"|3E 0D 0A 0D 0A|"; within:19; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/d8cc615398fdc81d1cbe6424565925f3da3ef8022a3158b043f9fba69a7171c0/analysis/; classtype:trojan-activity; sid:29364; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Java FileDialog heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java|2F|awt|2F|FileDialog"; fast_pattern:only; content:"|01 00 07|setFile|00 21|"; content:"|00 11 00 12 00 00 00 00 00 02 00 01 00 13 00 14 00 01 00 15 00 00 00 1D 00 01 00 01 00 00 00 05|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,48129; reference:cve,2011-0802; classtype:attempted-user; sid:29643; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Java FileDialog heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java|2F|awt|2F|FileDialog"; fast_pattern:only; content:"|01 00 07|setFile|00 21|"; content:"|00 10 00 11 00 00 00 00 00 02 00 01 00 12 00 13 00 01 00 14 00 00 00 1D 00 01 00 01 00 00 00 05|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,48129; reference:cve,2011-0802; classtype:attempted-user; sid:29642; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Java FileDialog heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java|2F|awt|2F|FileDialog"; fast_pattern:only; content:"|01 00 07|setFile|00 21|"; content:"|00 11 00 12 00 00 00 00 00 02 00 01 00 13 00 14 00 01 00 15 00 00 00 1D 00 01 00 01 00 00 00 05|"; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,48129; reference:cve,2011-0802; classtype:attempted-user; sid:29641; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Java FileDialog heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java|2F|awt|2F|FileDialog"; fast_pattern:only; content:"|01 00 07|setFile|00 21|"; content:"|00 10 00 11 00 00 00 00 00 02 00 01 00 12 00 13 00 01 00 14 00 00 00 1D 00 01 00 01 00 00 00 05|"; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,48129; reference:cve,2011-0802; classtype:attempted-user; sid:29640; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 100 (msg:"MALWARE-OTHER Win.Keylogger.Vacky system information disclosure"; flow:to_server,established; content:"|00 00 00 00 00 00 00|"; depth:7; offset:1; content:"|AA AA AA AA|"; within:4; distance:4; fast_pattern; dsize:16; metadata:impact_flag red, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/cb461e5a7891e357dd1be81b68229bb909648fe27c993adab26c0be7508f2c4f/analysis/; classtype:trojan-activity; sid:29918; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:22; content:"/android/sms/index.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; content:"bot_id="; http_client_body; content:"&number=&iccid=&model="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&control_number="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30072; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:21; content:"POST"; http_method; content:"/android/sms/ping.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30071; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:21; content:"/android/sms/sync.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; content:"bot_id="; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&iscallhack="; distance:0; http_client_body; content:"&issmshack="; distance:0; http_client_body; content:"&isrecordhack="; distance:0; http_client_body; content:"&isadmin="; distance:0; http_client_body; content:"&control_number="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30070; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER TDS Sutra - RULEZ cookie"; flow:to_server,established; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:30138; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - RULEZ cookie set"; flow:to_client,established; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:30137; rev:1;)
# alert udp $HOME_NET 53 -> any any (msg:"MALWARE-OTHER Unix.Trojan.Onimiki DNS compromised server response"; flow:to_client; byte_test:1,&,0x04,2; content:"|00 01 00 01 00 01 00 00 38|"; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00/Ris"; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,github.com/eset/malware-ioc; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30273; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"MALWARE-OTHER Unix.Trojan.Onimiki redirected client DNS request"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 01 00 00 00 00 00 00 38|"; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00/Ris"; metadata:policy security-ips drop, service dns; reference:url,github.com/eset/malware-ioc; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30272; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER malicious iframe injection redirect attempt"; flow:to_client,established; file_data; content:"document.write|28 27|<script src=|22|"; content:"type=|22|text/javascript|22|></script>|27 29 3B 20|/*/"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30325; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt"; flow:to_client,established; content:"filename=FuneralCeremony_"; fast_pattern:only; http_header; content:".zip"; nocase; http_header; file_data; content:"FuneralCeremony_"; content:".exe"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/285ec7e2f8cbaed5d8cebde56bb6d44a921eb4e8384981832822329d8ccfb125/analysis/1395241815/; classtype:trojan-activity; sid:30569; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt"; flow:to_server,established; content:"/cache/pdf_efax_"; fast_pattern:only; http_uri; pcre:"/\/cache\/pdf\x5Fefax\x5F\d{8,15}\.zip$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30568; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"pdf_efax_"; fast_pattern:only; content:"PK"; depth:2; content:".pif"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30567; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Wysotot variant download attempt"; flow:to_server,established; content:"/dl/get_tab?type="; fast_pattern:only; http_uri; content:"User-Agent|3A| ElexNetDownload|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.technet.com/b/mmpc/archive/2014/03/11/msrt-march-2014-wysotot.aspx; classtype:trojan-activity; sid:30946; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.ZBerp variant download attempt"; flow:to_server,established; file_data; content:"|53 00 6E 00 52 00 52 00 20 00 53 00 74 00 75 00 64 00 69 00 6F 00 6E 00 20 00 52 00 65 00 70 00 6F 00 72 00 74 00 20 00 52 00 65 00 6E 00 65 00 77 00 65 00 72 00 69 00 6E 00 67 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/34a06446088d82f9a3c488352d35e7a4c8df9f0c9a042b5af60e013c7ef89c80/analysis/; classtype:trojan-activity; sid:31185; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.ZBerp variant download attempt"; flow:to_client,established; file_data; content:"|53 00 6E 00 52 00 52 00 20 00 53 00 74 00 75 00 64 00 69 00 6F 00 6E 00 20 00 52 00 65 00 70 00 6F 00 72 00 74 00 20 00 52 00 65 00 6E 00 65 00 77 00 65 00 72 00 69 00 6E 00 67 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/34a06446088d82f9a3c488352d35e7a4c8df9f0c9a042b5af60e013c7ef89c80/analysis/; classtype:trojan-activity; sid:31184; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zbot variant download attempt"; flow:to_client,established; file_data; content:"w|00|i|00|g|00|a|00|s|00|t|00|o|00|p|00|o|00|e|00|l|00|a|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/96f42fa992d719c8ca7a84565702458e31b99ee35b2f058691b2477ccc555005/analysis/1403275557/; classtype:trojan-activity; sid:31329; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Game Over Zeus executable download detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|60 2E 72 64 61 74 61 00 00 0A 13 00 00 00 50 00 00 00 20 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00|"; content:"|54 02 00 00 00 70 00 00 00 10 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0|"; within:32; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/3FF49706E78067613AA1DCF0174968963B17F15E9A6BC54396A9F233D382D0E6/analysis/; classtype:trojan-activity; sid:31488; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Game Over Zeus executable download detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|60 2E 72 64 61 74 61 00 00 0A 13 00 00 00 50 00 00 00 20 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00|"; content:"|54 02 00 00 00 70 00 00 00 10 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0|"; within:32; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/3FF49706E78067613AA1DCF0174968963B17F15E9A6BC54396A9F233D382D0E6/analysis/; classtype:trojan-activity; sid:31487; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Injector outbound traffic"; flow:to_server,established; content:"/feed.php?q="; http_uri; content:"&cur.x="; fast_pattern:only; http_uri; content:"cur.y="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/62CAA81EA8D60BDFDC5AE3390AB73560226AC6C353AD8C02814689BEFF83CBB9/analysis/; classtype:trojan-activity; sid:31510; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Graftor variant retrieval of a DLL hosted as a JPG"; flow:to_server,established; urilen:18; content:"/ads/NetSyst67.jpg"; fast_pattern:only; http_uri; content:" Mozilla/4.0 |28|compatible|29|"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/38eb7b8b802b0357c0191be4634b2ec6a7d957beac6bfde076532703623991da/analysis/; classtype:trojan-activity; sid:31817; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"DeltaTicket_ET-RM-"; distance:0; nocase; content:".exe"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.satinfo.es/blog/tag/deltaticket_et-rm-0hj423891156-exe; classtype:trojan-activity; sid:32008; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Sinkhole reply - irc-sinkhole.cert.pl"; flow:to_client,established; content:"|3A|irc|2D|sinkhole|2E|cert|2E|pl"; fast_pattern:only; content:"|3A|End of MOTD command|2E|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:32260; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Adobe License Key email scam phishing attempt"; flow:to_server,established; content:"Content-Disposition|3A 20|attachment"; nocase; content:"License_Key_"; within:50; fast_pattern; nocase; content:".zip"; within:4; distance:6; nocase; metadata:impact_flag red, service smtp; reference:url,attack.mitre.org/techniques/T1192; reference:url,virustotal.com/en/file/cd0da726e7bd8a15e67f1088c2e94d3f8ca721ada0b3b1063235582a61b1be0b/analysis/; classtype:trojan-activity; sid:32772; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Adobe Invoice email scam phishing attempt"; flow:to_server,established; content:"Content-Disposition|3A 20|attachment"; nocase; content:"adb-"; within:50; nocase; content:"-invoice.zip"; within:12; distance:6; fast_pattern; nocase; metadata:impact_flag red, service smtp; reference:url,attack.mitre.org/techniques/T1192; reference:url,virustotal.com/en/file/e9a0eded5337ea14ffd6b0da0810c9cd3fba447360949519d582908bd5ee1e1c/analysis/; classtype:trojan-activity; sid:32771; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Download of executable screensaver file"; flow:to_client,established; flowbits:isset,file.screensaver; file_data; content:"MZ"; depth:2; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1180; reference:url,www.virustotal.com/en/file/cb7a29d1dec378f94b394ba4df3dc1fe5fe3b8d1d4ca3e70da3a611b67588ae7/analysis/; classtype:policy-violation; sid:32949; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 4E 80 F2 79 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32935; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 EA 62 80 F2 B4 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32934; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32933; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32932; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D1 CE D2 D5 A1 C9 D5 D5 D1 A1 D3 C4 D0 D4 C4 D2 D5 BE|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32931; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4F 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4E 67 47 47|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32930; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32929; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|13 2F 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32928; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|09 22 33 30 28 35 2C|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32927; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0C 66 66 66|"; depth:22; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32926; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20 1F|"; depth:23; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32925; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32924; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D3 C4 D2 D1 CE CF D2 C4 A1 B3 B1 B1 A1 CE CA A0 A0 A0|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32923; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4D 5A 4C 4F 50 51 4C 5A 3F 2D 2F 2F 3F 50 54 3E 3E 3E|"; depth:22; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32922; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 74 BA F2 B9 75|"; depth:74; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32921; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 64 BA F2 56|"; depth:50; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32920; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|C9 06 D9 96 FC 37 23 5A FE F9 40 BA 4C 94 14 98|"; depth:16; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32919; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Bladbindi obfuscated with Yano Obfuscator download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"YanoAttribute"; fast_pattern:only; content:"ObfuscationAttribute"; content:"StripAfterObfuscation"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/b9cf049a38d52f79e2a9c2d84b9bbc5ad39263a8b663cceda5cae12a3bdb65b8/analysis/; classtype:trojan-activity; sid:33208; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.CTB-Locker download attempt"; flow:established,to_server; flowbits:isset,file.exe; file_data; content:"|D6 09 D9 91 7A 29 69 46 49 F1 0F AE 48 15 A0 AB 1F 41 58 21 80 FB F7 8F C4 19 A9 F7 E7 A4 AE B9|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/f8549c7f866cc31c7ee379134383f96ff38c0a6d7ffbfe93ffedf97351cf254f/analysis/; classtype:trojan-activity; sid:33759; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.CTB-Locker download attempt"; flow:established,to_client; flowbits:isset,file.exe; file_data; content:"|D6 09 D9 91 7A 29 69 46 49 F1 0F AE 48 15 A0 AB 1F 41 58 21 80 FB F7 8F C4 19 A9 F7 E7 A4 AE B9|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/f8549c7f866cc31c7ee379134383f96ff38c0a6d7ffbfe93ffedf97351cf254f/analysis/; classtype:trojan-activity; sid:33758; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Downloader.Latekonsul Runtime Detection"; flow:to_server,established; content:"/vod/brig.almador/data.cfg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6348dd70583de2d740bf861a2892b462446b9a0fd32eb814906516b01c3b08ec/analysis/; classtype:trojan-activity; sid:33874; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Executable control panel file download request"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; content:".cpl"; within:50; distance:26; fast_pattern; nocase; content:!"bin/javacpl.cpl"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1196; reference:url,support.microsoft.com/en-us/kb/149648; classtype:misc-activity; sid:33943; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Executable control panel file download request"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; content:".cpl"; within:50; distance:26; fast_pattern; nocase; content:!"bin/javacpl.cpl"; metadata:policy security-ips alert, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1196; reference:url,support.microsoft.com/en-us/kb/149648; classtype:misc-activity; sid:33942; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Executable control panel file download request"; flow:to_server,established; content:".cpl"; fast_pattern:only; http_uri; pcre:"/\x2ecpl([\?\x5c\x2f]|$)/smiU"; metadata:policy security-ips alert, service http; reference:url,attack.mitre.org/techniques/T1196; reference:url,support.microsoft.com/en-us/kb/149648; classtype:misc-activity; sid:33941; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Executable control panel file attachment detected"; flow:to_server,established; content:".cpl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ecpl[\x22\x27\s]/si"; metadata:policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1196; reference:url,support.microsoft.com/en-us/kb/149648; classtype:misc-activity; sid:33940; rev:2;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"MALWARE-OTHER Executable control panel file attachment detected"; flow:to_client,established; content:".cpl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ecpl[\x22\x27\s]/si"; metadata:policy security-ips drop, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1196; reference:url,support.microsoft.com/en-us/kb/149648; classtype:misc-activity; sid:33939; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Html.Phishing.Crea outbound connection attempt"; flow:to_server,established; content:"SSN3="; http_client_body; content:"CARDEXPYYYY="; fast_pattern:only; http_client_body; content:"mysubmitbutton="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a4eb48cb408a72cf3596151d6211c0430c60233a010dd943a29dd5eb8a62ee57/analysis/; classtype:trojan-activity; sid:34336; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Downloader.Temvice outbound communication attempt"; flow:to_server,established; content:"User|2D|Agent|3A 20|InetURL"; fast_pattern:only; http_header; content:"|3F|action|3D|"; http_uri; content:"|26|id|3D|"; within:10; http_uri; content:"|3C 3E|"; within:2; distance:23; http_uri; content:"|26|pass|3D|"; within:6; distance:29; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/83CD7C60A97A9E6849713A4F8AB768BB9C72942D9B416A78FF1758D357DB3A29/analysis/; classtype:trojan-activity; sid:28381; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Urausy outbound traffic attempt"; flow:to_server,established; urilen:110<>150; content:"/"; http_uri; content:!"/"; distance:0; http_uri; content:".html"; distance:100; content:"|0D 0A|User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Host: "; fast_pattern:only; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/1e58f55d35c71f42c56ddd3b50f3ee32a8632dbd6ced812882f20a8228902a39/analysis/; classtype:trojan-activity; sid:34930; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Adobe Flash exploit download attempt - Group 6"; flow:to_server,established; content:"/en/?1"; fast_pattern:only; http_uri; urilen:6; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:trojan-activity; sid:34992; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Group 6 Adobe Flash exploit download attempt"; flow:to_server,established; content:"/en/"; depth:4; nocase; http_uri; content:"=.jpg"; fast_pattern:only; http_uri; content:!"&"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:trojan-activity; sid:34991; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Adobe Flash exploit download attempt - Group 6"; flow:to_server,established; content:"/en/.jpg"; fast_pattern:only; http_uri; urilen:8; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:trojan-activity; sid:34990; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Malumpos malware download attempt"; flow:to_server,established; file_data; content:"|69 00 00 00 28 28|b|7C|B|29 5B|0-9|5D 7B|13,19|7D 5C 5E 5B|A-Za-z|5C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/29e45b1b9bdbe9cbc6da7e52259c214143c8322b63759a2d779d2d8c758f7d45/analysis/; classtype:trojan-activity; sid:35004; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Malumpos malware download attempt"; flow:to_client,established; file_data; content:"|69 00 00 00 28 28|b|7C|B|29 5B|0-9|5D 7B|13,19|7D 5C 5E 5B|A-Za-z|5C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/29e45b1b9bdbe9cbc6da7e52259c214143c8322b63759a2d779d2d8c758f7d45/analysis/; classtype:trojan-activity; sid:35003; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate transfer for EXEPROXY attempt"; flow:to_client,established; ssl_state:server_hello; content:"WashingTon"; fast_pattern:only; content:"WebMaster@Microsoft.com"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; classtype:trojan-activity; sid:36241; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt"; flow:to_client,established; file_data; content:"<!-- PHOEN!X -->"; fast_pattern:only; content:"apass"; content:"submit.x"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,virustotal.com/en/url/7eb12819634b67b80fbb6d1cfd3193100b1fbc162e5ff76cfdc31e0a899c0086/analysis/; classtype:trojan-activity; sid:36338; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Worm.Pixipos Outbound Connection Attempt"; flow:to_server,established; content:"/s/gate.php"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|osc|22||3B| filename=|22|"; offset:64; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e21fd5ef81573c76276072b9c2c7456c0630bfa823a013dc379530cbdd090922/analysis/1450816646/; classtype:trojan-activity; sid:37222; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Samas variant download attempt"; flow:to_server,established; file_data; content:"M|00|t|00|A|00|e|00|S|00|K|00|e|00|Y|00|F|00|o|00|r|00|F|00|i|00|l|00|e"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac/analysis/; classtype:trojan-activity; sid:38280; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Samas variant download attempt"; flow:to_client,established; file_data; content:"M|00|t|00|A|00|e|00|S|00|K|00|e|00|Y|00|F|00|o|00|r|00|F|00|i|00|l|00|e"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac/analysis/; classtype:trojan-activity; sid:38279; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Samas variant download attempt"; flow:to_server,established; file_data; content:"M|00|M|00|t|00|t|00|_|00|A|00|e|00|S|00|_|00|K|00|e|00|Y|00|_|00|F|00|o|00|r|00|_|00|F|00|i|00|l|00|e"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac/analysis/; classtype:trojan-activity; sid:38361; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Samas variant download attempt"; flow:to_client,established; file_data; content:"M|00|M|00|t|00|t|00|_|00|A|00|e|00|S|00|_|00|K|00|e|00|Y|00|_|00|F|00|o|00|r|00|_|00|F|00|i|00|l|00|e"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac/analysis/; classtype:trojan-activity; sid:38360; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_server,established; file_data; content:"|B8 4F EC C4 4E F7 E1 C1 EA 02 6B D2 0D 8B C1 2B C2 83 F8 08 0F 9F C0 8B D1 C1 FA 05 80 E2 F8 F6 EA 88 84 31|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/f5ab764c439a45ed892a3346f228d36f24d7f2377d4cddc5e82a0566f8521082/analysis/; classtype:trojan-activity; sid:38377; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_server,established; file_data; content:"|8D 30 8B 00 68 78 86 01 10 89 45 D0 FF 15 20 30 01 10 8B 46 08 8D 55 FC 8D 4D E8 C7 45 E8 7C 86 01 10 FF 70|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/9328e0a1c45d7ac10e796f351f749b4b5258a1f9beff70f410a27179a6a876a7/analysis/; classtype:trojan-activity; sid:38376; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_server,established; file_data; content:"|8B 4C 24 0C 8D 84 24 B8 02 00 00 89 44 24 6C B8 00 00 00 80 89 44 24 74 89 44 24 78 89 44 24 7C 89 84 24 80|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0210a8f8e729d1b81bf81e39874af98c379f92fcdf802d6d925eb9e65186dfd3/analysis/; classtype:trojan-activity; sid:38375; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_client,established; file_data; content:"|B8 4F EC C4 4E F7 E1 C1 EA 02 6B D2 0D 8B C1 2B C2 83 F8 08 0F 9F C0 8B D1 C1 FA 05 80 E2 F8 F6 EA 88 84 31|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/f5ab764c439a45ed892a3346f228d36f24d7f2377d4cddc5e82a0566f8521082/analysis/; classtype:trojan-activity; sid:38374; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_client,established; file_data; content:"|8D 30 8B 00 68 78 86 01 10 89 45 D0 FF 15 20 30 01 10 8B 46 08 8D 55 FC 8D 4D E8 C7 45 E8 7C 86 01 10 FF 70|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/9328e0a1c45d7ac10e796f351f749b4b5258a1f9beff70f410a27179a6a876a7/analysis/; classtype:trojan-activity; sid:38373; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_client,established; file_data; content:"|8B 4C 24 0C 8D 84 24 B8 02 00 00 89 44 24 6C B8 00 00 00 80 89 44 24 74 89 44 24 78 89 44 24 7C 89 84 24 80|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0210a8f8e729d1b81bf81e39874af98c379f92fcdf802d6d925eb9e65186dfd3/analysis/; classtype:trojan-activity; sid:38372; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"Bewerbungsunterlagen.PDF.exePK"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/37112f3d0def0006ca1445799547a2b501a0b7b6939bba304863fcc76949138f/analysis/; classtype:trojan-activity; sid:38454; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; file_data; content:"|76 48 18 89 FF E0 4F C1 CE 1A 41 33 DD 2B CB C1 C0 04 E8 A4 D8 FF FF C1 C1 13 89 0D 08 B6 43 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/7e3aae38e1a43dc043910d86412b5fbd7fb0ee1b027ec4d822dc50533624879c/analysis/; classtype:trojan-activity; sid:38453; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"Bewerbungsmappe-gepackt.exePK"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/019a6fda29af707476b2c58e5b6bbf306e8c248671c8f4dc7424e474018376a1/analysis/; classtype:trojan-activity; sid:38452; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; file_data; content:"|9B 75 F2 81 28 54 2A 88 A9 C0 48 C7 8B 67 D1 33 BF B2 C1 E6 0C 39 B1 51 D8 35 F8 4E 24 E9 75 37|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf/analysis/; classtype:trojan-activity; sid:38451; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; file_data; content:"|C1 CE 11 03 F0 89 3D 60 75 49 00 C1 C6 05 40 81 EE 53 17 DB F6 C1 CA 1B 46 C1 C1 01 4E F7 D3 81|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c/analysis/; classtype:trojan-activity; sid:38450; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; file_data; content:"|81 F6 FE AE 8E 27 81 F6 FE AE 8E 27 49 87 D7 33 F9 87 D6 2B C1 81 C6 84 F0 65 D1 C1 C2 12 2B F0|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/50d27af49a2e50baa47f13c59625fa0a29938253f1f46e6ffb2aacbc2dc196d1/analysis/; classtype:trojan-activity; sid:38449; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; file_data; content:"|C1 CF 19 C1 C7 19 33 D5 C1 C8 08 81 C2 2D A8 5D 00 46 F7 D3 03 F0 F7 DF 4A 2B D5 C1 C1 09 81 F6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/E99eccfc1473800ea6e2e730e733c213f18e817c0c6501209f4ee40408f94951/analysis/; classtype:trojan-activity; sid:38448; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"Bewerbungsunterlagen.PDF.exePK"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/37112f3d0def0006ca1445799547a2b501a0b7b6939bba304863fcc76949138f/analysis/; classtype:trojan-activity; sid:38447; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"BewerbungsmappePDF.exePK"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/7e3aae38e1a43dc043910d86412b5fbd7fb0ee1b027ec4d822dc50533624879c/analysis/; classtype:trojan-activity; sid:38446; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; file_data; content:"|76 48 18 89 FF E0 4F C1 CE 1A 41 33 DD 2B CB C1 C0 04 E8 A4 D8 FF FF C1 C1 13 89 0D 08 B6 43 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/019a6fda29af707476b2c58e5b6bbf306e8c248671c8f4dc7424e474018376a1/analysis/; classtype:trojan-activity; sid:38445; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; file_data; content:"|9B 75 F2 81 28 54 2A 88 A9 C0 48 C7 8B 67 D1 33 BF B2 C1 E6 0C 39 B1 51 D8 35 F8 4E 24 E9 75 37|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf/analysis/; classtype:trojan-activity; sid:38444; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; file_data; content:"|C1 CE 11 03 F0 89 3D 60 75 49 00 C1 C6 05 40 81 EE 53 17 DB F6 C1 CA 1B 46 C1 C1 01 4E F7 D3 81|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c/analysis/; classtype:trojan-activity; sid:38443; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; file_data; content:"|C1 CF 19 C1 C7 19 33 D5 C1 C8 08 81 C2 2D A8 5D 00 46 F7 D3 03 F0 F7 DF 4A 2B D5 C1 C1 09 81 F6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/50d27af49a2e50baa47f13c59625fa0a29938253f1f46e6ffb2aacbc2dc196d1/analysis/; classtype:trojan-activity; sid:38442; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; file_data; content:"|81 F6 FE AE 8E 27 81 F6 FE AE 8E 27 49 87 D7 33 F9 87 D6 2B C1 81 C6 84 F0 65 D1 C1 C2 12 2B F0|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/E99eccfc1473800ea6e2e730e733c213f18e817c0c6501209f4ee40408f94951/analysis/; classtype:trojan-activity; sid:38441; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"MALWARE-OTHER samsam sqlsrvtmg1.exe file load attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"|5C 00|s|00|q|00|l|00|s|00|r|00|v|00|t|00|m|00|g|00|1|00|.|00|e|00|x|00|e|00 00 00|"; fast_pattern:only; metadata:impact_flag red, service netbios-ssn; classtype:trojan-activity; sid:38502; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"MALWARE-OTHER samsam samsam.exe file load attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"|5C 00|s|00|a|00|m|00|s|00|a|00|m|00|.|00|e|00|x|00|e|00 00 00|"; fast_pattern:only; metadata:impact_flag red, service netbios-ssn; classtype:trojan-activity; sid:38501; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"MALWARE-OTHER samsam delfiletype.exe file load attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"|5C 00|d|00|e|00|l|00|f|00|i|00|l|00|e|00|t|00|y|00|p|00|e|00|.|00|e|00|x|00|e|00 00 00|"; fast_pattern:only; metadata:impact_flag red, service netbios-ssn; classtype:trojan-activity; sid:38500; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER samsam sqlsrvtmg1.exe file load attempt"; flow:to_server,established; content:"|2F|sqlsrvtmg1.exe"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; sid:38499; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER samsam samsam.exe file load attempt"; flow:to_server,established; content:"|2F|samsam.exe"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; sid:38498; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER samsam delfiletype.exe file load attempt"; flow:to_server,established; content:"|2F|delfiletype.exe"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; sid:38497; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER XBot CC Social Engineering"; flow:to_server,established; content:"Referer: http://melon25.ru/gp/gp_ru.html"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/; classtype:trojan-activity; sid:38529; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Troll dropper document file detected"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"HYPERLINK |22|https|3A|//support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/intelligence/search/?query=morelikestoday.com%2Foffice.exe; classtype:trojan-activity; sid:38526; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Troll dropper document file detected"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"HYPERLINK |22|https|3A|//support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/intelligence/search/?query=morelikestoday.com%2Foffice.exe; classtype:trojan-activity; sid:38525; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|F6 0C 4E A3 B5 1E 76 42 26 4A AC CE C5 02 40 00 A8 38 61 78 B8 D8 19 00 33 36 98 3A 94 EE 7A 81 03 22 BA 09|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/10c73a405d2fb8c5b13854f736c394e5e155709993228c7f56a43ea92c9ac463/analysis/; classtype:trojan-activity; sid:38665; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|CA 76 0B DC E7 16 56 1F A0 C9 16 F7 BB BD 6F 3E 10 06 C7 47 20 06 A7 C9 42 57 52 F8 1E A9 BA D0 2E 07 00 6C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/a5816c5d456f9e4b952caca6b45be0717f4c66bbd8ebc1e61ebc45e723ad8dfd/analysis/; classtype:trojan-activity; sid:38664; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|9C 85 A5 F6 F7 C5 5F 0F 89 6C 0A F7 D9 83 D3 3C 14 15 D0 2B A3 08 68 40 42 9F 10 F7 23 E0 D9 B8 F4 29 D8 D3|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/316d9e2cc232e8baa8c533468919c11a41f09772419eb517d4e0599edc5251bf/analysis/; classtype:trojan-activity; sid:38663; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|8D 85 D0 FE FF FF 89 44 24 08 C7 44 24 04 64 40 40 00 C7 04 24 00 00 00 00 E8 9C 08 00 00 83 EC 18 FF 45 F4|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/179eeacbd6e860b59d35312f5a9e72e1a5cd9cb147aaf482514d681a8bc7d16b/analysis/; classtype:trojan-activity; sid:38662; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|8B 45 0C C7 44 24 04 64 70 42 00 89 04 24 E8 B8 46 02 00 C7 44 24 04 12 27 00 00 89 1C 24 89 C6 8B 45 08 89|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/78db0d5c2752770814b17925239914e9075b5950b1ec2ce8415bfb46769b1028/analysis/; classtype:trojan-activity; sid:38661; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|82 1C 82 41 3B 14 6C 03 05 2C 11 B9 F4 B6 59 F0 88 44 EE FD 6A AC F1 7D 2E 16 8B 69 70 16 96 2A ED 1C E1 16|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/32363684303ff69b7049a86253895a5184a98c247b0919e03b33d87241111fe6/analysis/; classtype:trojan-activity; sid:38660; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|24 68 0B 1C 82 E6 AC 94 69 A6 04 E0 69 D5 56 E0 0A 4E 0C B5 85 0C 88 57 4C 8B BC 04 07 7B 58 3F 15 2C AB 95|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/1c797967d2948ccb92cc7e939b80f18e1cb8dab35418ac51348e3fd1825a3696/analysis/; classtype:trojan-activity; sid:38659; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|22 E5 8E 5B E9 10 DB C2 74 3C 39 10 F8 D0 62 86 1F 0C 8E 1D 87 33 BC A7 84 24 54 5A F5 E2 10 23 B3 7E 48 28|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/373f91994b684b056f77958b40155cf34b1f24b401831d7a1dd53b2e6ba92ce9/analysis/; classtype:trojan-activity; sid:38658; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|F6 0C 4E A3 B5 1E 76 42 26 4A AC CE C5 02 40 00 A8 38 61 78 B8 D8 19 00 33 36 98 3A 94 EE 7A 81 03 22 BA 09|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/10c73a405d2fb8c5b13854f736c394e5e155709993228c7f56a43ea92c9ac463/analysis/; classtype:trojan-activity; sid:38657; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|CA 76 0B DC E7 16 56 1F A0 C9 16 F7 BB BD 6F 3E 10 06 C7 47 20 06 A7 C9 42 57 52 F8 1E A9 BA D0 2E 07 00 6C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/a5816c5d456f9e4b952caca6b45be0717f4c66bbd8ebc1e61ebc45e723ad8dfd/analysis/; classtype:trojan-activity; sid:38656; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|9C 85 A5 F6 F7 C5 5F 0F 89 6C 0A F7 D9 83 D3 3C 14 15 D0 2B A3 08 68 40 42 9F 10 F7 23 E0 D9 B8 F4 29 D8 D3|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/316d9e2cc232e8baa8c533468919c11a41f09772419eb517d4e0599edc5251bf/analysis/; classtype:trojan-activity; sid:38655; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|8D 85 D0 FE FF FF 89 44 24 08 C7 44 24 04 64 40 40 00 C7 04 24 00 00 00 00 E8 9C 08 00 00 83 EC 18 FF 45 F4|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/179eeacbd6e860b59d35312f5a9e72e1a5cd9cb147aaf482514d681a8bc7d16b/analysis/; classtype:trojan-activity; sid:38654; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|8B 45 0C C7 44 24 04 64 70 42 00 89 04 24 E8 B8 46 02 00 C7 44 24 04 12 27 00 00 89 1C 24 89 C6 8B 45 08 89|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/78db0d5c2752770814b17925239914e9075b5950b1ec2ce8415bfb46769b1028/analysis/; classtype:trojan-activity; sid:38653; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|82 1C 82 41 3B 14 6C 03 05 2C 11 B9 F4 B6 59 F0 88 44 EE FD 6A AC F1 7D 2E 16 8B 69 70 16 96 2A ED 1C E1 16|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/32363684303ff69b7049a86253895a5184a98c247b0919e03b33d87241111fe6/analysis/; classtype:trojan-activity; sid:38652; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|24 68 0B 1C 82 E6 AC 94 69 A6 04 E0 69 D5 56 E0 0A 4E 0C B5 85 0C 88 57 4C 8B BC 04 07 7B 58 3F 15 2C AB 95|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/1c797967d2948ccb92cc7e939b80f18e1cb8dab35418ac51348e3fd1825a3696/analysis/; classtype:trojan-activity; sid:38651; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|22 E5 8E 5B E9 10 DB C2 74 3C 39 10 F8 D0 62 86 1F 0C 8E 1D 87 33 BC A7 84 24 54 5A F5 E2 10 23 B3 7E 48 28|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/373f91994b684b056f77958b40155cf34b1f24b401831d7a1dd53b2e6ba92ce9/analysis/; classtype:trojan-activity; sid:38650; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_server,established; file_data; content:"|56 E8 C7 02 00 00 C1 F8 05 56 8D 3C 85 00 34 43 00 E8 B7 02 00 00 83 E0 1F 59 C1 E0 06 03 07 59 EB 05 B8 D0|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/61a12cf8f95e38e26f3f24c96ebf8d3a1c5e363f692aea6cc3297005c982fa2c/analysis/; classtype:trojan-activity; sid:38893; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_client,established; file_data; content:"|56 E8 C7 02 00 00 C1 F8 05 56 8D 3C 85 00 34 43 00 E8 B7 02 00 00 83 E0 1F 59 C1 E0 06 03 07 59 EB 05 B8 D0|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/61a12cf8f95e38e26f3f24c96ebf8d3a1c5e363f692aea6cc3297005c982fa2c/analysis/; classtype:trojan-activity; sid:38892; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Flopex outbound communication attempt"; flow:to_server,established; content:"/vip_asshole/"; http_uri; content:".zip"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/535E4DC11B4F0FAF749957423CDACEE56EA6AF9357446ED6BFFB22C76CCD2FD2/analysis/; classtype:trojan-activity; sid:39357; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Lamer outbound communication attempt"; flow:to_server,established; content:"/kills.txt"; fast_pattern:only; http_uri; urilen:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/F9FE186D004EC0230DE6046FF2DBDEB7E0258F5238B8F66691E80239BDDE4DE1/analysis/; classtype:trojan-activity; sid:39356; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Ranscam initial download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"RiRJLCalUypXCLPRiRJLCalUypXCLPERJuNBYECvZYdYUERJuNBYECvZYdYU"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/9541fadfa0c779bcbae5f2567f7b163db9384b7ff6d44f525fea3bb2322534de/analysis/; classtype:trojan-activity; sid:39637; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER MKVIS outbound communication attempt"; flow:to_server,established; content:"/panel/insert"; fast_pattern:only; http_uri; urilen:14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39713; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Xtrat outbound connection detected"; flow:to_server,established; content:"/plugin.xtr"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,virustotal.com/en/file/E7153E30727FD7BEFD7BE78CC3CB0F7D552B26E550BAB46D0CA91D363E09FDD3/analysis/; classtype:trojan-activity; sid:39734; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Alfa download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"uVUcRZwMC8MDb1ozfB9"; fast_pattern:only; content:"K4WbE6jpTMBSY79c5M1"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/606a9e10404805fd67180adf9bbbf43e74f9c4784ad2d41d825c4e64bfccba85/analysis/; classtype:trojan-activity; sid:39769; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Alfa download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"uVUcRZwMC8MDb1ozfB9"; fast_pattern:only; content:"K4WbE6jpTMBSY79c5M1"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/606a9e10404805fd67180adf9bbbf43e74f9c4784ad2d41d825c4e64bfccba85/analysis/; classtype:trojan-activity; sid:39768; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Downloader.Ogimant outbound connection detected"; flow:to_server,established; content:"/data_get_params"; fast_pattern:only; nocase; http_uri; content:"files="; nocase; http_uri; content:"name="; nocase; http_uri; content:"rnd="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7A836A89AFE265CBD8D09656B7B6A70967667BDC9A0594BBAD29E78BADF8E590/analysis/; classtype:trojan-activity; sid:39766; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page"; flow:to_server,established; file_data; content:"icanhazip.com"; fast_pattern:only; content:"powershell"; nocase; content:"-Exec"; within:35; nocase; content:"Sleep"; nocase; content:"taskkill"; within:35; nocase; content:"iexplore"; within:35; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1086; reference:url,virustotal.com/en/file/0CF2C0165CDC3962AD8C3AC27258FDAB4DCECB7121BA97856B66D22FD77AEFCA/analysis/; classtype:trojan-activity; sid:39756; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page"; flow:to_client,established; file_data; content:"icanhazip.com"; fast_pattern:only; content:"powershell"; nocase; content:"-Exec"; within:35; nocase; content:"Sleep"; nocase; content:"taskkill"; within:35; nocase; content:"iexplore"; within:35; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; reference:url,virustotal.com/en/file/0CF2C0165CDC3962AD8C3AC27258FDAB4DCECB7121BA97856B66D22FD77AEFCA/analysis/; classtype:trojan-activity; sid:39755; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Apocalypse download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|8A 0D 40 30 40 00 8A D0 80 EA 4B 32 D0 8A D8 02 DB 02 D3 02 D1 80 C2 2D 30 14 28 40 3B C7 72 E6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/aab148f9445f8ea69a6992a245037919b96c7b6457d35732f4171e371359aee5/analysis/; classtype:trojan-activity; sid:39747; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Apocalypse download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|8A 0D 40 30 40 00 8A D0 80 EA 4B 32 D0 8A D8 02 DB 02 D3 02 D1 80 C2 2D 30 14 28 40 3B C7 72 E6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/aab148f9445f8ea69a6992a245037919b96c7b6457d35732f4171e371359aee5/analysis/; classtype:trojan-activity; sid:39746; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.FakeRean outbound connection detection"; flow:to_server,established; content:"/httpss/ldr123.php?"; fast_pattern:only; http_uri; content:"v="; nocase; http_uri; content:"step="; nocase; http_uri; content:"hostid="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/E60BD65D7AC152B595C3ABCC15BB5E0F63FA21B696F51C339B4AF1739B1CDCB6/analysis/; classtype:trojan-activity; sid:39745; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected"; flow:to_server,established; content:"/api_v2/json/send/executereport"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3215E4CD183D9C35BACFF1791F67B89E83D7FA03E937D64BCC909D8E339B6DEB/analysis/; classtype:trojan-activity; sid:39806; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected"; flow:to_server,established; content:"/api_v2/json/send/analyticsreport"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3215E4CD183D9C35BACFF1791F67B89E83D7FA03E937D64BCC909D8E339B6DEB/analysis/; classtype:trojan-activity; sid:39805; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected"; flow:to_server,established; content:"/api_v2/json/send/errorreport"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3215E4CD183D9C35BACFF1791F67B89E83D7FA03E937D64BCC909D8E339B6DEB/analysis/; classtype:trojan-activity; sid:39804; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected"; flow:to_server,established; content:"/api_v2/"; nocase; http_uri; content:"/get/initialization"; within:30; http_uri; content:"data="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3215E4CD183D9C35BACFF1791F67B89E83D7FA03E937D64BCC909D8E339B6DEB/analysis/; classtype:trojan-activity; sid:39803; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-OTHER Win.Trojan.CrypMIC outbound connection detected"; flow:to_server,established; content:"|00|BOTIDB"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/fdbe8ae58b15a3d35edfa09cb46d0a5ec7b5836e59dad926244d410b7eccac44/analysis/; classtype:trojan-activity; sid:39830; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Lethic outbound connection detected"; flow:to_server,established; content:"/ip/header"; fast_pattern:only; http_uri; content:"id_ip="; nocase; http_uri; content:"id_provider="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/707B2ED8F4B6183E61FBD5057FB769E1623B08602DA70210E9AE65C32D8113C3/analysis/; classtype:trojan-activity; sid:39807; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt"; flow:to_server,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; content:"2e65786500"; nocase; content:"004d5a"; within:6; distance:6; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/a9cafe63c7530e0ad5adba507e6406221c8971f6d93ec711d577605ec394f124/analysis/; classtype:trojan-activity; sid:39907; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; content:"2e65786500"; nocase; content:"004d5a"; within:6; distance:6; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/a9cafe63c7530e0ad5adba507e6406221c8971f6d93ec711d577605ec394f124/analysis/; classtype:trojan-activity; sid:39906; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt"; flow:to_server,established; flowbits:isset,file.rtf.embed; file_data; content:"2e65786500"; nocase; content:"004d5a"; within:6; distance:6; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/a9cafe63c7530e0ad5adba507e6406221c8971f6d93ec711d577605ec394f124/analysis/; classtype:trojan-activity; sid:39905; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt"; flow:to_client,established; flowbits:isset,file.rtf.embed; file_data; content:"2e65786500"; nocase; content:"004d5a"; within:6; distance:6; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/a9cafe63c7530e0ad5adba507e6406221c8971f6d93ec711d577605ec394f124/analysis/; classtype:trojan-activity; sid:39904; rev:1;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER pisloader DNS sinfo command response attempt"; flow:to_server; content:"|81 80|"; offset:2; content:"|01|"; distance:1; content:"|01|"; distance:2; content:"|08|"; content:"ONUWM3Y"; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/en/domain/ns1.logitech-usa.com/information/; classtype:trojan-activity; sid:39929; rev:1;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER pisloader DNS open command response attempt"; flow:to_server; content:"|81 80|"; offset:2; content:"|01|"; distance:1; content:"|01|"; distance:2; content:"|08|"; content:"N5YGK3Q"; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/en/domain/ns1.logitech-usa.com/information/; classtype:trojan-activity; sid:39928; rev:1;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER pisloader DNS list command response attempt"; flow:to_server; content:"|81 80|"; offset:2; content:"|01|"; offset:1; content:"|01|"; distance:2; content:"|08|"; content:"NRUXG5A"; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/en/domain/ns1.logitech-usa.com/information/; classtype:trojan-activity; sid:39927; rev:1;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER pisloader DNS drive command response attempt"; flow:to_server; content:"|81 80|"; offset:2; content:"|01|"; distance:1; content:"|01|"; distance:2; content:"|09|"; content:"MRZGS5TF"; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/en/domain/ns1.logitech-usa.com/information/; classtype:trojan-activity; sid:39926; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Andr.Trojan.KungFu variant download"; flow:to_server,established; file_data; content:"|FB 97 A0 BB EF C1 3F 84 F4 AE C0 B9 90 E7 7B E8 FD 13 D8 F3 2D B0 83 C5 B0 AF 7C B4 3B 00 1F D6 0E F0 16 DA|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/6c4aebf5043ea6129122ebf482366c9f7cb5fbe02e2bb776345d32d89b77a2e0/analysis/; classtype:trojan-activity; sid:39975; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Andr.Trojan.KungFu variant download"; flow:to_client,established; file_data; content:"|FB 97 A0 BB EF C1 3F 84 F4 AE C0 B9 90 E7 7B E8 FD 13 D8 F3 2D B0 83 C5 B0 AF 7C B4 3B 00 1F D6 0E F0 16 DA|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/6c4aebf5043ea6129122ebf482366c9f7cb5fbe02e2bb776345d32d89b77a2e0/analysis/; classtype:trojan-activity; sid:39974; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"function contains(healing, reproduce) {"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40057; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"function contains(healing, reproduce) {"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40056; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"function ProcessFolder(chickaPath)"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40055; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"WScript"; fast_pattern; content:"Quit"; within:25; content:"Windows_NT"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40054; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"WScript"; fast_pattern; content:"Quit"; within:25; content:"'+'"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40053; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"function ProcessFolder(chickaPath)"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40052; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"WScript"; fast_pattern; content:"Quit"; within:25; content:"Windows_NT"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40051; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"WScript"; fast_pattern; content:"Quit"; within:25; content:"'+'"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40050; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"String.prototype."; fast_pattern; content:"= function () { return this.substr(0, 1)|3B| }|3B|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40202; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"String.prototype."; fast_pattern; content:"= function () { return this.substr(0, 1)|3B| }|3B|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40201; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"WScript.Echo"; fast_pattern:only; content:"|3B|}()) + (function"; content:"(){return"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40200; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"WScript.Echo"; fast_pattern:only; content:"|3B|}()) + (function"; content:"(){return"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40199; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"WScript.CreateObject"; fast_pattern:only; content:"typeof WScript.StdErr"; content:"|22| + |22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40198; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"WScript.CreateObject"; fast_pattern:only; content:"typeof WScript.StdErr"; content:"|22| + |22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40197; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"WScript.Quit"; fast_pattern:only; content:"|22|+|22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40196; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"WScript.Quit"; fast_pattern:only; content:"|22|+|22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40195; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"String.fromCharCode"; fast_pattern:only; content:"this.x ="; content:"this.y ="; content:"this.selectedFrame = 0|3B|"; content:"this.getNew(index)|3B|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40194; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"String.fromCharCode"; fast_pattern:only; content:"this.x ="; content:"this.y ="; content:"this.selectedFrame = 0|3B|"; content:"this.getNew(index)|3B|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40193; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"CreateObject"; fast_pattern:only; content:"system32"; content:"|22|+|22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40192; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"CreateObject"; fast_pattern:only; content:"system32"; content:"|22|+|22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40191; rev:1;)
# alert tcp $EXTERNAL_NET [80,65520] -> $HOME_NET any (msg:"MALWARE-OTHER Virut CnC command reply"; flow:to_client,established; content:":Hi virtu|0A|:irc"; fast_pattern:only; content:":End of /MOTD command."; metadata:impact_flag red, policy security-ips drop; reference:url,virustotal.com/en/file/56c0e8231989deb494559ac4e5589c504c31b9137f05ca8c75ffcb8cbef7b58d/analysis/; classtype:trojan-activity; sid:40871; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_server,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40913; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_client,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40912; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack"; flow:established,to_server; content:"U dun goofed"; fast_pattern:only; content:"U dun goofed"; depth:12; content:"U dun goofed"; content:"U dun goofed"; reference:url,attack.mitre.org/techniques/T1078; reference:url,sourceforge.net/projects/loic/; classtype:attempted-dos; sid:41440; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"-window hidden -e cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e/analysis/; classtype:trojan-activity; sid:41659; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"-window hidden -e cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e/analysis/; classtype:trojan-activity; sid:41658; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER VBScript potential executable write attempt"; flow:to_client,established; file_data; content:"CreateObject"; content:"Scripting.FileSystemObject"; within:50; fast_pattern; content:"CreateObject"; content:"WScript.Shell"; within:40; content:"</script"; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ecfb852662d8127673332939f8b062645797e91bce6acae0615e24334a3df2ad/analysis/; classtype:trojan-activity; sid:41660; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Downloader.Carp variant download attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"V1NjcmlwdC5TaGVsbA=="; content:"TWljcm9zb2Z0LlhNTERPTQ=="; content:"YmluLmJhc2U2NA=="; content:"QURPREIuU3RyZWFt"; content:"JUFQUERBVEEl"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/10f53502922bf837900935892fb1da28fc712848471bf4afcdd08440d3bd037f/analysis/; classtype:trojan-activity; sid:42825; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Downloader.Carp variant download attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT0"; fast_pattern:only; content:"TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ=="; content:"TG1WNFpRPT0="; content:"TG1Oeg=="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/10f53502922bf837900935892fb1da28fc712848471bf4afcdd08440d3bd037f/analysis/; classtype:trojan-activity; sid:42824; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Downloader.Carp variant download attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"V1NjcmlwdC5TaGVsbA=="; content:"TWljcm9zb2Z0LlhNTERPTQ=="; content:"YmluLmJhc2U2NA=="; content:"QURPREIuU3RyZWFt"; content:"JUFQUERBVEEl"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/10f53502922bf837900935892fb1da28fc712848471bf4afcdd08440d3bd037f/analysis/; classtype:trojan-activity; sid:42823; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Downloader.Carp variant download attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT0"; fast_pattern:only; content:"TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ=="; content:"TG1WNFpRPT0="; content:"TG1Oeg=="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/10f53502922bf837900935892fb1da28fc712848471bf4afcdd08440d3bd037f/analysis/; classtype:trojan-activity; sid:42822; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.NemucodAES variant outbound connection"; flow:to_server,established; content:"/counter?000000"; depth:15; http_uri; content:!"Referer|3A|"; nocase; http_header; content:"Accept: */*"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/1acf051c4d42f6fc2105a489b945e68c57e93a76f562263e2fc6376384fa57e3/analysis/; classtype:trojan-activity; sid:43686; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Nemucod variant outbound connection"; flow:to_server,established; content:"Connection|3A| Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; http_header; urilen:<25; content:"="; depth:10; http_client_body; content:"%"; within:5; http_client_body; content:"%"; within:10; http_client_body; content:"%"; within:10; http_client_body; content:"%"; within:10; http_client_body; content:"%"; within:10; http_client_body; content:!"Cookie: "; http_header; content:"x-requested-with|3A| XMLHttpRequest"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/af211ceb9cb5d507ec76f481b346241acd8f1107718840459c6e60367e23a4cc/analysis/; classtype:trojan-activity; sid:43685; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Nemucod variant file download"; flow:to_server,established; content:"/counter/"; http_uri; content:".exe"; within:10; http_uri; content:!"Referer|3A|"; nocase; http_header; content:"Accept: */*"; nocase; http_header; content:"Connection|3A| Keep-Alive|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/634c006c5932617264afe7bd916c48d2f2e8043f8cbd513182f46c8f05985b6c/analysis/; classtype:trojan-activity; sid:43684; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Win.Ransomware.Sorebrect download attempt"; flow:to_server,established; file_data; content:"|25 00 00 FF 00 81 F1 00 00 00 01 81 E1 00 00 00 FF 33 C8 8B C3 C1 E8 18 0F B6 04 85 68 1C 41 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76/analysis/; classtype:trojan-activity; sid:43443; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Sorebrect download attempt"; flow:to_client,established; file_data; content:"|25 00 00 FF 00 81 F1 00 00 00 01 81 E1 00 00 00 FF 33 C8 8B C3 C1 E8 18 0F B6 04 85 68 1C 41 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76/analysis/; classtype:trojan-activity; sid:43442; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan-Downloader.Jadtree GET request of RAR file to server"; flow:to_server, established; content:"/aa/zz.rar"; fast_pattern:only; http_uri; content:"User-Agent|3A| "; http_header; pcre:"/User-Agent\x3A\x20\d+?\x0D\x0A/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2be5f5f01cb308f6bafdc8e7060124abc73de518e2539f2309f1e002f7c6836b/analysis/; classtype:trojan-activity; sid:43221; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Malware.Emotet variant lateral propagation"; flow:to_server,established; flowbits:isset,emotet.file_copy; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00 20 00|D|00|e|00|f|00|e|00|n|00|d|00|e|00|r|00 20 00|S|00|y|00|s|00|t|00|e|00|m|00 20 00|S|00|e|00|r|00|v|00|i|00|c|00|e|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/file/8d8b45aa8724458ea7711f13ee237bbd3e4c77669ebd91109b94620ecc52bc72/analysis/; classtype:trojan-activity; sid:43892; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Malware.Emotet variant lateral propagation"; flow:to_server,established; content:"|00|"; depth:1; content:"|FE|SMB@|00|"; within:6; distance:3; content:"|05 00|"; within:2; distance:6; content:"|39 00 00|"; within:3; distance:50; byte_extract:2,41,filename_offset,relative,little; content:"m|00|y|00|.|00|e|00|x|00|e|00 00|"; within:filename_offset; distance:-97; flowbits:set,emotet.file_copy; flowbits:noalert; metadata:impact_flag red, service netbios-ssn; reference:url,www.virustotal.com/file/8d8b45aa8724458ea7711f13ee237bbd3e4c77669ebd91109b94620ecc52bc72/analysis/; classtype:trojan-activity; sid:43891; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt"; flow:to_server,established; flowbits:isset,file.doc|file.docm; file_data; content:"OriginalDocumentID=|22|xmp.did:3398146C2C26E711A28FA3D548E093FD|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/583ddb480b42d04c7a8f960d950c7d52b46ed840354ae5cfa44d3c49e5239cab/detection; classtype:trojan-activity; sid:43976; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt"; flow:to_client,established; flowbits:isset,file.doc|file.docm; file_data; content:"OriginalDocumentID=|22|xmp.did:3398146C2C26E711A28FA3D548E093FD|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/583ddb480b42d04c7a8f960d950c7d52b46ed840354ae5cfa44d3c49e5239cab/detection; classtype:trojan-activity; sid:43975; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Nemucod file download"; flow:to_server,established; content:"/counter/?"; depth:10; fast_pattern; nocase; http_uri; content:"="; within:3; http_uri; content:"&"; distance:33; http_uri; content:"="; within:4; http_uri; content:!"Referer|3A|"; nocase; http_header; pcre:"/^\/counter\/\?[ai]d?\x3D/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/ba5f5f144f1d1dc555f7abef1b55a44d9bc815f51398a849145aadc7ee285411/analysis/; reference:url,www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/; classtype:trojan-activity; sid:44078; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection"; flow:to_server,established; content:"|16 03 02 00 81 01 00 00 7D 03 02|"; content:"|00 00 18 C0 14 C0 13 00 39 00 33 00 35 00 2F C0 0A C0 09 00 38 00 32 00 0A 00 13 01 00 00 3C 00 00 00 16 00 14 00 00 11|www.microsoft.com|00 05 00 05 01 00 00 00 00 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00 00 17 00 00 FF 01 00 01 00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1195; reference:url,blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html; classtype:trojan-activity; sid:44475; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection"; flow:to_server,established; content:"|14 03 02 00 01 01 16 03 02 00 40 9D 6D CF 97 6A A0 67 DE 89 7C D1 E4 E3 DB 85 84 BB DF 54 7D 86 D3 C6 C8 99 F6 05 BA 5B 41 DD 9E 9F E6 6E 49 38 9A 3D 50 DD 2E 9C 61 56 6E 4C 9F CF B9 57 EE 80 E8 57 77 F4 F2 47 11 B8 82 B0 D7|"; fast_pattern:only; rawbytes; metadata:impact_flag red, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1195; reference:url,blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html; classtype:trojan-activity; sid:44474; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|09 00|cscc.dat|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/; classtype:trojan-activity; sid:44650; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00|"; within:2; distance:8; content:"c|00|s|00|c|00|c|00|.|00|d|00|a|00|t"; nocase; content:!"|00 5C 00|"; within:3; distance:-18; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/; classtype:trojan-activity; sid:44649; rev:3;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|0B 00|infpub.dat|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/; classtype:trojan-activity; sid:44648; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00|"; within:2; distance:8; content:"i|00|n|00|f|00|p|00|u|00|b|00|.|00|d|00|a|00|t"; nocase; content:!"|00 5C 00|"; within:3; distance:-22; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/; classtype:trojan-activity; sid:44647; rev:3;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|5C 00|r|00|u|00|n|00|d|00|l|00|l|00|3|00|2|00|.|00|e|00|x|00|e"; fast_pattern:only; content:"|5C 00|i|00|n|00|f|00|p|00|u|00|b|00|.|00|d|00|a|00|t"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,www.virustotal.com/en/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/; classtype:trojan-activity; sid:44646; rev:4;)
alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Win.Ransomware.Kristina encryption over SMB attempt"; flow:to_client,established; content:"|FF|SMB"; depth:4; offset:4; content:"|32|"; within:1; content:"p|00|r|00|o|00|t|00|o|00|n|00|m|00|a|00|i|00|l|00 2E 00|c|00|h|00 2E 00|c|00|r|00|y|00|p|00|t|00|1|00|2|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/#/file/2980f3d4b10436aeec95f5b96e52ac1248be6649d7cfa26bade4203fe1de88c7/detection; classtype:trojan-activity; sid:44982; rev:1;)
alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Win.Ransomware.Kristina encryption over SMB attempt"; flow:to_client,established; content:"|FE|SMB"; depth:4; offset:4; content:"|0E 00|"; within:2; distance:8; content:"p|00|r|00|o|00|t|00|o|00|n|00|m|00|a|00|i|00|l|00 2E 00|c|00|h|00 2E 00|c|00|r|00|y|00|p|00|t|00|1|00|2|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/#/file/2980f3d4b10436aeec95f5b96e52ac1248be6649d7cfa26bade4203fe1de88c7/detection; classtype:trojan-activity; sid:44981; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.Samsam upload attempt"; flow:to_server,established; content:"|00 00 0A 2C 08 06 16 9A 28|"; content:"|00 00 0A 02 16 9A 28 03 00 00 06 28|"; within:12; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab/analysis/; classtype:trojan-activity; sid:45486; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00|"; within:2; distance:8; byte_jump:4,98,relative,little,from_beginning; content:".|00|s|00|t|00|u|00|b|00|b|00|i|00|n|00|"; within:16; distance:-18; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab/analysis/; classtype:trojan-activity; sid:45485; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:".stubbin|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab/analysis/; classtype:trojan-activity; sid:45484; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Ursnif variant download attempt"; flow:to_server,established; content:"/_private/php3.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fb58d736c09fe1f05a36c2fe2c0ce3cfe03ece885ba8272000355e35600aef17/analysis/; classtype:trojan-activity; sid:45565; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt"; flow:to_server; flowbits:isset,file.exe; file_data; content:"Release|5C|Thanatos.pdb"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/fe1eafb8e31a84c14ad5638d5fd15ab18505efe4f1becaa36eb0c1d75cd1d5a9; classtype:trojan-activity; sid:45818; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt"; flow:to_client; flowbits:isset,file.exe; file_data; content:"Release|5C|Thanatos.pdb"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/fe1eafb8e31a84c14ad5638d5fd15ab18505efe4f1becaa36eb0c1d75cd1d5a9; classtype:trojan-activity; sid:45817; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER VBscript downloader detected"; flow:to_server,established; file_data; content:"CreateObject("; fast_pattern; content:"WScri"; within:10; content:"Shell"; within:20; content:"Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B|"; nocase; content:"XMLHTTP"; nocase; content:"Adodb.streaM"; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/22F04BD5408320E4F309AAECB0CAFB26A5740A66F50CF0356A1EDA46B77064E2/detection; classtype:trojan-activity; sid:46092; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER VBscript downloader detected"; flow:to_client,established; file_data; content:"CreateObject("; fast_pattern; content:"WScri"; within:10; content:"Shell"; within:20; content:"Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B|"; nocase; content:"XMLHTTP"; nocase; content:"Adodb.streaM"; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/22F04BD5408320E4F309AAECB0CAFB26A5740A66F50CF0356A1EDA46B77064E2/detection; classtype:trojan-activity; sid:46091; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.SynAck download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 01 8B 44 24 30 33 44 24 38 50 48 8D 05|"; content:"|48 2D|"; within:2; distance:4; content:"|FF D0 50|"; within:3; distance:4; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/7b53a00b3a8859755f6144cb2149673fa17fdd6e439cbfdee21a7a513e6395b2/; classtype:trojan-activity; sid:46752; rev:1;)
# MALWARE-OTHER: inbound file-delivery signatures. Most detections below come as a pair with
# identical content matches: an SMTP-attachment rule ($EXTERNAL_NET -> $SMTP_SERVERS 25,
# flow:to_server) and a client-download rule ($FILE_DATA_PORTS -> $HOME_NET, flow:to_client,
# service ftp-data/http/imap/pop3). Both inspect the reassembled, decoded file via file_data.
# Rules tagged "ruleset community" ship in the free community set; the others are registered-only.
# These are vendor (Talos) rules: hand edits here are lost on the next ruleset pull, so keep
# overrides (disable, threshold, suppress) in a separate local config rather than in this file.
# SynAck: two raw byte sequences from the sample at fixed distances. flowbits:isset,file.exe means
# the stream must already have been tagged as a PE by file-type detection before this can fire.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.SynAck download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 01 8B 44 24 30 33 44 24 38 50 48 8D 05|"; content:"|48 2D|"; within:2; distance:4; content:"|FF D0 50|"; within:3; distance:4; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/7b53a00b3a8859755f6144cb2149673fa17fdd6e439cbfdee21a7a513e6395b2/; classtype:trojan-activity; sid:46751; rev:1;)
# VPNFilter: DNS lookup of the stage-2 C2 domain, outbound from $HOME_NET to any resolver on 53.
# byte_test on offset 2 requires bits 0xF8 of the first DNS flags byte to be clear, i.e. a plain
# standard query (QR=0, opcode=0) rather than a response. The fast pattern is the length-prefixed
# label encoding |09|toknowall|03|com|00|, so a plain-text match on "toknowall.com" will not fire.
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|toknowall|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/domain/toknowall.com/information/; classtype:trojan-activity; sid:46807; rev:3;)
# Satan ransomware: outbound HTTP request for the payload path, matched in the normalized URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Ransomware.Satan payload download"; flow:to_server,established; content:"/cab/sts.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee/analysis/; classtype:trojan-activity; sid:46819; rev:1;)
# GPON (CVE-2018-10561): the exploit URL string found inside a delivered file (e.g. a bot dropper
# carrying the exploit), not the HTTP request to the router itself.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER GPON exploit download attempt"; flow:established,to_server; file_data; content:"/GponForm/diag_Form?images/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-10561; reference:url,vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:trojan-activity; sid:46841; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER GPON exploit download attempt"; flow:to_client,established; file_data; content:"/GponForm/diag_Form?images/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-10561; reference:url,vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:trojan-activity; sid:46840; rev:1;)
# MBRLock: a string constant from the sample as fast pattern, then taskkill/password/PhysicalDrive
# in a bounded window; distance:-150 lets "taskkill" sit before the anchor string.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.MBRLock file download"; flow:to_server,established; file_data; content:"woshixiaoxuesheng"; fast_pattern; content:"taskkill"; distance:-150; nocase; content:"password"; within:150; nocase; content:"PhysicalDrive"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38/analysis/; classtype:trojan-activity; sid:46989; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.MBRLock file download"; flow:to_client,established; file_data; content:"woshixiaoxuesheng"; fast_pattern; content:"taskkill"; distance:-150; nocase; content:"password"; within:150; nocase; content:"PhysicalDrive"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38/analysis/; classtype:trojan-activity; sid:46988; rev:1;)
# Annabelle: "PhysicalDrive" (raw disk access) as the fast pattern, then two byte sequences from
# the sample and the taskkill/shutdown strings close together.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Annabelle file download"; flow:to_server,established; file_data; content:"PhysicalDrive"; fast_pattern:only; content:"|6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 10|"; content:"|6A 00 8D 45 EC 50 68 00 80 00 00 8D 85 E4|"; within:50; content:"taskkill"; content:"shutdown"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/7a243bcbff4309eafd287ecc124606171724da76fc3c1896002e5f7392b13df3/analysis/; classtype:trojan-activity; sid:46987; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Annabelle file download"; flow:to_client,established; file_data; content:"PhysicalDrive"; fast_pattern:only; content:"|6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 10|"; content:"|6A 00 8D 45 EC 50 68 00 80 00 00 8D 85 E4|"; within:50; content:"taskkill"; content:"shutdown"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/7a243bcbff4309eafd287ecc124606171724da76fc3c1896002e5f7392b13df3/analysis/; classtype:trojan-activity; sid:46986; rev:1;)
# CoinHive: any PE that embeds the miner script name. Note the classtype is policy-violation, not
# trojan-activity, so severity mapping built on classtype will rank these differently.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Portable Executable containing CoinHive download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"coinhive.min.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,coinhive.com/documentation/miner; classtype:policy-violation; sid:47021; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Portable Executable containing CoinHive download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"coinhive.min.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,coinhive.com/documentation/miner; classtype:policy-violation; sid:47020; rev:1;)
# HTA hidden-window trick: "window.moveTo" followed within 5 bytes by "-" (negative coordinates,
# i.e. off-screen), and "window.resizeTo" starting anywhere from 200 bytes before to 200 bytes
# after that "-". The byte_test then reads up to 8 decimal digits starting 1 byte past the
# resizeTo match (skipping the "(") and fires when that first argument is < 1 -- a window
# collapsed to zero width. No fast_pattern is declared, so Snort picks the longest content itself.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HTA script hidden window execution attempt"; flow:to_client,established; file_data; content:"window.moveTo"; nocase; content:"-"; within:5; content:"window.resizeTo"; within:400; distance:-200; nocase; byte_test:8,<,1,1,relative,string,dec; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b/analysis/; classtype:trojan-activity; sid:47077; rev:2;)
# Xbash (Unix miner/dropper family), one SMTP + one download rule per indicator.
# sids 47870-47873: generic shell-dropper tells ("chmod +x /tmp", "chmod 777 /tmp") in any
# delivered file. These are short literal strings that legitimate install/provisioning scripts
# also contain, so expect to tune or threshold them per environment.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script"; flow:to_client,established; file_data; content:"chmod +x /tmp"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47873; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script"; flow:to_server,established; file_data; content:"chmod +x /tmp"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47872; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script"; flow:to_client,established; file_data; content:"chmod 777 /tmp"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47871; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script"; flow:to_server,established; file_data; content:"chmod 777 /tmp"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47870; rev:1;)
# sids 47868/47869: a file already tagged as PNG (flowbits file.png) that carries a base64-encoded
# Windows executable; "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAA" is the base64 form of the standard
# MZ/DOS header ("MZ\x90\x00\x03\x00..."), so it catches the embedded PE regardless of the image bytes.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAA"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47869; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAA"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47868; rev:1;)
# sids 47866/47867: the literal escaped text "\x70\x6F\x77..." (each |5C| is a backslash) as it
# appears in the HTML dropper; decoded it reads "powershell.exe -executionpolicy bypass". Only
# this exact escaping is matched -- a dropper that changes case or escaping style will evade it.
# The T1086 reference is the pre-2020 MITRE ID for PowerShell, since folded into T1059.001.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation"; flow:to_server,established; file_data; content:"|5C|x70|5C|x6F|5C|x77|5C|x65|5C|x72|5C|x73|5C|x68|5C|x65|5C|x6C|5C|x6C|5C|x2E|5C|x65|5C|x78|5C|x65|5C|x20|5C|x2D|5C|x65|5C|x78|5C|x65|5C|x63|5C|x75|5C|x74|5C|x69|5C|x6F|5C|x6E|5C|x70|5C|x6F|5C|x6C|5C|x69|5C|x63|5C|x79|5C|x20|5C|x62|5C|x79|5C|x70|5C|x61|5C|x73|5C|x73"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1086; reference:url,www.virustotal.com/#/file/f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8/detection; classtype:trojan-activity; sid:47867; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation"; flow:to_client,established; file_data; content:"|5C|x70|5C|x6F|5C|x77|5C|x65|5C|x72|5C|x73|5C|x68|5C|x65|5C|x6C|5C|x6C|5C|x2E|5C|x65|5C|x78|5C|x65|5C|x20|5C|x2D|5C|x65|5C|x78|5C|x65|5C|x63|5C|x75|5C|x74|5C|x69|5C|x6F|5C|x6E|5C|x70|5C|x6F|5C|x6C|5C|x69|5C|x63|5C|x79|5C|x20|5C|x62|5C|x79|5C|x70|5C|x61|5C|x73|5C|x73"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; reference:url,www.virustotal.com/#/file/f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8/detection; classtype:trojan-activity; sid:47866; rev:2;)
# DDE command execution embedded in Office document text (T1173 is the legacy MITRE ID for
# Dynamic Data Exchange; now T1559.002). content "<prog>|7C 27|" is `<prog>|'` and |27 21| is `'!`,
# i.e. the DDE field shape  =cmd|'...'!x ; the pcre re-checks it with a leading field character
# and an optional wrapping function name. Three program variants (cmd, msiexec, powershell), each
# as an SMTP rule plus a client-download rule.
# NOTE(review): the class [=+-@] is a range from '+' (0x2B) to '@' (0x40), not the four literal
# characters -- it also admits digits and . / : ; < > ?. That is broader than the field syntax
# probably intended, though it only widens the pcre, which runs after the content pre-filter.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_server,established; file_data; content:"cmd|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?cmd\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47849; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_client,established; file_data; content:"msiexec|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?msiexec\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47848; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_server,established; file_data; content:"powershell|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?powershell\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1086; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47847; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_client,established; file_data; content:"powershell|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?powershell\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47846; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_server,established; file_data; content:"msiexec|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?msiexec\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47845; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_client,established; file_data; content:"cmd|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?cmd\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47844; rev:1;)
# Gorgon: the sample stores its strings with every byte incremented by one, so "iuuq;00" is
# "http://" (':' 0x3A -> ';' 0x3B, '/' 0x2F -> '0' 0x30) and "/fyf" is ".exe". No fast_pattern
# is declared; Snort will choose the longer content.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Gorgon attempted download"; flow:to_server,established; file_data; content:"iuuq|3B|00"; content:"/fyf"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/eab34ac788bdb79377219faecd80f27d45981bc6ab203b868303aea1d278548c/detection; classtype:trojan-activity; sid:47454; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Gorgon attempted download"; flow:to_client,established; file_data; content:"iuuq|3B|00"; content:"/fyf"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/eab34ac788bdb79377219faecd80f27d45981bc6ab203b868303aea1d278548c/detection; classtype:trojan-activity; sid:47453; rev:1;)
# Unix.Trojan.Agent: byte sequences that look like x86-64 code (0x48 REX.W prefixes) from the
# sample. NOTE(review): the SMTP rule (sid 47381) lacks the "impact_flag red" that its download
# twin (sid 47380) carries -- a vendor inconsistency. Do not patch it in this file; raise it
# upstream or carry a local override, since edits here are lost on the next ruleset update.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Unix.Trojan.Agent variant download attempt"; flow:to_server,established; file_data; content:"|48 8B 45 E0 48 83 C0 3E 48 89 C7 E8|"; fast_pattern:only; content:"|89 D6 89 C7 E8|"; content:"|89 45 F8 83 7D F8 00|"; within:15; content:"|8B 45 F8 89 C7 E8|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/EBFFD115918F6D181DA6D8F5592DFFB3E4F08CD4E93DCF7B7F1A2397AF0580D9/analysis/; classtype:trojan-activity; sid:47381; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Trojan.Agent variant download attempt"; flow:to_client,established; file_data; content:"|48 8B 45 E0 48 83 C0 3E 48 89 C7 E8|"; fast_pattern:only; content:"|89 D6 89 C7 E8|"; content:"|89 45 F8 83 7D F8 00|"; within:15; content:"|8B 45 F8 89 C7 E8|"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/EBFFD115918F6D181DA6D8F5592DFFB3E4F08CD4E93DCF7B7F1A2397AF0580D9/analysis/; classtype:trojan-activity; sid:47380; rev:1;)
# DanaBot: hard-coded User-Agent prefix "buyer v." in outbound request headers (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER known malicious user-agent string - DanaBot"; flow:to_server,established; content:"User-Agent|3A| buyer v."; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4afad293675bcb39ac2a85307f074cc06410a48f2e14585718193648806521c4/analysis/; classtype:trojan-activity; sid:47326; rev:2;)
# GandCrab: ransom note "\KRAB-DECRYPT.txt" (UTF-16LE) written to a share over SMB. The
# $HOME_NET -> $HOME_NET 445 direction means this only fires where the sensor sees lateral
# (east-west) traffic. The header check is 0x00 at offset 0 and "SMB" at offsets 5-7; the
# 0xFF/0xFE byte at offset 4 is not pinned, so SMB1 and SMB2 both qualify.
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.Gandcrab variant network share encryption attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"SMB"; within:3; distance:4; content:"|5C 00|K|00|R|00|A|00|B|00|-|00|D|00|E|00|C|00|R|00|Y|00|P|00|T|00|.|00|t|00|x|00|t|00|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/file/8d8b45aa8724458ea7711f13ee237bbd3e4c77669ebd91109b94620ecc52bc72/analysis/; classtype:trojan-activity; sid:47278; rev:1;)
# BondUpdater: the dropped VBS path as a NUL-prefixed literal inside the delivered file.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt"; flow:to_server,established; file_data; content:"|00|C:|5C|ProgramData|5C|WindowsAppPool|5C|AppPool.vbs"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00; classtype:trojan-activity; sid:48421; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt"; flow:to_client,established; file_data; content:"|00|C:|5C|ProgramData|5C|WindowsAppPool|5C|AppPool.vbs"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00; classtype:trojan-activity; sid:48420; rev:1;)
# tRat: first rule needs the URI to be exactly "/dat" (urilen:4) together with a "Windows
# Installer" User-Agent; the second is a fixed payload path. Both are outbound requests from
# $HOME_NET -- "inbound payload" in msg refers to the file being fetched, not the flow direction.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.tRat variant inbound payload attempt"; flow:to_server,established; content:"/dat"; fast_pattern:only; http_uri; urilen:4; content:"User-Agent: Windows Installer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/cdb8a02189a8739dbe5283f8bc4679bf28933adbe56bff6d050bad348932352b; classtype:trojan-activity; sid:48469; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.tRat variant inbound payload attempt"; flow:to_server,established; content:"/nfile/ma1o.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/7c3e462113992570ab81bf4298b16b02fed9451218dd5ea4da48bde2e25a2453; classtype:trojan-activity; sid:48468; rev:1;)
# FASTCash: a raw 28-byte sequence from the sample, with no file-type (flowbits) gating.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Trojan.Fastcash download attempt"; flow:to_client,established; file_data; content:"|39 22 FD 04 81 29 00 00 7D 2A 07 B4 39 3F 00 74 7D 43 53 78 7D 24 4B 78 38 A0 01 84|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee/detection; classtype:trojan-activity; sid:48572; rev:1;)
# Js.Trojan.Agent: an identifier string from the obfuscated script, gated on a PE file-type tag
# (sids 48743/48742), and a fake "Font Manager" alert() lure served over HTTP (sid 48741).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"JkmokJxowpfxFkogHpjimkfdxoM"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/4dcd46e838bb7a764bc35b4e4a3a2e693fedcda5334d54b982bea29b5f4887a3; classtype:trojan-activity; sid:48743; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"JkmokJxowpfxFkogHpjimkfdxoM"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/4dcd46e838bb7a764bc35b4e4a3a2e693fedcda5334d54b982bea29b5f4887a3; classtype:trojan-activity; sid:48742; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt"; flow:to_client,established; file_data; content:"alert(|27|Please install new Font Manager to your Chrome!|27|)|3B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/adfd949ac91187061b44d8c8415ec5003d26164ff57d6c47e4ecaf8c9b80795f; classtype:trojan-activity; sid:48741; rev:1;)
# Injected-script indicators (coinminer loaders, the MagentoCore skimmer domains, Occamy): host
# and path strings of third-party scripts inside HTML/JS served to clients on $HTTP_PORTS. Four
# of these cite the same VirusTotal hash, presumably the infected page rather than each payload.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected"; flow:to_client,established; file_data; content:"camillesanz.com/lib/status.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fa9b7233ce96b5fbff570b0550a1f1a36846aa0d3d99355a1719fab402508dbd; classtype:trojan-activity; sid:48720; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected"; flow:to_client,established; file_data; content:"siteverification.online/lib/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fa9b7233ce96b5fbff570b0550a1f1a36846aa0d3d99355a1719fab402508dbd; classtype:trojan-activity; sid:48719; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt"; flow:to_client,established; file_data; content:".wo.tc/js/lib/js.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fa9b7233ce96b5fbff570b0550a1f1a36846aa0d3d99355a1719fab402508dbd; classtype:trojan-activity; sid:48718; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.MagentoCore infected page detected"; flow:to_client,established; file_data; content:"magento.name/mage/mage.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fa9b7233ce96b5fbff570b0550a1f1a36846aa0d3d99355a1719fab402508dbd; classtype:trojan-activity; sid:48717; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.MagentoCore infected page detected"; flow:to_client,established; file_data; content:"magentocore.net/mage/mage.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fa9b7233ce96b5fbff570b0550a1f1a36846aa0d3d99355a1719fab402508dbd; classtype:trojan-activity; sid:48716; rev:1;)
# Ramnit VBS dropper: the script's DropFileName/WriteData variables; "4D5A900003" is the hex
# spelling of the MZ header that the script writes out. nocase absorbs hex-digit case.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt"; flow:to_client,established; file_data; content:"DropFileName = |22|svchost.exe|22|"; fast_pattern:only; content:"WriteData = |22|4D5A900003"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a6f2d42c1a404ddcef4365623541089c6f8b9f4b17489f87de2460a10956548f; classtype:trojan-activity; sid:48715; rev:1;)
# SamSam (US-CERT AR18-337A/C/D). The file-delivery rules in this group use
# $EXTERNAL_NET any -> $HOME_NET any with only "service http" in metadata, so a sensor without
# service/AppID identification evaluates them on every inbound TCP flow, not just web ports.
# Patterns are artefacts from the .NET samples: junk string constants, the UTF-16LE ".nike2018"
# extension, the "*.stubbin" glob, the HELP_DECRYPT_YOUR_FILES note name and "samsam.exe" itself.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"hdfgkhioiugyfyghdseertdfygu"; fast_pattern:only; content:"ghtrfdfdewsdfgtyhgjgghfdg"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337A; classtype:trojan-activity; sid:48814; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"*|00|.|00|n|00|i|00|k|00|e|00|2|00|0|00|1|00|8"; fast_pattern:only; content:"Program"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337A; classtype:trojan-activity; sid:48813; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"proteusdlll"; fast_pattern:only; content:"Class1"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337A; classtype:trojan-activity; sid:48812; rev:1;)
# SMB2 request carrying a ".nike2018" filename: |FE|SMB at offset 4 and command 0x0005 (CREATE)
# at offset 16 of the NetBIOS-framed message. byte_jump reads a 4-byte little-endian offset 98
# bytes past the command field (inside the CREATE request body) and jumps there from packet
# start; the 17-byte UTF-16LE extension is then required to end just before that landing point
# (distance:-18, within:17). Source is "any", so internal hosts also trigger it. Which CREATE
# field sits at +98 is not spelled out by the rule -- check the SMB2 CREATE layout before retuning.
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER SamSam associated file"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00|"; within:2; distance:8; byte_jump:4,98,relative,little,from_beginning; content:".|00|n|00|i|00|k|00|e|00|2|00|0|00|1|00|8"; within:17; distance:-18; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337A; classtype:trojan-activity; sid:48811; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"_StaticArrayInitTypeSize=13"; fast_pattern:only; content:"Rijndael"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337D; classtype:trojan-activity; sid:48806; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"*|00|.|00|s|00|t|00|u|00|b|00|b|00|i|00|n"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337D; classtype:trojan-activity; sid:48805; rev:1;)
# sid 48804: three unanchored contents; the fast pattern is the short, generic "del.exe", so the
# multi-pattern matcher pre-qualifies many files and the UTF-16 note name does the real filtering.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"H|00|E|00|L|00|P|00|_|00|D|00|E|00|C|00|R|00|Y|00|P|00|T|00|_|00|Y|00|O|00|U|00|R|00|_|00|F|00|I|00|L|00|E|00|S"; content:"selfdel.exe"; content:"del.exe"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337C; classtype:trojan-activity; sid:48804; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER samsam.exe file name detected"; flow:to_client,established; file_data; content:"s|00|a|00|m|00|s|00|a|00|m|00|.|00|e|00|x|00|e"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337C; classtype:trojan-activity; sid:48803; rev:1;)
# Shamoon: SMB2 CREATE (|FE|SMB at offset 4, command 0x0005 at offset 16) naming the UTF-16LE
# path "Program Files\Internet Explorer\signin" that the worm uses when copying itself to peers.
# Source is "any", so it also covers internal-to-internal spread when the sensor sees that traffic.
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Shamoon propagation via SMB2 transfer attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00|"; within:2; distance:8; content:"P|00|r|00|o|00|g|00|r|00|a|00|m|00| |00|F|00|i|00|l|00|e|00|s|00 5C 00|I|00|n|00|t|00|e|00|r|00|n|00|e|00|t|00| |00|E|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00 5C 00|s|00|i|00|g|00|n|00|i|00|n"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/file/35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b/analysis/; classtype:trojan-activity; sid:48784; rev:1;)
# L0rdix: UTF-16LE "connect.php" plus the family name inside a file tagged as a PE (flowbits
# file.exe). No fast_pattern is declared.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.L0rdix binary download attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"c|00|o|00|n|00|n|00|e|00|c|00|t|00|.|00|p|00|h|00|p|00|"; content:"L0rdix"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/504c6e964c591cd6b4aac5193600058863a5c3c3b9ae7e5756315114fb032a11/detection; classtype:trojan-activity; sid:48856; rev:1;)
# Mimikatz: an outbound HTTP request whose normalized URI ends in "/mimikatz.exe"; the second
# content has no http_* modifier and so re-checks the raw request line ("... HTTP/"). "inbound
# payload" in msg describes the file being fetched, not the flow direction. Filename-only, so
# renamed binaries evade it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Mimikatz inbound payload download"; flow:to_server,established; content:"/mimikatz.exe"; fast_pattern:only; http_uri; content:"mimikatz.exe HTTP/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/6bfc1ec16f3bd497613f57a278188ff7529e94eb48dcabf81587f7c275b3e86d; classtype:trojan-activity; sid:48871; rev:1;)
# MegaCrypter: the crypter's banner string left inside the delivered JS dropper.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Js.Dropper.Agent variant inbound payload download"; flow:to_server,established; file_data; content:"-----[ http://MegaCrypter.Us ]----"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/8fe18a768769342be49ac33d2ba0653ba7f105a503075231719c376b6ded8846; classtype:trojan-activity; sid:48870; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Dropper.Agent variant inbound payload download"; flow:to_client,established; file_data; content:"-----[ http://MegaCrypter.Us ]----"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/8fe18a768769342be49ac33d2ba0653ba7f105a503075231719c376b6ded8846; classtype:trojan-activity; sid:48869; rev:1;)
# Rocke: the evasion script hunts competing miners with "ps aux | grep -i [y]unjing" /
# "[a]liyun" -- the bracket trick keeps grep from matching its own command line. within:12 ties
# the bracketed name to the preceding grep, and the bracketed token is the fast pattern.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script"; flow:to_client,established; file_data; content:"ps aux |7C| grep |2D|i"; content:"|5B|y|5D|unjing"; within:12; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/2e3e8f980fde5757248e1c72ab8857eb2aea9ef4a37517261a1b013e3dc9e3c4/detection; classtype:trojan-activity; sid:48939; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script"; flow:to_client,established; file_data; content:"ps aux |7C| grep |2D|i"; content:"|5B|a|5D|liyun"; within:12; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/2e3e8f980fde5757248e1c72ab8857eb2aea9ef4a37517261a1b013e3dc9e3c4/detection; classtype:trojan-activity; sid:48938; rev:1;)
# Anatova: ransom note "\ANATOVA.TXT" (UTF-16LE) written over SMB, $HOME_NET -> $HOME_NET 445,
# so it needs visibility of lateral traffic; the 0xFF/0xFE byte at offset 4 is not pinned.
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.Anatova variant network share encryption attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"SMB"; within:3; distance:4; content:"|5C 00|A|00|N|00|A|00|T|00|O|00|V|00|A|00|.|00|T|00|X|00|T|00|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/file/75371ff38823885b47aa21d2883792a5470e9bf1f3d2dc93f512725f35491820; classtype:trojan-activity; sid:49072; rev:1;)
# Anatova binary: the long byte string is the ransom note XORed with the single byte 0x05, as
# stored in the sample ("All your files are crypted. Only us can decrypt your files, you need
# pay 10 DASH in the address: "). Five sample hashes are referenced.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Anatova variant detected"; flow:to_server,established; file_data; content:"|44 69 69 25 7C 6A 70 77 25 63 6C 69 60 76 25 64 77 60 25 66 77 7C 75 71 60 61 2B 25 4A 6B 69 7C 25 70 76 25 66 64 6B 25 61 60 66 77 7C 75 71 25 7C 6A 70 77 25 63 6C 69 60 76 29 25 7C 6A 70 25 6B 60 60 61 25 75 64 7C 25 34 35 25 41 44 56 4D 25 6C 6B 25 71 6D 60 25 64 61 61 77 60 76 76 3F 25|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/gui/file/170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0; reference:url,www.virustotal.com/gui/file/75371ff38823885b47aa21d2883792a5470e9bf1f3d2dc93f512725f35491820; reference:url,www.virustotal.com/gui/file/97fb79ca6fc5d24384bf5ae3d01bf5e77f1d2c0716968681e79c097a7d95fb93; reference:url,www.virustotal.com/gui/file/ab8a76b64448b943dc96a3e993b6e6b37af27c93738d27ffd1f4c9f96a1b7e69; reference:url,www.virustotal.com/gui/file/bd422f912affcf6d0830c13834251634c8b55b5a161c1084deae1f9b5d6830ce; classtype:trojan-activity; sid:49071; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Anatova variant detected"; flow:to_client,established; file_data; content:"|44 69 69 25 7C 6A 70 77 25 63 6C 69 60 76 25 64 77 60 25 66 77 7C 75 71 60 61 2B 25 4A 6B 69 7C 25 70 76 25 66 64 6B 25 61 60 66 77 7C 75 71 25 7C 6A 70 77 25 63 6C 69 60 76 29 25 7C 6A 70 25 6B 60 60 61 25 75 64 7C 25 34 35 25 41 44 56 4D 25 6C 6B 25 71 6D 60 25 64 61 61 77 60 76 76 3F 25|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/gui/file/170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0; reference:url,www.virustotal.com/gui/file/75371ff38823885b47aa21d2883792a5470e9bf1f3d2dc93f512725f35491820; reference:url,www.virustotal.com/gui/file/97fb79ca6fc5d24384bf5ae3d01bf5e77f1d2c0716968681e79c097a7d95fb93; reference:url,www.virustotal.com/gui/file/ab8a76b64448b943dc96a3e993b6e6b37af27c93738d27ffd1f4c9f96a1b7e69; reference:url,www.virustotal.com/gui/file/bd422f912affcf6d0830c13834251634c8b55b5a161c1084deae1f9b5d6830ce; classtype:trojan-activity; sid:49070; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Windows Management Instrumentation manipulation attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"wmic"; fast_pattern; pcre:"/wmic(\.exe)?\s+/i"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1047/; classtype:trojan-activity; sid:49570; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"powershell"; fast_pattern; content:"bypass"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1086/; classtype:trojan-activity; sid:49569; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Yatron payload download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"yatronraas@mail.ru"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/7910b3f3a04644d12b8e656aa4934c59a4e3083a2a9c476bf752dc54192c255b; classtype:trojan-activity; sid:49536; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Yatron payload download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"yatronraas@mail.ru"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/7910b3f3a04644d12b8e656aa4934c59a4e3083a2a9c476bf752dc54192c255b; classtype:trojan-activity; sid:49535; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Imminent variant download attempt"; flow:to_server,established; file_data; content:"|D9 CF 51 6E 74 71 4C 3B 62 64 6A B1 2F FB 30 25 6A 05 94 7A E4 B1 22 07 32 5D A8 2D 52 4D E7 EA|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/4b4e6ac65aa4105222ad5c80cdf7d42fe2c3535d28546a247ec1985c7a32c844/analysis/; classtype:trojan-activity; sid:49771; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Imminent variant download attempt"; flow:to_client,established; file_data; content:"|D9 CF 51 6E 74 71 4C 3B 62 64 6A B1 2F FB 30 25 6A 05 94 7A E4 B1 22 07 32 5D A8 2D 52 4D E7 EA|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/4b4e6ac65aa4105222ad5c80cdf7d42fe2c3535d28546a247ec1985c7a32c844/analysis/; classtype:trojan-activity; sid:49770; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt"; flow:to_server,established; file_data; content:"_Cr1ptT0r_"; fast_pattern:only; content:"FILES_ENCRYPTED_README"; nocase; content:"cr1ptt0r_privkey.txt"; within:50; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/9a1de00dbc07271a27cb4806937802007ae5a59433ca858d52678930253f42c1/analysis/; classtype:trojan-activity; sid:49767; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt"; flow:to_client,established; file_data; content:"_Cr1ptT0r_"; fast_pattern:only; content:"FILES_ENCRYPTED_README"; nocase; content:"cr1ptt0r_privkey.txt"; within:50; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/9a1de00dbc07271a27cb4806937802007ae5a59433ca858d52678930253f42c1/analysis/; classtype:trojan-activity; sid:49766; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_server,established; file_data; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49889; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_client,established; file_data; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49888; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"6|00|7|00|6|00|f|00|6|00|f|00|6|00|4|00|6|00|c|00|7|00|5|00|6|00|3|00|6|00|b|00|"; fast_pattern:only; content:"g|00|o|00|g|00|l|00|e|00|.|00|c|00|o|00|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97/detection; classtype:trojan-activity; sid:49936; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"6|00|7|00|6|00|f|00|6|00|f|00|6|00|4|00|6|00|c|00|7|00|5|00|6|00|3|00|6|00|b|00|"; fast_pattern:only; content:"g|00|o|00|g|00|l|00|e|00|.|00|c|00|o|00|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97/detection; classtype:trojan-activity; sid:49935; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt"; flow:to_client,established; file_data; content:"|B5 94 70 71 DB 8A 0C 84 E9 19 67 8A 43 E1 FD 31 24 52 4A C9 98 31 ED F4 FA 2F 00 00 00 FF FF 03|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8/detection; classtype:trojan-activity; sid:49934; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt"; flow:to_server,established; file_data; content:"|B5 94 70 71 DB 8A 0C 84 E9 19 67 8A 43 E1 FD 31 24 52 4A C9 98 31 ED F4 FA 2F 00 00 00 FF FF 03|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8/detection; classtype:trojan-activity; sid:49933; rev:1;)


@@ -0,0 +1,157 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# MALWARE-TOOLS RULES
#---------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| YoudaoBot/1.0|3B| http://www."; fast_pattern:31,20; http_header; content:!"youdao.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25927; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| YesupBot/1.0|3B| +http://www."; fast_pattern:31,20; http_header; content:!"yesup.net"; within:9; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25926; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Yahoo! Slurp China|3B| http://misc."; fast_pattern:37,20; http_header; content:!"yahoo.com.cn"; within:12; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25925; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| XTbot/1.0v|3B| +http://www."; fast_pattern:29,20; http_header; content:!"externaltest.com"; within:16; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25924; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| worio bot heritrix/1.10.0 +http://"; fast_pattern:39,20; http_header; content:!"worio.com"; within:9; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25923; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Webduniabot/1.0|3B| +http://search."; fast_pattern:37,20; http_header; content:!"webdunia.com"; within:12; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25922; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Synoobot/0.9|3B| http://www."; fast_pattern:30,20; http_header; content:!"synoo.com"; within:9; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25921; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| SummizeBot +http://www."; fast_pattern:28,20; http_header; content:!"summize.com"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25920; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| ShunixBot/1.x|3B| http://www."; fast_pattern:31,20; http_header; content:!"shunix.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25919; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Scrubby/2.2|3B| http://www."; fast_pattern:29,20; http_header; content:!"scrubtheweb.com"; within:15; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25918; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| robtexbot/1.0|3B| http://www."; fast_pattern:31,20; http_header; content:!"robtex.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25917; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| PWeBot/3.1|3B| http://www."; fast_pattern:28,20; http_header; content:!"programacionweb.net"; within:19; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25916; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| pmoz.info ODP link checker|3B| +http://"; fast_pattern:41,20; http_header; content:!"pmoz.info"; within:9; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25915; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| PEAR HTTP_Request class|3B| http://feed."; fast_pattern:42,20; http_header; content:!"moo.jp"; within:6; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25914; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| PagestackerBot|3B| http://www."; fast_pattern:32,20; http_header; content:!"pagestacker.com"; within:15; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25913; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| MojeekBot/2.0|3B| http://www."; fast_pattern:31,20; http_header; content:!"mojeek.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25912; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"mozilla/5.0 |28|compatible|3B| genevabot http://www."; fast_pattern:26,20; http_header; content:!"healthdash.com"; within:14; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25911; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| egothor/8.0g|3B| +http://ego.ms."; fast_pattern:34,20; http_header; content:!"mff.cuni.cz"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25910; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| de/1.13.2 +http://www."; fast_pattern:27,20; http_header; content:!"de.com"; within:6; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25909; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| archive.org_bot/1.13.1x http://"; fast_pattern:36,20; http_header; content:!"crawler.archive.org"; within:19; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25908; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|+http://www."; http_header; content:!"eurekster.com"; within:13; nocase; http_header; content:"/mammoth|29| Mammoth/"; within:40; fast_pattern; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25906; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|compatible|3B| "; http_header; content:!"Webinator"; within:9; nocase; http_header; content:"/2.56|29 20 0D 0A|"; within:40; fast_pattern; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25905; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| Vagabondo/4.0Beta|3B| webcrawler at wise-guys dot nl|3B| http://"; fast_pattern:63,20; http_header; content:!"webagent.wise-guys.nl"; within:21; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25904; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| MSIE 6.0|3B| Podtech Network|3B| crawler_admin@"; fast_pattern:46,20; http_header; content:!"podtech.net"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25903; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| LinksManager.com_bot http://"; fast_pattern:33,20; http_header; content:!"linksmanager.com"; within:16; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25902; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Charlotte/1.0b|3B| http://www."; fast_pattern:32,20; http_header; content:!"betaspider.com"; within:14; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25901; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Hermit Search. Com|3B| +http://www."; fast_pattern:37,20; http_header; content:!"hermitsearch.com"; within:16; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25900; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| FatBot 2.0|3B| http://www."; fast_pattern:28,20; http_header; content:!"thefind.com"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25899; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| EARTHCOM.info/2.01|3B| http://www."; fast_pattern:36,20; http_header; content:!"earthcom.info"; within:13; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25898; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| DNS-Digger-Explorer/1.0|3B| +http://www."; fast_pattern:42,20; http_header; content:!"dnsdigger.com"; within:13; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25897; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Crawling jpeg|3B| http://www."; fast_pattern:31,20; http_header; content:!"yama.info.waseda.ac.jp"; within:22; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25896; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| BecomeJPBot/2.3|3B| MSIE 6.0 compatible|3B| +http://www."; fast_pattern:55,20; http_header; content:!"become.co.jp"; within:12; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25895; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| BecomeBot/1.23|3B| http://"; fast_pattern:28,20; http_header; content:!"www.become.com"; within:14; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25894; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| BecomeBot/2.0beta|3B| http://"; fast_pattern:31,20; http_header; content:!"www.become.com"; within:14; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25893; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Ask Jeeves/Teoma|3B| http://"; fast_pattern:30,20; http_header; content:!"about.ask.com"; within:13; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25892; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| AnsearchBot/1.x|3B| +http://www."; fast_pattern:34,20; http_header; content:!"ansearch.com.au"; within:15; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25891; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|compatible|3B| Abonti/0.8 - http://www."; fast_pattern:29,20; http_header; content:!"abonti.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25890; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|Slurp/cat|3B| slurp@inktomi.com|3B| http://www."; fast_pattern:34,20; http_header; content:!"inktomi.com/slurp.html"; within:22; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25889; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/5.0 |28|Clustered-Search-Bot/1.0|3B| clsupport@"; fast_pattern:29,20; http_header; content:!"clush.com"; within:9; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25888; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.7 |28|compatible|3B| WhizBang|3B| http://www."; fast_pattern:26,20; http_header; content:!"whizbang.com/crawler"; within:20; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25887; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 compatible ZyBorg/1.0 Dead Link Checker |28|wn.zyborg@looksmart.net|3B| http://www."; fast_pattern:69,20; http_header; content:!"WISEnutbot.com"; within:14; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25886; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| crawlx, crawler@"; fast_pattern:21,20; http_header; content:!"trd.overture.com"; within:16; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25885; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE enviable|3B| DAUMOA 2.0|3B| DAUM Web Robot|3B| Daum Communications Corp., Korea|3B| +http://ws."; fast_pattern:93,20; http_header; content:!"daum.net"; within:8; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25884; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B| Windows NT 5.0|3B| ODP entries t_st|3B| http://"; fast_pattern:56,20; http_header; content:!"tuezilla.de/t_st-odp-entries-agent.html"; within:39; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25883; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B| Windows 98|3B| support@illumit.com|3B| http://www."; fast_pattern:59,20; http_header; content:!"illumit.com/Products/weblight/"; within:30; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25882; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 5.5|3B| AOL 4.0|3B| Windows 98|3B| GoBeez |28|www."; fast_pattern:48,20; http_header; content:!"gobeez.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25881; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| www.galaxy.com|3B| www.psychedelix.com/|3B| http://www."; fast_pattern:64,20; http_header; content:!"galaxy.com/info/crawler.html"; within:28; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25880; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows NT|3B| Girafabot|3B| girafabot at girafa dot com|3B| http://www."; fast_pattern:78,20; http_header; content:!"girafa.com"; within:10; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25879; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows ME|3B| Link Checker 2.x.xx http://www."; fast_pattern:58,20; http_header; content:!"kyosoft.com"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25878; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| GPU p2p crawler http://gpu."; fast_pattern:32,20; http_header; content:!"sourceforge.net"; within:15; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25877; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| FastCrawler3 support-fastcrawler3@"; fast_pattern:39,20; http_header; content:!"fast.no"; within:7; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25876; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| DepSpid/5.0x|3B| +http://about."; fast_pattern:33,20; http_header; content:!"depspid.net"; within:11; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25875; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/4.0 |28|agadine3.0|29| www."; fast_pattern:9,20; http_header; content:!"agada.de"; within:8; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25874; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|compatible|3B| ScollSpider|3B| http://www."; fast_pattern:29,20; http_header; content:!"webwobot.com"; within:12; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25873; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|Vagabondo/2.0 MT|3B| webcrawler@"; fast_pattern:22,20; http_header; content:!"NOSPAMexperimental.net"; within:22; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25872; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|Vagabondo/1.x MT|3B| webagent@wise-guys.nl|3B| http://"; fast_pattern:41,20; http_header; content:!"webagent.wise-guys.nl"; within:21; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25871; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|Slurp/si|3B| slurp@inktomi.com|3B| http://www."; fast_pattern:33,20; http_header; content:!"inktomi.com/slurp.html"; within:22; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25870; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Dirt Jumper toolkit variant http flood attempt"; flow:to_server,established; content:"Mozilla/3.0 |28|Slurp.so/Goo|3B| slurp@inktomi.com|3B| http://www."; fast_pattern:37,20; http_header; content:!"inktomi.com/slurp.html"; within:22; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:attempted-dos; sid:25869; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Tors Hammer slow post flood attempt"; flow:to_server,established; content:"POST / HTTP/1.1|0D 0A|"; depth:17; content:"Keep-Alive: 900|0D 0A|Content-Length: 10000|0D 0A|"; fast_pattern:only; metadata:service http; classtype:denial-of-service; sid:23952; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-TOOLS Hulk denial of service attempt"; flow:established,to_server,only_stream; content:"q=0.7|2C 2A 3B|q=0.7"; fast_pattern; http_header; content:"Cache-Control: no-cache"; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*?[A-Z]{5,10}\x0d\x0a/H"; pcre:"/(\x3f|\x26)[A-Z]{3,10}\x3d[A-Z]{3,10}/U"; detection_filter:track by_dst, count 30, seconds 1; metadata:service http; reference:url,sectorix.com/2012/05/17/hulk-web-server-dos-tool/; classtype:attempted-dos; sid:22953; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS HOIC http denial of service attack"; flow:to_server,established,only_stream; content:"HTTP/1.0"; depth:500; content:"Host:"; http_header; content:"User-Agent|3A 20 20|Mozilla"; fast_pattern:only; http_header; detection_filter:track by_src, count 17, seconds 10; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:denial-of-service; sid:21513; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Havij advanced SQL injection tool user-agent string"; flow:to_server, established; content:"Havij"; http_header; pcre:"/User-Agent\:[^\x0a\x0d]+?Havij/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,itsecteam.com/en/projects/project1.htm; classtype:attempted-user; sid:21459; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS slowhttptest DoS tool"; flow:to_server,established; content:"Referer|3A| http|3A 2F 2F|code.google.com|2F|p|2F|slowhttptest"; fast_pattern:only; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,code.google.com/p/slowhttptest/; classtype:attempted-dos; sid:21104; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS JavaScript LOIC attack"; flow:to_server,established,only_stream; content:"/?id="; nocase; http_uri; content:"&msg="; within:5; distance:13; nocase; http_uri; detection_filter:track by_src, count 100, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; classtype:attempted-dos; sid:21092; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,587,995,993] (msg:"MALWARE-TOOLS THC SSL renegotiation DOS attempt"; flow:established,to_server,only_stream; ssl_state:!client_hello; content:"|16 03 03|"; depth:3; detection_filter:track by_src,count 100, seconds 1; metadata:service ssl; reference:cve,2011-1473; reference:cve,2011-5094; reference:url,www.thc.org/thc-ssl-dos/; classtype:attempted-dos; sid:20439; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,587,995,993] (msg:"MALWARE-TOOLS THC SSL renegotiation DOS attempt"; flow:established,to_server,only_stream; ssl_state:!client_hello; content:"|16 03 02|"; depth:3; detection_filter:track by_src,count 100, seconds 1; metadata:service ssl; reference:cve,2011-1473; reference:cve,2011-5094; reference:url,www.thc.org/thc-ssl-dos/; classtype:attempted-dos; sid:20438; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,587,995,993] (msg:"MALWARE-TOOLS THC SSL renegotiation DOS attempt"; flow:established,to_server,only_stream; ssl_state:!client_hello; content:"|16 03 01|"; depth:3; detection_filter:track by_src,count 100, seconds 1; metadata:service ssl; reference:cve,2011-1473; reference:cve,2011-5094; reference:url,www.thc.org/thc-ssl-dos/; classtype:attempted-dos; sid:20437; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,587,995,993] (msg:"MALWARE-TOOLS THC SSL renegotiation DOS attempt"; flow:established,to_server,only_stream; ssl_state:!client_hello; content:"|16 03 00|"; depth:3; detection_filter:track by_src,count 100, seconds 1; metadata:service ssl; reference:cve,2011-1473; reference:cve,2011-5094; reference:url,www.thc.org/thc-ssl-dos/; classtype:attempted-dos; sid:20436; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Anonymous Perl RefRef DoS tool"; flow:established,to_server; content:" and |28|select benchmark|28|99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f|29 29|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.refref.org/p/refref.html; classtype:attempted-dos; sid:19870; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Anonymous PHP RefRef DoS tool"; flow:established,to_server,only_stream; content:"Keep-Alive|3A| 900"; fast_pattern:only; http_header; content:"/-"; http_uri; pcre:"/^\/-\d{9}/U"; detection_filter:track by_dst, count 100, seconds 5; metadata:service http; reference:url,pastebin.com/eG8sLaWc; classtype:attempted-dos; sid:19869; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Hacker-Tool 0desa msn pass stealer 8.5 runtime detection"; flow:to_server,established; content:"sendmail.php?"; nocase; http_uri; content:"mail="; nocase; http_uri; content:"subject="; nocase; http_uri; content:"Odesa mpsteal form"; fast_pattern; nocase; http_uri; metadata:service http; classtype:misc-activity; sid:16138; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Slowloris http DoS tool"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| .NET CLR 1.1.4322|3B| .NET CLR 2.0.503l3|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729|3B| MSOffice 12|29 0D 0A|"; content:"Content-Length|3A| 42"; detection_filter:track by_src, count 10, seconds 300; metadata:service http; reference:cve,2007-0086; classtype:attempted-dos; sid:15578; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Hacker-Tool hippynotify 2.0 runtime detection"; flow:to_server,established; content:"/wwp/msg/1,,,00.html?"; fast_pattern; nocase; http_uri; content:"Uin="; nocase; http_uri; content:"Name="; nocase; http_uri; content:"Send=yes"; nocase; http_uri; pcre:"/Uin=\d+\x26Name=.*?IP-.*?USER-.*?TROJAN-.*?PORT-.*?PASSWORD-.*?OS-.*?WEBCAM-/smi"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078296; classtype:misc-activity; sid:12230; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4973 (msg:"MALWARE-TOOLS Hacker-Tool statwin runtime detection"; flow:to_server,established; content:"|F9 14|"; depth:2; isdataat:110,relative; content:"|B3 B3 84 86 83 83 F5 B3 B3 B3|"; within:10; distance:110; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098082; classtype:misc-activity; sid:10441; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-TOOLS Hacker-Tool spylply.a runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"|B0 AE B6 F9 CD F8 B5 C1|"; distance:0; nocase; pcre:"/^X-Mailer\x3a\s+\xb0\xae\xb6\xf9\xcd\xf8\xb5\xc1/smi"; metadata:service smtp; reference:url,db.kingsoft.com/virus/forecast/2005/06/08/43198.shtml; classtype:misc-activity; sid:10091; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-TOOLS Hacker-Tool davps runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"dialup_vpn@hermangroup.org"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"dialupvpn_pwd"; distance:0; nocase; content:"name="; nocase; content:"reaction.txt"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*dialup\x5fvpn\x40hermangroup\x2Eorg.*Subject\x3a[^\r\n]*dialupvpn\x5fpwd.*name\x3d[^\r\n]*\x22reaction\x2Etxt\x22/smi"; metadata:service smtp; reference:url,www.megasecurity.org/trojans/d/davps/Davps1.0.html; classtype:misc-activity; sid:7842; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-TOOLS Hacker-Tool nettracker runtime detection - report send through email"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"NetTracker"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*NetTracker/smi"; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=15; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080821; classtype:misc-activity; sid:7836; rev:6;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool nettracker runtime detection - report browsing"; flow:to_client,established; flowbits:isset,NetTrack_Spy_ReportBrowsing; content:"NetTracker"; nocase; content:"Sane Solutions"; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=15; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080821; classtype:misc-activity; sid:7835; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Hacker-Tool nettracker runtime detection - report browsing"; flow:to_server,established; content:"/NetTracker/"; nocase; http_uri; flowbits:set,NetTrack_Spy_ReportBrowsing; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:7834; rev:10;)
# alert tcp $HOME_NET 4563 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool clandestine runtime detection - image transferred"; flow:to_client,established; flowbits:isset,Clandestine_STC1; content:"<<DONE"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:misc-activity; sid:7586; rev:6;)
# alert tcp $HOME_NET 4563 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set image"; flow:to_client,established; flowbits:isset,Clandestine_CTS1; content:">>IMAGE|FF D8 FF E0 00 10|JFIF"; flowbits:set,Clandestine_STC1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:misc-activity; sid:7585; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4563 (msg:"MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open"; flow:to_server,established; content:"open"; depth:4; nocase; flowbits:set,Clandestine_CTS1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:misc-activity; sid:7584; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4563 (msg:"MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big"; flow:to_server,established; content:"big"; depth:3; nocase; flowbits:set,Clandestine_CTS1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:misc-activity; sid:7583; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool mini oblivion runtime detection - successful init connection"; flow:to_client,established; content:"OVN|01 00 01 00 1A 00 00 00|"; depth:11; content:"Mini"; distance:0; content:"Oblivion"; distance:0; content:"Ready"; distance:0; pcre:"/^OVN.*Mini\s+Oblivion.*Ready/"; reference:url,www.spywareguide.com/product_show.php?id=1599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=26770; classtype:misc-activity; sid:7542; rev:6;)
# alert tcp $HOME_NET 10607 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool coma runtime detection - ping"; flow:to_client,established; flowbits:isset,coma.2; content:"Pong"; depth:4; reference:url,www.spywareguide.com/product_show.php?id=1490; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090795; classtype:misc-activity; sid:7509; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10607 (msg:"MALWARE-TOOLS Hacker-Tool coma runtime detection - ping - flowbit set"; flow:to_server,established; content:"Ping"; depth:4; flowbits:set,coma.2; flowbits:noalert; classtype:misc-activity; sid:7508; rev:4;)
# alert tcp $HOME_NET 10607 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection"; flow:to_client,established; flowbits:isset,coma.1; content:"COMA Server Version"; depth:19; reference:url,www.spywareguide.com/product_show.php?id=1490; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090795; classtype:misc-activity; sid:7507; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10607 (msg:"MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection - flowbit set"; flow:to_server,established; content:"Hello"; depth:5; flowbits:set,coma.1; flowbits:noalert; classtype:misc-activity; sid:7506; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Hacker-Tool sars notifier runtime detection - cgi notification"; flow:to_server,established; content:"/?action=log"; fast_pattern; nocase; http_uri; content:"port="; nocase; http_uri; content:"rpass="; nocase; http_uri; content:"connection="; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7148; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool sars notifier runtime detection - sin notification"; flow:to_server,established; content:"Days"; nocase; content:"Hours"; distance:0; nocase; content:"Minutes"; distance:0; nocase; content:"Seconds"; distance:0; nocase; pcre:"/^0[^\r\n]*Days[^\r\n]*Hours[^\r\n]*Minutes[^\r\n]*Seconds\-[^\r\n]*\|\d+\-[^\r\n]*\-\|/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7146; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-TOOLS Hacker-Tool beee runtime detection - smtp"; flow:to_server,established; content:"X-OEM|3A|"; nocase; content:"iOpus"; distance:0; nocase; content:"Software"; distance:0; nocase; content:"GmbH"; distance:0; nocase; content:"X-Sender|3A|"; nocase; content:"iOpus"; distance:0; nocase; content:"Software"; distance:0; nocase; content:"GmbH"; distance:0; nocase; pcre:"/^X-OEM\x3A[^\r\n]*iOpus\s+Software\s+GmbH.*X-Sender\x3A[^\r\n]*iOpus\s+Software\s+GmbH/smi"; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=1729; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060657; classtype:misc-activity; sid:6477; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 42 (msg:"MALWARE-TOOLS Hacker-Tool sin stealer 1.1 runtime detection"; flow:to_server,established; content:"|07|MESSAGE|00 00 00 00|"; depth:12; reference:url,www.megasecurity.org/trojans/s/sinstealer/Sinstealer1.1.html; classtype:misc-activity; sid:6206; rev:7;)
# alert tcp $HOME_NET 7001 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool freak 88 das runtime detection"; flow:to_client,established; content:"hello>WELCOMEwho do u want to phuk today>"; depth:41; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=2181; classtype:misc-activity; sid:6205; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool ghostvoice 1.02 runtime detection - init connection with password requirement"; flow:to_server,established; flowbits:isset,GhostVoice_InitConnection_withpassword; content:"request|3A|"; depth:8; reference:url,www.spywareguide.com/product_show.php?id=1970; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073224; classtype:misc-activity; sid:5958; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool ghostvoice 1.02 runtime detection"; flow:to_client,established; content:"!Request!"; depth:9; flowbits:set,GhostVoice_InitConnection_withpassword; flowbits:noalert; classtype:misc-activity; sid:5957; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Hacker-Tool ghostvoice 1.02 icq notification of server installation"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"from=GhostVoiceServer"; nocase; content:"fromemail="; distance:0; nocase; content:"subject=GhostVoice"; distance:0; nocase; content:"Online"; distance:0; nocase; content:"body="; distance:0; nocase; content:"to="; distance:0; nocase; content:"Send="; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1970; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073224; classtype:misc-activity; sid:5956; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 407 (msg:"MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407"; flow:to_server; content:"|00|%|00 22|"; depth:4; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=955; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076680; classtype:misc-activity; sid:5897; rev:8;)
# alert tcp $HOME_NET 407 -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - tcp port 407"; flow:to_client,established; flowbits:isset,Timbuktu_Pro_TCPPort_407; content:"|01 01|"; depth:2; content:"|00 8E 00|%"; offset:4; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=955; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076680; classtype:misc-activity; sid:5896; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 407 (msg:"MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - tcp port 407"; flow:to_server,established; content:"|00 01|"; depth:2; content:"|00|R|00|%"; offset:4; flowbits:set,Timbuktu_Pro_TCPPort_407; flowbits:noalert; classtype:misc-activity; sid:5895; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - smb"; flow:to_server,established; content:"|5C 00|T|00|B|00|2|00|"; content:!"|2E|"; within:1; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=955; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076680; classtype:misc-activity; sid:5894; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 871 (msg:"MALWARE-TOOLS Hacker-Tool eraser runtime detection - disinfect"; flow:to_server,established; content:"Disinfect"; depth:9; nocase; reference:url,vil.nai.com/vil/content/v_109495.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072642; classtype:misc-activity; sid:5876; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 871 (msg:"MALWARE-TOOLS Hacker-Tool eraser runtime detection - detonate"; flow:to_server,established; content:"Detonate"; depth:8; nocase; reference:url,vil.nai.com/vil/content/v_109495.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072642; classtype:misc-activity; sid:5875; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - view netstat"; flow:to_client,established; flowbits:isset,StealthRedirector_ViewNetstat; content:"Proto Local IP"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5823; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - view netstat"; flow:to_server,established; content:"/NETS"; fast_pattern:only; flowbits:set,StealthRedirector_ViewNetstat; flowbits:noalert; classtype:misc-activity; sid:5822; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - destory log"; flow:to_client,established; flowbits:isset,StealthRedirector_DestoryLog; content:"Deleting "; depth:9; nocase; content:"ATTENTION|3A|"; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5821; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - destory log"; flow:to_server,established; content:"/LOGD"; depth:5; nocase; flowbits:set,StealthRedirector_DestoryLog; flowbits:noalert; classtype:misc-activity; sid:5820; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - check status"; flow:to_client,established; flowbits:isset,StealthRedirector_StatusCheck4; content:"FTP Redirection is"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5819; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - check status"; flow:to_client,established; flowbits:isset,StealthRedirector_StatusCheck3; content:"TCP Redirection is"; fast_pattern:only; flowbits:set,StealthRedirector_StatusCheck4; flowbits:noalert; classtype:misc-activity; sid:5818; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - check status"; flow:to_server,established; content:"/STAT"; depth:5; nocase; flowbits:set,StealthRedirector_StatusCheck3; flowbits:noalert; classtype:misc-activity; sid:5817; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - destory redirection"; flow:to_client,established; flowbits:isset,StealthRedirector_DestoryRedirection; content:"Redirection"; nocase; content:"destroyed"; distance:0; nocase; pcre:"/^(TC|FT)P\s+Redirections?\s+destroyed\x21/smi"; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5816; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - destory redirection"; flow:to_server,established; content:"DISC"; depth:10; offset:6; nocase; pcre:"/^\x2F(TC|FT)PD\s+DISC/smi"; flowbits:set,StealthRedirector_DestoryRedirection; flowbits:noalert; classtype:misc-activity; sid:5815; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - create redirection"; flow:to_client,established; flowbits:isset,StealthRedirector_CreateRedirection; content:"Created a connection redirect"; depth:29; nocase; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5814; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - create redirection"; flow:to_server,established; content:"CONN"; depth:10; offset:6; nocase; pcre:"/^\x2F(TC|FT)PD\s+CONN/smi"; flowbits:set,StealthRedirector_CreateRedirection; flowbits:noalert; classtype:misc-activity; sid:5813; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-TOOLS Hacker-Tool stealthredirector runtime detection - email notification"; flow:to_server,established; content:"From|3A| |22|Stealth Redirector|22|"; fast_pattern:only; content:"Subject|3A| My IP address"; nocase; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5812; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS PyLoris http DoS tool"; flow:to_server,established,only_stream; content:"User-Agent|3A| pylor"; fast_pattern:only; http_header; detection_filter:track by_src, count 10, seconds 300; metadata:service http; reference:cve,2012-5568; classtype:attempted-dos; sid:28532; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-TOOLS Browser Password Decryptor - Password List sent via FTP"; flow:to_client,established; content:"Browser Password Recovery Report|0D 0A|"; nocase; content:"Password List|20 0D 0A|"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data; reference:url,www.virustotal.com/en/file/7cf757e0943b0a6598795156c156cb90feb7d87d4a22c01044499c4e1619ac57/analysis/; classtype:trojan-activity; sid:29096; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt"; flow:to_server,established; content:"/ali.txt"; http_uri; urilen:8; content:"PUT"; http_method; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/3b0e2ab93a43db122bc9ba4448cb21c8ae01f18068b15a6e0a71db61fb943ed1/analysis/; classtype:misc-activity; sid:32875; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tool download attempt"; flow:to_client,established; file_data; content:"|82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32938; rev:1;)
# alert tcp any any -> any any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy communication attempt"; flow:established; content:!"HTTP/1"; content:"|E2 1D 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; within:4; distance:4; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32937; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tools download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 3A 80 F2 73 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32936; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS Win.Trojan.Dridex dropper message"; flow:to_server,established; file_data; content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/; classtype:trojan-activity; sid:34945; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt"; flow:to_server,established; urilen:20<>35; content:"Range: bytes="; fast_pattern; http_header; content:"-|0D 0A|"; within:8; http_header; content:".jpg?"; http_uri; content:"="; within:5; distance:10; http_uri; pcre:"/^\x2f[a-z-]+\.jpg\?[a-z0-9]+=\d{1,2}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:37651; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS TorStresser http DoS tool"; flow:to_server,established; content:"Window-Size|3A|"; fast_pattern:only; http_header; content:"User-Agent|3A|"; nocase; http_header; metadata:service http; reference:url,github.com/m4s0/torshammer666; classtype:attempted-dos; sid:38989; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Packer.ConfuserEx packed .NET executable attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"ConfusedByAttribute"; content:"ConfuserEx"; distance:0; fast_pattern; pcre:"/^\s+v[01]\.\d+\.\d+/R"; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/b3fd732050d9b0b0f32fafb0c5d3eb2652fd6463e0ec91233b7a72a48522f71a/analysis/; classtype:trojan-activity; sid:39638; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS CKnife penetration testing tool attempt"; flow:to_server,established; content:"=Response.Write%28%22-%3E%7C%22%29%3Bvar+Err%3AException%3B"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39773; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS CKnife penetration testing tool attempt"; flow:to_server,established; content:"=Response.Write%28%5C%22wscript.shell%5C%22%28.exec("; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39772; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS CKnife penetration testing tool attempt"; flow:to_server,established; content:"User-Agent: Java/"; http_header; content:"=1&action="; depth:20; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39771; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS CKnife penetration testing tool attempt"; flow:to_server,established; content:"=Execute(|22|Execute(|22 22|On+Error+Resume+Next:Function"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39744; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS slowhttptest DoS tool "; flow:to_server,established; content:"Referer|3A| https|3A 2F 2F|github.com|2F|shekyan|2F|slowhttptest|2F|"; fast_pattern:only; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.github.com/shekyan/slowhttptest; classtype:attempted-dos; sid:41771; rev:18;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-TOOLS Request to service that provices external IP address detected"; flow:to_server,established; urilen:10; content:"Host|3A| iplogger.info"; fast_pattern:only; content:!"User-Agent|3A|"; http_header; pcre:"/^\/[A-Z0-9]{5}\.(gif|jpg|png|txt)$/Ui"; metadata:service http; reference:url,virustotal.com/#/file/3b350ab5894259e843594f00151c5df5762d7225927093ad60514034348d164b/detection; classtype:trojan-activity; sid:44096; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random"; flow:to_server,established; ssl_state:client_hello; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; within:1; distance:3; content:"|03|"; within:1; distance:3; content:"|60 B4 20 BB 38 51 D9 D4 7A CB 93 3D BE 70 39 9B F6 C9 2D A3 3A F0 1D 4F B7 70 E9 8C|"; within:28; distance:5; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,github.com/RUB-NDS/TLS-Attacker; classtype:network-scan; sid:45831; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS Win.Tool.Delete variant download detected"; flow:to_server,established; file_data; content:"/|00|q|00 20 00|&|00|&|00 20 00|s|00|h|00|u|00|t|00|d|00|o|00|w|00|n|00 20 00|/|00|r|00 20 00|/|00|f|00 20 00|/|00|t|00 20 00|0|00|0|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1107/; classtype:attempted-user; sid:48502; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Tool.Delete variant download detected"; flow:to_client,established; file_data; content:"/|00|q|00 20 00|&|00|&|00 20 00|s|00|h|00|u|00|t|00|d|00|o|00|w|00|n|00 20 00|/|00|r|00 20 00|/|00|f|00 20 00|/|00|t|00 20 00|0|00|0|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1107/; classtype:attempted-user; sid:48501; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"MALWARE-TOOLS JexBoss User-Agent detected"; flow:established,to_server; content:"User-Agent|3A 20|jexboss"; fast_pattern:only; http_header; reference:url,github.com/joaomatosf/jexboss; classtype:trojan-activity; sid:48571; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers"; flow:established,to_server; content:"X-JEX"; fast_pattern:only; http_header; reference:url,github.com/joaomatosf/jexboss; classtype:trojan-activity; sid:48570; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-TOOLS JexBoss webshell download"; flow:established,to_server; content:"/rnp/jexws"; fast_pattern; http_uri; content:".war"; distance:0; http_uri; reference:url,github.com/joaomatosf/jexboss; classtype:trojan-activity; sid:48569; rev:1;)

21
docker/etc/rules/misc.rules Archivo normal

@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------
# MISC RULES
#------------


@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# MULTIMEDIA RULES
#------------------

21
docker/etc/rules/mysql.rules Archivo normal

@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------
# MYSQL RULES
#-------------

265
docker/etc/rules/netbios.rules Archivo normal

@@ -0,0 +1,265 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------
# NETBIOS RULES
#---------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:534; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:535; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:ruleset community; reference:cve,2003-0201; classtype:protocol-command-decode; sid:2103; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community, service netbios-ssn; classtype:attempted-dos; sid:2191; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2401; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2402; rev:10;)
# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; metadata:ruleset community, service netbios-ns; reference:bugtraq,10333; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:7;)
# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; metadata:ruleset community, service netbios-ns; reference:bugtraq,10335; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:7;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community, service netbios-ssn; classtype:unsuccessful-user; sid:2924; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:2474; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP winreg InitiateSystemShutdown attempt"; flow:established,to_server; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:24; metadata:ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2942; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3031; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3033; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3039; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3040; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3041; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3043; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3042; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3045; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3044; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3047; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3046; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3049; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3048; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3051; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3050; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3053; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3052; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3055; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3054; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3057; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3056; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3135; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3141; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3140; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3139; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3137; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3142; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3136; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3138; rev:10;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB Trans unicode data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3641; rev:3;)
# alert udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 (msg:"NETBIOS SMB Trans andx data displacement null pointer DOS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3647; rev:4;)
# alert udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 (msg:"NETBIOS SMB Trans data displacement null pointer DOS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3648; rev:4;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; metadata:service netbios-ssn; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3644; rev:4;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB Trans data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3640; rev:3;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans unicode andx data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; metadata:service netbios-ssn; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3646; rev:4;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB Trans andx data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3639; rev:3;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans andx data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; metadata:service netbios-ssn; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3643; rev:4;)
# alert udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 (msg:"NETBIOS SMB Trans unicode data displacement null pointer DOS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3649; rev:4;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3642; rev:3;)
# alert udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 (msg:"NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3650; rev:4;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans unicode data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; metadata:service netbios-ssn; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3645; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup unicode andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2404; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2403; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community; classtype:attempted-dos; sid:2190; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4671; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4657; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4661; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4664; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4668; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4652; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4672; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4662; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4651; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4656; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4670; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4669; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4665; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4674; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4655; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4654; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4659; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4666; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4660; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4667; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4653; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4673; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4658; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4663; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Session Setup andx username overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5683; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5679; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Session Setup unicode andx username overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5684; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5678; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Session Setup unicode username overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5681; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5677; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup unicode andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5682; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Session Setup username overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5680; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6712; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6709; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; metadata:service netbios-ssn; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6711; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans Secondary Param Count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6706; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6708; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; metadata:service netbios-ssn; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6705; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6707; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; metadata:service netbios-ssn; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6704; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans Secondary Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6702; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6703; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; metadata:service netbios-ssn; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6710; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6713; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Session Service NetDDE attack"; flow:established,to_server; content:"|00|"; depth:1; content:"|01 00 00 00|"; depth:4; offset:36; content:!"|03 00|"; depth:2; offset:44; byte_jump:2,50, from_beginning; content:!"|00|"; within:34; distance:58; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:11816; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2 maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11945; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Datagram Service NetDDE attack"; content:"|10|"; depth:1; content:"|01 00 00 00|"; depth:4; offset:114; content:!"|03 00|"; depth:2; offset:122; byte_jump:2,128,from_beginning; content:!"|00|"; within:34; distance:136; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:11946; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Trans2 OPEN2 unicode andx maximum param count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11964; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 OPEN2 unicode andx maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:service netbios-ssn; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11962; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11958; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 OPEN2 unicode maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:service netbios-ssn; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11956; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2 unicode andx maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11960; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2 andx maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11959; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Trans2 OPEN2 andx maximum param count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11963; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Trans2 OPEN2 maximum param count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11957; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 OPEN2 andx maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:service netbios-ssn; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11961; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 OPEN2 maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:service netbios-ssn; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11955; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"D|00 03 00|"; depth:4; byte_test:4,>,520,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12332; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"0|00 0A 00|"; depth:4; byte_test:4,>,260,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12341; rev:12;)
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community; classtype:unsuccessful-user; sid:2923; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /sql/query unicode andx create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; sid:15326; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /sql/query unicode andx create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; classtype:protocol-command-decode; sid:15324; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /sql/query unicode create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; sid:15322; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /sql/query unicode create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; classtype:protocol-command-decode; sid:15320; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /sql/query andx create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; sid:15325; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /sql/query create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; classtype:protocol-command-decode; sid:15319; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /sql/query andx create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; classtype:protocol-command-decode; sid:15323; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /sql/query create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; sid:15321; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB session negotiation request"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBr"; within:5; distance:3; flowbits:set,smb.session.negotiate; flowbits:noalert; metadata:service netbios-ssn; classtype:misc-activity; sid:16381; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS NT QUERY SECURITY DESC flowbit"; flow:to_server,established; content:"|FF|SMB|A0|"; depth:5; offset:4; isdataat:66,relative; content:"|06 00|"; within:2; distance:64; flowbits:set,smb.query_sec_desc; flowbits:noalert; metadata:service netbios-ssn; classtype:misc-activity; sid:16538; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Timbuktu Pro overflow andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16766; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /PlughNTCommand unicode create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips alert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16761; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /PlughNTCommand unicode andx create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips alert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16760; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /PlughNTCommand create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips alert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16759; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16764; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /PlughNTCommand andx create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips alert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16758; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16762; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian object call overflow attempt"; flow:established,to_server; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05|"; byte_test:1,&,16,3,relative,dce; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative,dce; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,64,12,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-4398; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143; classtype:attempted-admin; sid:17634; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 overflow attempt"; flow:to_server,established; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05|"; byte_test:1,!&,16,3,relative,dce; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,64,12,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-4398; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143; classtype:attempted-admin; sid:17637; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 object call overflow attempt"; flow:established,to_server; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05|"; byte_test:1,!&,16,3,relative,dce; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative,dce; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,64,12,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-4398; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143; classtype:attempted-admin; sid:17636; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB TRANS2 Find_First2 request attempt"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:18; content:"|00 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:10; flowbits:set,smb.trans2.findfirst2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:17745; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum attempt"; flow:to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"_t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; depth:20; offset:68; metadata:policy max-detect-ips drop; reference:bugtraq,24198; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18192; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt"; flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"_t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; depth:20; offset:68; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24198; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18191; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt"; flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"^t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; depth:20; offset:48; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24198; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18189; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum attempt"; flow:to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"^t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; depth:20; offset:48; metadata:policy max-detect-ips drop; reference:bugtraq,24198; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18190; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request"; flow:established,to_server; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; content:"|10 00|"; depth:2; offset:65; flowbits:set,smb.trans2.get_dfs_referral; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:19190; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS Juniper Odyssey Access Client DSSETUPSERVICE_CMD_UNINSTALL overflow attempt"; flow:established,to_server; flowbits:isset,smb.neoteris; content:"|FF|SMB|2F|"; depth:5; offset:4; content:"|03 00 00 00|"; within:4; distance:62; isdataat:228,relative; metadata:service netbios-ssn; reference:cve,2009-4643; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=850; classtype:attempted-admin; sid:19817; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS Juniper NeoterisSetupService named pipe access attempt"; flow:established,to_server,no_stream; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|NeoterisSetupService"; within:21; distance:78; fast_pattern; nocase; flowbits:set,smb.neoteris; flowbits:noalert; metadata:service netbios-ssn; reference:cve,2009-4643; classtype:protocol-command-decode; sid:19816; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP NetShareEnumAll request"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; content:"|00|"; depth:1; content:"|FF|SMB|25|"; within:5; distance:3; content:"|00 00 00 00|"; within:4; byte_test:1,!&,128,0,relative,dce; flowbits:set,dce.net_share_enum_all.request; flowbits:noalert; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1049; classtype:protocol-command-decode; sid:20274; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt"; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:1; dce_stub_data; byte_test:4,>,128,20,dce; classtype:attempted-admin; sid:9773; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath overflow attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:43; dce_stub_data; isdataat:672; content:!"|00|"; depth:672; metadata:policy max-detect-ips drop; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060313.pdf; classtype:attempted-admin; sid:9441; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc GetGroupStatus overflow attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:37; dce_stub_data; byte_test:4,>,4096,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,21221; reference:cve,2006-6076; reference:url,www.lssec.com/advisories/LS-20060908.pdf; classtype:attempted-admin; sid:9806; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP msqueue function 1 overflow attempt"; flow:established,to_server; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:1; dce_stub_data; byte_test:4,>,128,20,dce; classtype:attempted-admin; sid:9772; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters Name Field attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; byte_test:4,>,283,16,dce; content:"N|00|e|00|t|00|W|00|a|00|r|00|e|00| |00|R|00|e|00|m|00|o|00|t|00|e|00| |00|P|00|r|00|i|00|n|00|t|00|e|00|r|00|s|00|"; depth:46; offset:20; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-0639; classtype:protocol-command-decode; sid:15881; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP svcctl ChangeServiceConfig2A attempt"; flow:established,to_server; dce_iface:367abb81-9844-35f1-ad32-98f038001003; dce_opnum:36; dce_stub_data; byte_test:4,=,1,24,dce; content:"|00 00 00 00|"; depth:4; classtype:protocol-command-decode; sid:10285; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters overflow attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; byte_test:4,>,256,16,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,21220; reference:cve,2006-5854; reference:cve,2006-6114; reference:cve,2008-0639; classtype:attempted-admin; sid:13162; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss OpenPrinter overflow attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:1; dce_stub_data; byte_test:4,>,458,4,dce; metadata:service netbios-ssn; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12808; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss RouteRefreshPrinterChangeNotification attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:65; dce_stub_data; pcre:"/^.{32}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,26,48,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2007-2446; classtype:protocol-command-decode; sid:15911; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrShareEnum null policy handle attempt"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:8; classtype:protocol-command-decode; sid:15448; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum overflow attempt"; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; byte_test:4,>,16777215,24,dce; pcre:"/^.{16}(([\x01\x02\x03\x04\xC8]\x00|\x2C\x01)\x00{2}|\x00{2}(\x00[\x01\x02\x03\x04]|\x01\x2C))/s"; metadata:policy max-detect-ips drop; reference:bugtraq,24198; reference:cve,2007-2446; classtype:attempted-admin; sid:14988; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss GetPrinterData attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:26; dce_stub_data; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,65536,0,relative,dce; metadata:service netbios-ssn; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13367; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP lsarpc LsarAddPrivilegesToAccount overflow attempt"; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:19; dce_stub_data; isdataat:32; pcre:"/^.{20}(.{4}).{4}(?!\1)/s"; metadata:policy max-detect-ips drop; reference:cve,2007-2446; classtype:attempted-admin; sid:11443; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:8; metadata:ruleset community; classtype:protocol-command-decode; sid:529; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity integer overflow attempt"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:40; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,=,4294967295,40,relative,dce; metadata:policy max-detect-ips drop; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12985; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request"; flow:established,to_server; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,128,0,relative; content:"|01 00|"; within:2; distance:52; content:"|04 01|"; within:2; distance:11; flowbits:set,smb.trans2.fileinfo; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:24972; rev:3;)
# alert tcp any any -> $HOME_NET [139,445] (msg:"NETBIOS SMB named pipe bruteforce attempt"; flow:established,to_server,no_stream; content:"|FF|SMB|A2 00 00 00 00|"; depth:10; offset:3; content:"|FF 00 00 00 00|"; within:5; distance:24; content:"|07 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 00|"; within:17; distance:26; content:"|5C|"; within:1; distance:2; pcre:"/^(samr|atsvc|DAV RPC SERVICE|epmapper|InitShutdown|LSM_API_service|plugplay|protected_storage|SapiServerPipeS-1-5-5-0-70123|scerpc|tapsrv|trkwks|W32TIME_ALT|PIPE_EVENTROOT\x5cCIMV2SCM EVENT PROVIDER|db2remotecmd)\x00$/R"; detection_filter:track by_src, count 14, seconds 1; metadata:service netbios-ssn; reference:url,www.metasploit.com/modules/auxiliary/scanner/smb/pipe_auditor; classtype:attempted-recon; sid:26321; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters overflow attempt"; flow:established,to_server; content:"N|00|e|00|t|00|W|00|a|00|r|00|e|00| |00|R|00|e|00|m|00|o|00|t|00|e|00| |00|P|00|r|00|i|00|n|00|t|00|e|00|r|00|s|00 21 00|"; isdataat:300,relative; content:!"|00 00|"; within:300; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,21220; reference:cve,2006-5854; reference:cve,2006-6114; reference:cve,2008-0639; classtype:attempted-admin; sid:29621; rev:2;)
# alert tcp $EXTERNAL_NET 139 -> $HOME_NET any (msg:"NETBIOS SMB server response heap overflow attempt"; flow:established,to_client; isdataat:500; content:"|00|"; depth:1; byte_test:4, >, 66563, 0; byte_test:4, <, 131072, 0; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,29404; reference:cve,2008-1105; classtype:attempted-user; sid:32631; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"NETBIOS Wireshark console.lua file load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"c|00|o|00|n|00|s|00|o|00|l|00|e|00|.|00|l|00|u|00|a|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,49528; reference:cve,2011-3360; reference:url,www.wireshark.org/security/wnpa-sec-2011-15.html; classtype:attempted-user; sid:23238; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP ca-alert function 16,23,40, and 41 overflow attempt"; flow:established,to_server; dce_iface:3d742890-397c-11cf-9bf1-00805f88cb72; dce_opnum:16,23,40,41; dce_stub_data; byte_test:4,>,950,8,dce; content:"|05 00 00|"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,28605; reference:cve,2007-4620; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:20061; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"NETBIOS DCERPC NCACN-IP-TCP CA Arcserve Backup directory traversal attempt"; flow:established,to_server; dce_iface:506B1890-14C8-11D1-BBC3-00805FA6962E; dce_opnum:342; dce_stub_data; pcre:"/(\x2E\x2E[\x5C\x2F]){3}/"; content:"|05 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,31684; reference:cve,2008-4397; classtype:attempted-admin; sid:19890; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt"; flow:established,to_server; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:15; dce_stub_data; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:20; byte_extract:4,0,count,relative,dce; byte_test:4,>,count,4,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18472; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|09 00 0A 00|"; depth:4; byte_test:4,>,600,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:17715; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|08 00 0A 00|"; depth:4; byte_test:4,>,600,0,relative,dce; metadata:policy max-detect-ips drop; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:17714; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|47 00 03 00|"; depth:4; byte_test:4,>,98,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:17707; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor opnum 43 overflow attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:43; dce_stub_data; byte_test:4,>,624,0,dce; metadata:policy max-detect-ips drop; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:17640; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian overflow attempt"; flow:established,to_server; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05 00 00 03 10 00 00 00|"; depth:8; content:"|00 00 00 00 00 00|"; within:6; distance:14; isdataat:65,relative; content:!"|00|"; within:65; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-4398; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143; classtype:attempted-admin; sid:17635; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters name overflow attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; byte_test:4,>,100,16,dce; content:"N|00|e|00|t|00|W|00|a|00|r|00|e|00| |00|R|00|e|00|m|00|o|00|t|00|e|00| |00|P|00|r|00|i|00|n|00|t|00|e|00|r|00|s|00|"; depth:46; offset:20; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,25092; reference:cve,2007-6701; reference:url,support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5005400.html; classtype:attempted-admin; sid:17321; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB negotiate protocol request - ascii strings"; flow:to_server,established; content:"|FF|SMB|72 00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,0x40,0,relative,little; byte_test:2,!&,0x8000,1,relative,little; flowbits:set,smb.req.ascii; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; sid:17151; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16765; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16763; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /PlughNTCommand unicode create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16757; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /PlughNTCommand unicode andx create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16756; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /PlughNTCommand create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16755; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /PlughNTCommand andx create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16754; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x3B null strings attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:59; dce_stub_data; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,35396; reference:cve,2009-1761; classtype:attempted-dos; sid:15710; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x13 overflow attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:19; dce_stub_data; byte_test:4,=,1,0,dce; byte_test:4,>,64000,8,dce; byte_test:4,=,0,12,dce; byte_test:4,>,64000,16,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,35396; reference:cve,2009-1761; classtype:attempted-dos; sid:15702; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum overflow attempt"; flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; byte_test:4,>,16777215,24,dce; pcre:"/^.{16}(([\x01\x02\x03\x04\xC8]\x00|\x2C\x01)\x00{2}|\x00{2}(\x00[\x01\x02\x03\x04]|\x01\x2C))/s"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24198; reference:cve,2007-2446; classtype:attempted-admin; sid:14900; rev:15;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB server response heap overflow attempt"; flow:established,to_client; flowbits:isset,smb.session.negotiate; flowbits:unset,smb.session.negotiate; isdataat:500; content:"|00|"; depth:1; byte_test:4, >, 66563, 0; byte_test:4, <, 131072, 0; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,29404; reference:cve,2008-1105; classtype:attempted-user; sid:13901; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity integer overflow attempt"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:40; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,=,4294967295,40,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12984; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 overflow attempt"; flow:established,to_server; dce_iface:506B1890-14C8-11D1-BBC3-00805FA6962E; dce_opnum:269; dce_stub_data; pcre:"/^.{268}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,190,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5327; classtype:attempted-admin; sid:12940; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 attempt"; flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:19; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12934; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 attempt"; flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:18; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12928; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 attempt"; flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:16; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12922; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 attempt"; flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:12; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12916; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 attempt"; flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:4; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12910; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrWkstaGetInfo attempt"; flow:established,to_server; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:2; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12489; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|10 00 0A 00|"; depth:4; byte_test:4,>,520,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12347; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; pcre:"/^(\x10|\x0d)/s"; content:"|00 03 00|"; within:3; byte_test:4,>,38,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:attempted-admin; sid:12335; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|0C 01 03 00|"; depth:4; byte_test:4,>,512,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12326; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|00 1F 00|"; depth:3; offset:1; byte_test:4,>,512,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,23866; reference:bugtraq,25395; reference:cve,2007-2508; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12317; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|08 05 03 00|"; depth:4; byte_test:4,>,528,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12307; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC-NCACN-IP-TCP ca alert function 16/23 overflow attempt"; flow:established,to_server; dce_iface:3d742890-397c-11cf-9bf1-00805f88cb72; dce_opnum:16,23; dce_stub_data; byte_test:4,>,200,12,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12100; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:19; dce_stub_data; isdataat:32; pcre:"/^.{20}(.{4}).{4}(?!\1)/s"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2007-2446; classtype:attempted-admin; sid:11442; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc corrupt user-supplied memory address attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:15,16,17; content:"|05 00 00 03 10 00 00 00 1C 00|"; depth:10; content:"|0F 00 00 00 00 00|"; within:6; distance:12; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22994; reference:cve,2006-6076; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10486; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|17 00 0A 00|"; depth:4; byte_test:4,>,600,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10208; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetRealTimeScanConfigInfo attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|04 00 03 00|"; depth:4; byte_test:4,>,600,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10202; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc GetGCBHandleFromGroupName overflow attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:207; dce_stub_data; byte_test:4,>,1024,0,dce; metadata:policy max-detect-ips drop; reference:bugtraq,22005; reference:cve,2007-0169; classtype:attempted-admin; sid:10117; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 ASDBLoginToComputer overflow attempt"; flow:established,to_server; dce_iface:506B1890-14C8-11D1-BBC3-00805FA6962E; dce_opnum:117; dce_stub_data; byte_test:4,>,119,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10050; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor ASRemotePFC overflow attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:47; dce_stub_data; byte_test:4,>,624,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10036; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath_Function_45 overflow attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:45; dce_stub_data; byte_test:4,>,1,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,20365; reference:cve,2006-5143; reference:cve,2006-6076; classtype:attempted-admin; sid:10030; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ClientDBMiniAgentClose attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:191; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22010; reference:cve,2007-0168; reference:url,www.kb.cert.org/vuls/id/662400; reference:url,www.lssec.com/advisories/LS-20061002.pdf; classtype:protocol-command-decode; sid:10024; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:38; content:"|05 00 00|"; depth:3; content:"|26 00 10 09 F9 77|"; within:6; distance:19; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:10018; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6106 (msg:"NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt"; flow:established,to_server; dce_iface:93841fd0-16ce-11ce-850d-02608c44967b; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,14020; reference:cve,2005-0771; reference:url,www.idefense.com/application/poi/display?id=269&type=vulnerabilities; classtype:protocol-command-decode; sid:3697; rev:13;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB client NULL deref race condition attempt "; flow:to_client,established,no_stream; content:"|FF|SMB|72|"; depth:5; offset:4; byte_test:1,&,128,4,relative; content:"|00|"; depth:1; detection_filter:track by_dst, count 25, seconds 1; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-0017; reference:cve,2010-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:attempted-admin; sid:16418; rev:10;)
# alert tcp any any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Corel PaintShop Pro u32zlib.dll dll-load exploit attempt"; flow:established,to_server; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"u|00|3|00|2|00|z|00|l|00|i|00|b|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34916; rev:4;)
# alert tcp any any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Corel PaintShop Pro quserex.dll dll-load exploit attempt"; flow:established,to_server; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"q|00|u|00|s|00|e|00|r|00|e|00|x|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34915; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:16; dsize:29; content:"|05 00 00 03 10 00 00 00|"; depth:8; content:"|10 00|"; within:2; distance:14; byte_extract:1,0,memoryAddr,relative,multiplier 257; byte_test:2,=,memoryAddr,0,relative; byte_test:2,=,memoryAddr,1,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:36877; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB samr named pipe creation attempt"; flow:to_server,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|05 00|"; within:2; distance:6; content:"s|00|a|00|m|00|r|00|"; fast_pattern:only; metadata:service netbios-ssn; classtype:misc-activity; sid:38322; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB svcctl named pipe creation attempt"; flow:to_server,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|05 00|"; within:2; distance:6; content:"s|00|v|00|c|00|c|00|t|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; classtype:misc-activity; sid:38321; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB srvsvc named pipe creation attempt"; flow:to_server,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|05 00|"; within:2; distance:6; content:"s|00|r|00|v|00|s|00|v|00|c|00|"; fast_pattern:only; metadata:service netbios-ssn; classtype:misc-activity; sid:38320; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB winreg named pipe creation attempt"; flow:to_server,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|05 00|"; within:2; distance:6; content:"w|00|i|00|n|00|r|00|e|00|g|00|"; fast_pattern:only; metadata:service netbios-ssn; classtype:misc-activity; sid:38319; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; content:"|FF|SMB"; content:"|05 00 00 03 10 00 00 00|"; within:48; distance:48; content:"|13 00|"; within:2; distance:14; byte_extract:4,24,count,relative; byte_test:4,>,count,0,relative; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2007-2446; classtype:attempted-admin; sid:39875; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NETBIOS DCERPC possible wmi remote process launch"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; metadata:service dcerpc; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,car.mitre.org/wiki/CAR-2014-12-001; classtype:policy-violation; sid:43370; rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB NTLMSSP authentication brute force attempt"; flow:to_server,established,no_stream; content:"|FF|SMB|73|"; depth:5; offset:4; content:"NTLMSSP|00 03 00 00 00|"; fast_pattern:only; detection_filter:track by_src, count 5, seconds 1; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1110; reference:url,en.wikipedia.org/wiki/NTLMSSP; classtype:attempted-user; sid:44651; rev:4;)
alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB SESSION_SETUP subcommand detected"; flow:to_server,established; content:"|FF|SMB2"; depth:5; offset:4; content:"|0E 00|"; within:2; distance:56; flowbits:set,smb.session_setup_subcommand; flowbits:noalert; metadata:service netbios-ssn; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; classtype:protocol-command-decode; sid:45515; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS MikroTik RouterOS buffer overflow attempt"; flow:to_server,established; content:"|81 00|"; depth:2; byte_test:2,>,75,0,relative; byte_extract:2,0,len,relative; isdataat:!len,relative; isdataat:len; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,103427; reference:cve,2018-7445; classtype:attempted-user; sid:46076; rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB NTLM Authentication with unknown authentication message type attempt"; flow:to_server,established; content:"|FF|SMB|73|"; depth:5; offset:4; content:"NTLMSSP|00|"; distance:0; content:!"|01 00 00 00|"; within:4; content:!"|02 00 00 00|"; within:4; content:!"|03 00 00 00|"; within:4; metadata:service netbios-ssn; classtype:misc-activity; sid:46403; rev:1;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB client NULL deref race condition attempt "; flow:to_client,established,only_stream; content:"|FF|SMB|72|"; depth:5; offset:4; byte_test:1,&,128,4,relative; content:"|00|"; depth:1; detection_filter:track by_dst, count 25, seconds 1; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-0017; reference:cve,2010-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:attempted-admin; sid:46637; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS Cisco WebEx WebExService.exe remote code execution attempt"; flow:to_server,established; content:"|FF|SMB|2F|"; content:"s|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00|-|00|u|00|p|00|d|00|a|00|t|00|e|00 00 00 02 00 00 00 00 00 00 00 02 00 00 00|1|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-15442; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection; classtype:attempted-admin; sid:48241; rev:1;)

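--- a/docker/etc/rules/nntp.rules
+++ b/docker/etc/rules/nntp.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#------------
+# NNTP RULES
+#------------
+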
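--- a/docker/etc/rules/oracle.rules
+++ b/docker/etc/rules/oracle.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#--------------
+# ORACLE RULES
+#--------------
+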

@@ -0,0 +1,79 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------
# OS-LINUX RULES
#----------------
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP duplicate cookie denial of service attempt"; ip_proto:132; content:"|0A 00|"; depth:2; offset:12; fast_pattern; byte_extract:4,0,chunk_length_plus_cookie_crumb,relative; content:"|0A 00|"; distance:0; byte_test:4,=,chunk_length_plus_cookie_crumb,0,relative; reference:bugtraq,60715; reference:cve,2013-2206; classtype:attempted-dos; sid:30326; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel IA32 out-of-bounds system call attempt"; flow:to_server,established; file_data; content:"kernelmodecode"; fast_pattern:only; content:"commit_creds"; nocase; content:"prepare_kernel_cred"; distance:0; metadata:service smtp; reference:cve,2010-3301; classtype:attempted-admin; sid:24371; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel IA32 out-of-bounds system call attempt"; flow:to_client,established; file_data; content:"kernelmodecode"; fast_pattern; content:"commit_creds"; distance:0; nocase; content:"prepare_kernel_cred"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3301; classtype:attempted-admin; sid:24370; rev:5;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Red Hat Enterprise Linux DNS resolver buffer overflow attempt"; flow:to_client; content:"|D3 A9 85 80 00 01 00|2"; metadata:service dns; reference:bugtraq,6186; reference:cve,2002-0029; classtype:attempted-admin; sid:15963; rev:5;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt"; ip_proto:33; content:"|22|"; depth:1; offset:29; byte_test:1,<,4,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,30704; reference:cve,2008-3276; classtype:denial-of-service; sid:15907; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"OS-LINUX ntalkd x86 Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-LINUX Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-LINUX x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; metadata:ruleset community; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:265; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:264; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:262; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel ARM put_user write outside process address space privilege escalation attempt"; flow:to_server,established; file_data; content:"|02 98 2A 1C 01 F0 4C EE A8 42 02 D0 1B 48 78 44 17 E0 E2 19 01 98 19 49 08 F0 81 FA 01 30 04 D1|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,63734; reference:cve,2013-6282; classtype:attempted-admin; sid:28999; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel ARM put_user write outside process address space privilege escalation attempt"; flow:to_client,established; file_data; content:"|02 98 2A 1C 01 F0 4C EE A8 42 02 D0 1B 48 78 44 17 E0 E2 19 01 98 19 49 08 F0 81 FA 01 30 04 D1|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,63734; reference:cve,2013-6282; classtype:attempted-admin; sid:28998; rev:2;)
# alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:2; content:"|11|"; depth:1; content:"|00|"; within:1; metadata:policy max-detect-ips drop; reference:cve,2012-0207; classtype:denial-of-service; sid:25314; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel sctp_rcv_ootb invalid chunk length DoS attempt"; ip_proto:132; content:"|00 00|"; depth:2; offset:14; metadata:policy max-detect-ips drop; reference:bugtraq,38857; reference:cve,2010-0008; classtype:attempted-dos; sid:18997; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP Unknown Chunk Types denial of service attempt"; ip_proto:132; dsize:>12; byte_test:1,>,14,12; metadata:policy max-detect-ips drop; reference:bugtraq,24376; reference:bugtraq,54797; reference:cve,2007-2876; classtype:attempted-dos; sid:17302; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel sctp_process_unk_param SCTPChunkInit buffer overflow attempt"; ip_proto:132; content:"|01|"; depth:1; offset:12; byte_test:2,>,0xC000,19,relative; pcre:!"/^.{19}\xC0[\x05\x06\x09\x0B\x0C]/sR"; byte_jump:2,21,relative,align,post_offset -4; byte_test:2,>,0xC000,0,relative; pcre:!"/^\xC0[\x05\x06\x09\x0B\x0C]/R"; metadata:policy max-detect-ips drop; reference:bugtraq,39794; reference:cve,2010-1173; classtype:attempted-admin; sid:16724; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"OS-LINUX Linux Kernel NFSD Subsystem overflow attempt"; flow:to_server; content:"|00 00 00 22|"; content:"|00 00 00 01 00 00 10 00 00 00 03|D|00 00 00 1A|"; within:16; distance:16; metadata:policy max-detect-ips drop; reference:bugtraq,31133; reference:cve,2008-3915; classtype:attempted-dos; sid:16352; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt"; ip_proto:33; content:" "; depth:1; offset:29; byte_test:1,<,4,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,30704; reference:cve,2008-3276; classtype:denial-of-service; sid:15906; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux SCTP malformed forward-tsn chunk arbitrary code execution attempt"; ip_proto:132; content:"|C0 00|"; depth:2; offset:12; byte_test:2,>,500,0,relative,big; metadata:policy max-detect-ips drop; reference:bugtraq,33113; reference:cve,2009-0065; classtype:attempted-admin; sid:15490; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX kernel SCTP chunkless packet denial of service attempt"; ip_proto:132; dsize:12; metadata:policy max-detect-ips drop; reference:bugtraq,18755; reference:cve,2006-2934; classtype:attempted-dos; sid:7021; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP Unknown Chunk Types denial of service attempt"; ip_proto:132; dsize:>12; content:"|C1|"; depth:1; offset:12; byte_test:2,&,3,18,relative; reference:cve,2014-3673; classtype:attempted-dos; sid:34802; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux Kernel keyring object exploit download attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"libkeyutils"; content:"keyctl"; within:200; content:"|B8 FC FF FF FF 48 39 45 E8|"; content:"|BA 88 00 00 00|"; content:"|48 83 7D E8 3F|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0728; classtype:attempted-admin; sid:37438; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux Kernel keyring object exploit download attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"libkeyutils"; content:"keyctl"; within:200; content:"|83 7D E4 FC|"; content:"|68 88 00 00 00|"; content:"|83 7D E4 3F|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0728; classtype:attempted-admin; sid:37437; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux Kernel keyring object exploit download attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"libkeyutils"; content:"keyctl"; within:200; content:"|B8 FC FF FF FF 48 39 45 E8|"; content:"|BA 88 00 00 00|"; content:"|48 83 7D E8 3F|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0728; classtype:attempted-admin; sid:37436; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux Kernel keyring object exploit download attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"libkeyutils"; content:"keyctl"; within:200; content:"|83 7D E4 FC|"; content:"|68 88 00 00 00|"; content:"|83 7D E4 3F|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0728; classtype:attempted-admin; sid:37435; rev:2;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt"; ip_proto:132; content:"|01|"; depth:1; offset:12; fast_pattern; content:"|80 00|"; depth:2; offset:40; content:!"|C0 00|"; within:6; distance:2; content:!"|0F|"; depth:1; offset:48; reference:bugtraq,65943; reference:cve,2014-0101; classtype:attempted-dos; sid:37654; rev:1;)
alert tcp $EXTERNAL_NET 3240 -> $HOME_NET any (msg:"OS-LINUX Linux Kernel USBIP out of bounds write attempt"; flow:to_client,established; file_data; content:"|00 00 00 03|"; depth:4; content:"|00 00 00 01|"; within:4; distance:8; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,0x78,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-3955; reference:url,kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.3; classtype:attempted-dos; sid:39894; rev:2;)
alert tcp $EXTERNAL_NET 3240 -> $HOME_NET any (msg:"OS-LINUX Linux Kernel USBIP out of bounds write attempt"; flow:to_client,established; file_data; content:"|00 00 00 02|"; depth:4; content:"|00 00 00 01|"; within:4; distance:8; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,0x78,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-3955; reference:url,kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.3; classtype:attempted-dos; sid:39893; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux Kernel Challenge ACK provocation attempt"; flow:to_server,no_stream; flags:R; detection_filter:track by_src, count 200, seconds 1; metadata:ruleset community; reference:bugtraq,91704; reference:cve,2016-5696; reference:cve,2017-7285; classtype:attempted-admin; sid:40063; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; content:"procselfmemThread"; fast_pattern:only; content:"madviseThread"; content:"/proc/self/mem"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40543; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; content:"procselfmemThread"; fast_pattern:only; content:"madviseThread"; content:"/proc/self/mem"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40542; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_client,established; content:"|5C|155|5C|141|5C|144|5C|166|5C|151|5C|163|5C|145|5C|50|5C|155|5C|141|5C|160|5C|54|5C|61|5C|60|5C|60|5C|54|5C|115|5C|101|5C|104|5C|126|5C|137|5C|104|5C|117|5C|116|5C|124|5C|116|5C|105|5C|105|5C|104|5C|51|5C|73|5C|12"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40566; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; content:"|44 01 C1 48 63 F1 BA 04 00 00 00 E8|"; fast_pattern; content:"|FF C5 81 FD 40 42 0F 00|"; within:16; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40565; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_client,established; file_data; content:"|44 01 C1 48 63 F1 BA 04 00 00 00 E8|"; fast_pattern; content:"|FF C5 81 FD 40 42 0F 00|"; within:16; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40564; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; content:"|8B 45 F8|"; content:"|48 8B|"; within:10; content:"|BA 04 00 00 00|"; within:10; content:"|48 89 C7 E8|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40563; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; content:"|8B 45 F8|"; content:"|48 8B|"; within:10; content:"|BA 04 00 00 00|"; within:10; content:"|48 89 C7 E8|"; within:20; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40562; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; content:"|BA 04 00 00 00|"; content:"|48 89 C7 E8|"; within:20; content:"|01 45 F8|"; within:10; content:"|83 45 FC 01|"; within:100; content:"|81 7D|"; within:200; byte_test:4,>=,0x050000,1,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40561; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; content:"|BA 04 00 00 00|"; content:"|48 89 C7 E8|"; within:20; content:"|01 45 F8|"; within:10; content:"|83 45 FC 01|"; within:100; content:"|81 7D|"; within:200; byte_test:4,>=,0x050000,1,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40560; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux net af_packet.c tpacket version race condition use after free attempt"; flow:to_server,established; file_data; content:"|41 B8 04 00 00 00 48 89 D1 BA 0A 00 00 00 BE 07 01 00 00 89 C7 E8|"; fast_pattern; byte_extract:3,1,setsockoptApproxOffset,relative; content:"|00 00 00 00|"; within:30; distance:-50; content:"|C7|"; within:1; distance:-7; content:"|02 00 00 00|"; within:100; content:"|C7|"; within:1; distance:-7; content:"|41 B8 04 00 00 00 48 89 D1 BA 0A 00 00 00 BE 07 01 00 00 89 C7 E8|"; within:50; byte_test:3,=,setsockoptApproxOffset,1,relative; metadata:service smtp; reference:cve,2016-8655; classtype:attempted-user; sid:41028; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux net af_packet.c tpacket version race condition use after free attempt"; flow:to_client,established; file_data; content:"|41 B8 04 00 00 00 48 89 D1 BA 0A 00 00 00 BE 07 01 00 00 89 C7 E8|"; fast_pattern; byte_extract:3,1,setsockoptApproxOffset,relative; content:"|00 00 00 00|"; within:30; distance:-50; content:"|C7|"; within:1; distance:-7; content:"|02 00 00 00|"; within:100; content:"|C7|"; within:1; distance:-7; content:"|41 B8 04 00 00 00 48 89 D1 BA 0A 00 00 00 BE 07 01 00 00 89 C7 E8|"; within:50; byte_test:3,=,setsockoptApproxOffset,1,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8655; classtype:attempted-user; sid:41027; rev:1;)
alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"OS-LINUX Ubuntu Apport CrashDB crash report code injection attempt"; flow:to_server,established; file_data; content:"ProblemType:"; fast_pattern:only; content:"CrashDB:"; nocase; content:"{"; within:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9949; reference:url,ubuntu.com/usn/usn-3157-1/; classtype:attempted-admin; sid:41041; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Ubuntu Apport CrashDB crash report code injection attempt"; flow:to_client,established; file_data; content:"ProblemType:"; fast_pattern:only; content:"CrashDB"; nocase; content:"{"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9949; reference:url,ubuntu.com/usn/usn-3157-1/; classtype:attempted-admin; sid:41040; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-LINUX cURL and libcurl set-cookie remote code execution attempt"; flow:to_client,established; content:"Set-Cookie|3A|"; fast_pattern:only; http_header; content:"path"; nocase; http_cookie; content:"|22|"; within:100; http_cookie; content:!"|22|"; within:100; http_cookie; pcre:"/path\s*\x3D\s*\x22(([^\x22]+?$)|(?!.))/Cmi"; metadata:service http; reference:bugtraq,74303; reference:cve,2015-3145; classtype:attempted-user; sid:41853; rev:3;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP invalid chunk length denial of service attempt"; ip_proto:132; content:"|09 00|"; depth:2; offset:12; byte_extract:2,0,length,relative; isdataat:!length; metadata:policy max-detect-ips drop; reference:cve,2016-9555; classtype:attempted-dos; sid:43692; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel sctp_rcv_ootb invalid chunk length DoS attempt"; ip_proto:132; content:"|00 00 00 00|"; depth:4; offset:4; content:"|01 00 00|"; within:3; distance:4; byte_test:1,<,20,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,38857; reference:cve,2010-0008; classtype:attempted-dos; sid:44309; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel sctp_rcv_ootb invalid chunk length DoS attempt"; ip_proto:132; content:"|00 00 00 00|"; depth:4; offset:4; content:"|01 00 00|"; within:3; distance:4; byte_jump:1,0,relative,align,post_offset -4; byte_test:2,>,1024,2,relative; metadata:policy max-detect-ips drop; reference:bugtraq,38857; reference:cve,2010-0008; classtype:attempted-dos; sid:44308; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,1,10,relative; byte_test:1,=,1,11,relative,bitmask 0x80; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46619; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x40; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46618; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x20; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46617; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x10; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46616; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x01; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46615; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x08; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46614; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,6,10,relative; byte_test:1,=,1,16,relative,bitmask 0x40; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46613; rev:1;)
# alert udp any 67 -> $HOME_NET 68 (msg:"OS-LINUX Red Hat NetworkManager DHCP client command injection attempt"; content:"|63 82 53 63 35|"; content:"|FC|"; within:50; pcre:"/([\xfc]).{0,50}([\x27])([\x20\x26\x3b\x7c]|[\x3c\x3e\x24]\x28)+/i"; metadata:policy max-detect-ips drop, ruleset community, service dhcp; reference:cve,2018-1111; reference:url,access.redhat.com/security/cve/cve-2018-1111; classtype:attempted-user; sid:46847; rev:1;)


@@ -0,0 +1,128 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# OS-MOBILE RULES
#-----------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Kindle User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"kindle"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*kindle/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25524; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Samsung User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"Samsung"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*samsung/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25523; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Nokia User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"nokia"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*nokia/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25522; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"android"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*android/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25521; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPhone User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPhone"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPhone/H"; metadata:ruleset community, service http; classtype:policy-violation; sid:25520; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPad User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPad"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPad/H"; metadata:ruleset community, service http; classtype:policy-violation; sid:25519; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPod User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPod"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPod/H"; metadata:ruleset community, service http; classtype:policy-violation; sid:25518; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Apple iOS 6.x jailbreak download attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"evasi0n-win-"; fast_pattern:only; content:"evasi0n.exe"; nocase; metadata:service smtp; reference:url,evasi0n.com/; classtype:attempted-admin; sid:25616; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 6.x jailbreak download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"evasi0n-win-"; fast_pattern:only; content:"evasi0n.exe"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,evasi0n.com/; classtype:attempted-admin; sid:25615; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 4.3.3 jailbreak for iPad download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|28 69 90 CC 10 42 88 0A D9 21 25 52 F6 DE 23 23|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,jailbreakzone.com/2011/07/02/jailbreakme-3-0-leaked-try-it-out-now/; classtype:attempted-admin; sid:19417; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 4.3.3 jailbreak for iPad download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 DA ED DD 07 5C 8E FB E3 3F FE 86 8C 86 A2 A1 41 32 22 69 A7 52 69 A2 D2 56 89 64 A5 BD 35 35|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,jailbreakzone.com/2011/07/02/jailbreakme-3-0-leaked-try-it-out-now/; classtype:attempted-admin; sid:19416; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 4.3.3 jailbreak for iPod download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 DA ED DD 07 3C 97 FB FF 3F 7E 23 0D 23 CA C8 28 69 90 64 13 21 44 85 B2 0A 91 68 C8 DE 5B 46|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,jailbreakzone.com/2011/07/02/jailbreakme-3-0-leaked-try-it-out-now/; classtype:attempted-admin; sid:19419; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 4.3.3 jailbreak for iPhone download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 DA ED DD 07 3C D7 7B FF 3F 7E 2A 29 15 1A 94 64 A5 32 B2 25 45 94 0A 89 22 85 64 25 7B CB DE|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,jailbreakzone.com/2011/07/02/jailbreakme-3-0-leaked-try-it-out-now/; classtype:attempted-admin; sid:19418; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Gmaster device information send"; flow:to_server,established; content:"uid="; nocase; http_client_body; content:"imei="; nocase; http_client_body; content:"simNum="; nocase; http_client_body; content:"telNum="; nocase; http_client_body; content:"imsi="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99&tabid=2; classtype:trojan-activity; sid:26026; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Tetus device information leakage variant"; flow:to_server, established; content:"User-Agent: Dalvik"; fast_pattern:only; http_header; content:"imei="; nocase; http_uri; content:"referrer="; nocase; http_uri; content:"pid="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/855332267ffd1fb671d916822ea2929bef8974441a34cb4d9eb9c9b60ba6481f/analysis/; classtype:trojan-activity; sid:26939; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Tetus device information leakage"; flow:to_server, established; content:"User-Agent: Dalvik"; fast_pattern:only; http_header; content:"imei="; nocase; http_uri; content:"lpn="; nocase; http_uri; content:"vd="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/855332267ffd1fb671d916822ea2929bef8974441a34cb4d9eb9c9b60ba6481f/analysis/; classtype:trojan-activity; sid:26938; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.Opfake device information disclosure attempt"; flow:to_server,established; content:"/q.php"; nocase; http_uri; content:"Apache-HttpClient/UNAVAILABLE (java 1."; fast_pattern:only; http_header; content:"log"; depth:3; nocase; http_client_body; content:"Executing"; distance:0; nocase; http_client_body; content:"sendSMS"; distance:0; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,blog.avast.com/2012/10/31/double-trouble/; classtype:trojan-activity; sid:26827; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.Opfake credential theft attempt"; flow:to_server,established; content:"/login.php"; nocase; http_uri; content:"|28|Linux|3B| U|3B| Android 2."; fast_pattern:only; http_header; content:"user_id="; nocase; http_client_body; content:"&password="; distance:0; nocase; http_client_body; content:"&submit="; distance:0; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,blog.avast.com/2012/10/31/double-trouble/; classtype:trojan-activity; sid:26826; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.ZertSecurity apk download"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|c|00|e|00|a|00|n|00|d|00|r|00|o|00|i|00|d|00|.|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|.|00|z|00|e|00|r|00|t"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,blog.lookout.com/blog/2013/05/06/zertsecurity; classtype:trojan-activity; sid:26795; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.Opfake APK file download"; flow:to_client,established; file_data; flowbits:isset,file.apk; content:"n|00|g|00|j|00|v|00|n|00|p|00|s|00|l|00|n|00|p|00|.|00|i|00|p|00|l|00|h|00|m|00|k"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/f2648dc7bc964dc7690c60575ad526ba5b23a0f09312fd7ebf4fa65a379919ca/analysis/; classtype:trojan-activity; sid:26783; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Fakedoc device information leakage"; flow:to_server, established; content:"&locale_source_term_network_sim="; fast_pattern:only; http_uri; content:"network="; nocase; http_uri; content:"&did="; nocase; http_uri; content:"&model="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/85c4f3066b76671aab7148b98766e6b904c83cd0920187ec4bbd5af8c9e9c970/analysis/; classtype:trojan-activity; sid:26768; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Fakeinst device information leakage"; flow:to_server, established; content:"User-Agent: Dalvik/"; fast_pattern:only; http_header; content:"imei="; nocase; http_uri; content:"imsi="; nocase; http_uri; content:"phone="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/0a77e1aac4720037e2946edf84d957616e564bd525e444cf3994f5ae4b9374ab/analysis/; classtype:trojan-activity; sid:26760; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Ewalls device information exfiltration"; flow:to_server, established; content:"uniquely_code="; fast_pattern:only; http_client_body; content:"imsi_mcc"; nocase; http_client_body; content:"build_model"; nocase; http_client_body; content:"line1_number"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/1318b052ac129baf53b004e2e4a7002f4bf8654c1dd9381c4cbf7a535b5c5106/analysis/; classtype:trojan-activity; sid:26705; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Antammi device information exfiltration"; flow:to_server,established; content:"network_mcc"; fast_pattern:only; http_client_body; content:"imsi="; nocase; http_client_body; content:"phone_number="; nocase; http_client_body; content:"sim_id="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/10e2d89226c48d0d9fc08168cc5e508cd9afc6d08c262e70f02b7de607ef548a/analysis/; classtype:trojan-activity; sid:26693; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Denofow phone information exfiltration"; flow:to_server,established; content:"SOAPAction: "; fast_pattern:only; http_header; content:"</opname>"; nocase; http_client_body; content:"</cell>"; nocase; http_client_body; content:"</openmic>"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/fc0417fd719f457f172a5c3fbb8fc155a04f2376b2ca4155395e01a028908038/analysis/; classtype:trojan-activity; sid:26689; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 30125 (msg:"OS-MOBILE Android MDK encrypted information leak"; flow:to_server,established; content:"Host: app.looking3g.com"; nocase; content:"/serv?"; nocase; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,androidmalwaredump.blogspot.com/2013/01/androidtrojmdk-aka-androidksapp.html; classtype:trojan-activity; sid:26443; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android MDK encrypted information leak"; flow:to_server,established; content:"Host: wap.juliu.net"; nocase; http_header; content:"/control.html?"; nocase; http_uri; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,androidmalwaredump.blogspot.com/2013/01/androidtrojmdk-aka-androidksapp.html; classtype:trojan-activity; sid:26442; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Stels server response"; flow:to_client,established; file_data; content:"{|22|removeAllSmsFilters|22|:"; fast_pattern:only; content:",|22|wait|22|:"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/03c1b44c94c86c3137862c20f9f745e0f89ce2cdb778dc6466a06a65b7a591ae/analysis/; classtype:trojan-activity; sid:26388; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Stels initial server contact"; flow:to_server,established; content:"--AaB03x"; nocase; http_client_body; content:"Content-Disposition"; fast_pattern:only; http_client_body; content:"botId"; nocase; http_client_body; content:"imsi"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/03c1b44c94c86c3137862c20f9f745e0f89ce2cdb778dc6466a06a65b7a591ae/analysis/; classtype:trojan-activity; sid:26387; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"OS-MOBILE Android Ksapp device registration"; flow:to_server,established; content:"/kspp/do?imei="; fast_pattern:only; http_uri; content:"&wid="; nocase; http_uri; content:"&type=&step=0"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99; classtype:trojan-activity; sid:26291; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.RootSmart outbound communication attempt"; flow:to_server,established; content:"c:root="; fast_pattern:only; http_client_body; content:"/androidService/services/AndroidService"; http_client_body; content:"IMEI"; distance:0; http_client_body; content:"&amp|3B|IMSI"; within:9; distance:16; http_client_body; content:"&amp|3B|TYPE_TEL"; within:18; distance:16; http_client_body; content:"INSTALL_TYPE"; distance:0; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/8cb40e8dce05482907ff83b39911831daf20e4a69ee63a6cff523c880eed1acf/analysis/; classtype:trojan-activity; sid:26290; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ANDR.Trojan.Chuli APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"h|00|t|00|t|00|p|00|:|00|/|00|/|00|6|00|4|00 2E 00|7|00|8|00 2E 00|1|00|6|00|1|00 2E 00|1|00|3|00|3"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:26273; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.Chuli APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"h|00|t|00|t|00|p|00|:|00|/|00|/|00|6|00|4|00 2E 00|7|00|8|00 2E 00|1|00|6|00|1|00 2E 00|1|00|3|00|3"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:26272; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR-WIN.MSIL variant PC-USB Malicious executable file download"; flow:to_server,established; pcre:"/\x2f[^\x26\x2f\x3f]+?\x2e(exe|zip)$/iU"; content:"Host|3A| claco."; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.securelist.com/en/blog/805/Mobile_attacks; classtype:trojan-activity; sid:26257; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ANDR.Trojan.PremiumSMS APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|z|00|w|00|x|00|.|00|f|00|l|00|y|00|a|00|p|00|p"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,blog.trustgo.com/trojanextension-a-complex-malware-escapes-av-detection/; classtype:trojan-activity; sid:26247; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.PremiumSMS APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|z|00|w|00|x|00|.|00|f|00|l|00|y|00|a|00|p|00|p"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,blog.trustgo.com/trojanextension-a-complex-malware-escapes-av-detection/; classtype:trojan-activity; sid:26246; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Fakenetflix email password upload"; flow:to_server,established; content:"Host|3A| erofolio.no-ip.biz"; fast_pattern:only; http_header; content:"email="; nocase; http_client_body; content:"&pass="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99&tabid=2; classtype:trojan-activity; sid:26205; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android CruseWind imei leakage"; flow:to_server,established; content:"/flash/test.xml?imei="; fast_pattern:only; http_uri; content:"&time="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99&tabid=2; classtype:trojan-activity; sid:26192; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android YZHC device registration"; flow:to_server,established; content:"action=domregbycode&"; fast_pattern:only; http_uri; content:"channe="; http_uri; content:"imsi="; http_uri; content:"code="; http_uri; metadata:impact_flag red, service http; reference:url,www.csc.ncsu.edu/faculty/jiang/YZHCSMS/; classtype:trojan-activity; sid:26190; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9888 (msg:"OS-MOBILE Android YZHC device registration"; flow:to_server,established; content:"networklocale="; fast_pattern:only; content:"networkname="; content:"networkcode="; content:"register?imei="; metadata:impact_flag red, service http; reference:url,www.csc.ncsu.edu/faculty/jiang/YZHCSMS/; classtype:trojan-activity; sid:26189; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Zitmo trojan intercepted sms upload"; flow:to_server,established; content:"/security.jsp"; nocase; http_uri; content:"f0="; nocase; http_client_body; content:"&b0="; nocase; http_client_body; content:"&pid="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:26114; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android KMin imei imsi leakage"; flow:to_server,established; content:"/portal/m/c"; nocase; http_uri; content:".ashx?"; nocase; http_uri; content:"&nt2="; nocase; http_uri; content:"&tp=2"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2; classtype:trojan-activity; sid:26104; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android GoldDream device registration"; flow:to_server,established; content:"/zj/RegistUid.aspx?pid="; nocase; http_uri; content:"&imsi="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.cs.ncsu.edu/faculty/jiang/GoldDream/; classtype:trojan-activity; sid:26102; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android GoneIn60Seconds data upload"; flow:to_server,established; content:"data="; nocase; http_client_body; content:"contacts%22%3a"; nocase; http_client_body; content:"sms%22%3a"; nocase; http_client_body; content:"recent%22%3a"; nocase; http_client_body; content:"url%22%3a"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2; classtype:trojan-activity; sid:26087; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android GGTracker installation call out"; flow:to_server,established; content:"/SM"; nocase; http_uri; content:"|3F|device_id="; nocase; http_uri; content:"|26|adv_sub="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26018; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android GGTracker leak of device phone number"; flow:to_server,established; content:"notif.php?phone="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26017; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android GGTracker server communication"; flow:to_server,established; content:"number="; nocase; http_client_body; content:"carrier="; nocase; http_client_body; content:"message="; nocase; http_client_body; content:"sdk="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26016; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Lovetrap initial connection"; flow:to_server,established; content:"positionrecorder.asmx"; nocase; http_uri; content:"imsi="; nocase; http_uri; content:"appid="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:26015; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ADRD encrypted information leak"; flow:to_server,established; content:".aspx?im="; nocase; http_uri; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; fast_pattern:only; http_header; content:"Accept-Language: zh-CN, en-US"; nocase; http_header; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:25999; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ADRD encrypted information leak"; flow:to_server,established; content:".aspx?im="; nocase; http_uri; content:"User-Agent: J2ME/UCWEB7.4.0.57"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:25998; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android jSMSHider initial encrypted device info send"; flow:to_server,established; content:"svs="; nocase; http_client_body; content:"sid="; nocase; http_client_body; content:"ssd="; nocase; http_client_body; content:"sta="; nocase; http_client_body; content:"sac="; nocase; http_client_body; content:"sci="; nocase; http_client_body; content:"sch="; nocase; http_client_body; content:"stp="; nocase; http_client_body; content:"svr="; nocase; http_client_body; content:"sig="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,blog.lookout.com/blog/2011/06/15/security-alert-malware-found-targeting-custom-roms-jsmshider/; classtype:trojan-activity; sid:25997; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android.Trojan.Rus.SMS outbound communication attempt"; flow:established,to_server; content:"imei="; depth:5; http_client_body; content:"&time="; within:6; distance:15; http_client_body; content:"&os="; distance:0; http_client_body; content:"&imsi="; distance:0; http_client_body; content:"&v="; within:3; distance:15; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/664725869278f478e5a50a5e359dc6d5cf4f2a7019d0c122e2fa1e318f19636b/analysis/; classtype:trojan-activity; sid:25868; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android AngryBirdsRioUnlocker initial device info send"; flow:to_server,established; content:"|22|userId|22 3A 22|NOT IN USE!!!|22|"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.geek.com/articles/mobile/google-removes-malicious-angry-birds-apps-from-android-market-20110614/; classtype:trojan-activity; sid:25864; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.SMSsend variant outbound connection"; flow:established,to_server; content:"/rq.php"; http_uri; content:"Apache-HttpClient/UNAVAILABLE (java 1."; fast_pattern:only; http_header; content:"name="; depth:5; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/2076cb718edae12fa641a6b28cc53aee8d9d495518836bcc24e8e8bd1172f892/analysis/; classtype:trojan-activity; sid:25512; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&m="; distance:0; nocase; http_uri; content:"&p="; distance:0; nocase; http_uri; content:"&n="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:24251; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android SMSZombie APK file download"; flow:to_client,established; file_data; content:"assets/a33.jpg"; fast_pattern:only; flowbits:set,file.smszombie; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,blog.trustgo.com/SMSZombie/; classtype:trojan-activity; sid:23969; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android SMSZombie APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; flowbits:isset,file.smszombie; file_data; content:"b|00|a|00|o|00|x|00|i|00|a|00|n|00|_|00|z|00|h|00|u|00|s|00|h|00|o|00|u"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,blog.trustgo.com/SMSZombie/; classtype:trojan-activity; sid:23954; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Zitmo trojan command and control channel traffic"; flow:to_server,established; content:"/update/biwdr.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.securelist.com/en/blog/208193604/Android_Security_Suite_Premium_New_ZitMo; classtype:trojan-activity; sid:23173; rev:5;)
# alert tcp $EXTERNAL_NET 2018 -> $HOME_NET any (msg:"OS-MOBILE Android/Nickispy.D sms logging response detection"; flow:to_client,established; content:"|00 00 00 27 00 80 00 05 80|"; depth:9; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/57f771d7809aa35599f81de9ea0120d3/detection; classtype:trojan-activity; sid:21598; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 2018 (msg:"OS-MOBILE Android/Nickispy.D sms logging request detection"; flow:to_server,established; content:"|00 00 00 05 80|"; depth:5; offset:4; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/57f771d7809aa35599f81de9ea0120d3/detection; classtype:trojan-activity; sid:21597; rev:5;)
# alert tcp $EXTERNAL_NET 2018 -> $HOME_NET any (msg:"OS-MOBILE Android/Nickispy.D initialization response detection"; flow:to_client,established; content:"|00 00 00 27 00 80 00 09 80|"; depth:9; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/57f771d7809aa35599f81de9ea0120d3/detection; classtype:trojan-activity; sid:21596; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 2018 (msg:"OS-MOBILE Android/Nickispy.D initialization request detection"; flow:to_server,established; content:"|00 00 00 27 00 00 00 09 80|"; depth:9; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/57f771d7809aa35599f81de9ea0120d3/detection; classtype:trojan-activity; sid:21595; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence device information disclosure attempt"; flow:to_server,established; content:"/Android_SMS/installing.php"; nocase; http_uri; content:"|28|Linux|3B| U|3B| Android 2."; fast_pattern:only; http_header; content:"Content-Length: 18"; nocase; http_header; content:"mobile="; depth:7; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27099; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence unsolicited sms attempt"; flow:to_server,established; content:"/Android_SMS/receiving.php"; nocase; http_uri; content:"|28|Linux|3B| U|3B| Android 2."; fast_pattern:only; http_header; content:"mobile="; depth:7; nocase; http_client_body; content:"&revsms="; within:8; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27098; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence APK file download attempt"; flow:to_client,established; file_data; flowbits:isset,file.apk; content:"c|00|o|00|m|00|.|00|v|00|e|00|r|00|t|00|u|00|."; fast_pattern:only; content:"dat.dat"; nocase; content:"dat0.dat"; within:200; nocase; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27097; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.FakeToken APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"OriginalDocumentID=|22|uuid:053FFFFBB1EEE0119F83A87C5C1D6A29"; fast_pattern:only; content:"xmp.iid:601E7F76F132E1118DA2D9C4A1B3D877"; nocase; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79/analysis/; classtype:trojan-activity; sid:27095; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.FakeToken information disclosure attempt"; flow:to_server,established; content:"/cp/server.php"; nocase; http_uri; content:"|28|Linux|3B| U|3B| Android 2."; fast_pattern:only; http_header; content:"imei"; nocase; http_client_body; content:"sid_1"; distance:0; nocase; http_client_body; content:"smsResults"; distance:0; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79/analysis/; classtype:trojan-activity; sid:27094; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 7766 (msg:"OS-MOBILE Android Spy2Mobile device information leakage"; flow:to_server, established; content:"|22|protocol_ver|22|:"; fast_pattern:only; content:"|22|imei|22|:"; nocase; content:"|22|version|22|:"; nocase; content:"|22|packet|22|:"; nocase; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/35f87a74a89a6ef69a68e8387671a36e26afd2df68136feac4be6c381d049005/analysis/; classtype:trojan-activity; sid:27064; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Vidro / EClips device information leakage"; flow:to_server, established; content:"|22|messagingqueue_size|22|"; fast_pattern:only; http_client_body; content:"|22|sim_msisdn|22|"; nocase; http_client_body; content:"|22|device_imei|22|"; nocase; http_client_body; content:"|22|sim_imsi|22|"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/67e5c171463284894e4521fe9d255bd29e16ed4936d972392d180e207f05daba/analysis/; classtype:trojan-activity; sid:27038; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Vidro / EClips sms send instructions"; flow:to_client, established; file_data; content:"|22|messaging_update_interval|22|"; fast_pattern:only; content:"|22|short_code|22|"; nocase; content:"|22|send_sms|22|"; nocase; content:"|22|messaging_intents|22|"; nocase; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/67e5c171463284894e4521fe9d255bd29e16ed4936d972392d180e207f05daba/analysis/; classtype:trojan-activity; sid:27037; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Walkinwat / Wandt information leakage generic"; flow:to_server, established; content:"SECOND_TABLE="; fast_pattern:only; http_client_body; content:"imei="; nocase; http_client_body; content:"phone"; nocase; http_client_body; content:"wat.php"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/c6eb43f2b7071bbfe893fc78419286c3cb7c83ce56517bd281db5e7478caf995/analysis/; classtype:trojan-activity; sid:27032; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Satfi device information leakage"; flow:to_server, established; content:"confabcode="; http_uri; content:"msisdn="; distance:0; nocase; http_uri; content:"imsi="; distance:0; nocase; http_uri; content:"operator="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/C149AC741A3A1336193D355A7F59A4911D9B6FC8F88307F8EC86C85C10C9059A/analysis/; classtype:trojan-activity; sid:27031; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android AnserverBot initial contact"; flow:to_server,established; content:"/jk.action?a="; fast_pattern:only; http_uri; content:"&key="; nocase; http_uri; content:"&g1="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.csc.ncsu.edu/faculty/jiang/AnserverBot/; classtype:trojan-activity; sid:27016; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OS-MOBILE Android Androrat contact list leakage"; flow:to_server, established; content:"sr|00 13|java.util.Arraylist"; fast_pattern:only; content:"sr|00 0D|utils.Contact"; content:"times_contacted"; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27118; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OS-MOBILE Android Androrat sms message leakage"; flow:to_server, established; content:"sr|00 13|java.util.Arraylist"; fast_pattern:only; content:"sr|00 10|Packet.SMSPacket"; content:"person"; content:"thread_id"; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27117; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OS-MOBILE Android Androrat device information leakage"; flow:to_server, established; content:"sr|00 13|java.util.Hashtable"; fast_pattern:only; content:"PhoneNumber"; content:"SimOperator"; content:"IMEI"; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27116; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Exploit Extra_Field APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"PK|03 04|"; content:"|00 00|"; within:2; distance:4; byte_test:2, >, 0x7FFF, 18, relative, little; content:"classes.dex"; within:11; distance:20; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:27552; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"OS-MOBILE Android SMSAgent.C outbound SMTP communication"; flow:to_server,established; content:"18765435554=E5=AE=89=E8=A3=85=E6=88=90=E5=8A=9F----18765435554=E5=AE=89=E8="; fast_pattern:only; metadata:service smtp; reference:url,www.f-secure.com/weblog/archives/00002594.html; reference:url,www.virustotal.com/en/file/fdc4983bdaaf97146caa84fe2c7ffdf8b3eb78bde8b828203a2c757e2506e865/analysis/; classtype:trojan-activity; sid:27725; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ANDR.Trojan.FakeAV APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00 00 00|e|00|x|00|a|00|m|00|p|00|l|00|e|00 00 00|a|00|n|00|d|00|r|00|o|00|i|00|d|00|d|00|e|00|f|00|e|00|n|00|d|00|e|00|r|00|2"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,www.virustotal.com/en/file/5f96e12b035ee083f11f0e121352258c2bc86132e13d95811ffc2f4d3304a74e/analysis/1380055877/; classtype:trojan-activity; sid:28057; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.FakeAV APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00 2E 00|e|00|x|00|a|00|m|00|p|00|l|00|e|00 2E 00|a|00|n|00|d|00|r|00|o|00|i|00|d|00|d|00|e|00|f|00|e|00|n|00|d|00|e|00|r|00|2"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/5f96e12b035ee083f11f0e121352258c2bc86132e13d95811ffc2f4d3304a74e/analysis/1380055877/; classtype:trojan-activity; sid:28056; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.FakeAV outbound communication attempt"; flow:to_server,established; content:"User-Agent|3A 20|android|0D 0A|"; fast_pattern; http_header; content:"Content-Type|3A| text|2F|plain|3B| charset|3D|utf-8"; http_header; content:"&affid="; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/5f96e12b035ee083f11f0e121352258c2bc86132e13d95811ffc2f4d3304a74e/analysis/1380055877/; classtype:trojan-activity; sid:28055; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android fake iMessage app download"; flow:to_client,established; flowbits:isset,file.apk; content:"HuLuWa Team"; nocase; content:"Android version of iMessage"; within:50; metadata:service http; reference:url,plus.google.com/u/0/116098411511850876544/posts/UkgaXa1oa6M; reference:url,www.engadget.com/2013/09/24/imessage-for-android-app-risk/; classtype:trojan-activity; sid:28046; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android WebKit Java reflection command execution attempt"; flow:to_client,established; file_data; content:".getClass|28 29|.forName|28|"; nocase; content:".getMethod"; within:200; content:".invoke|28|null|2C|"; within:150; metadata:service http; reference:cve,2014-0514; reference:url,blogs.avg.com/mobile-2/analyzing-android-webview-exploit/; reference:url,helpx.adobe.com/security/products/reader-mobile/apsb14-12.html; reference:url,labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/; classtype:attempted-user; sid:28043; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.SmsSpy APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"com.android|00 00 00 00 00 00 02 1C 01 04 0A 00 00 7F 00 00 00|c|00|o|00|m|00 2E 00|C|00|o|00|p|00|o|00|n"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/0F540A52242E6D97E12AD9D85E8523F9AEE788AC8566284055E91155568DA714/analysis/; classtype:trojan-activity; sid:28087; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ANDR.Trojan.SmsSpy APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"com.android|00 00 00 00 00 00 02 1C 01 04 0A 00 00 7F 00 00 00|c|00|o|00|m|00 2E 00|C|00|o|00|p|00|o|00|n"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,www.virustotal.com/en/file/0F540A52242E6D97E12AD9D85E8523F9AEE788AC8566284055E91155568DA714/analysis/; classtype:trojan-activity; sid:28086; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.Malapp APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00 2E 00|a|00|p|00|p|00 2E 00|l|00|o|00|t|00|t|00|e|00 2E 00|a|00|u|00|t|00|h"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/d95d7d2b6e3f73e83d93ec4df4afb681db93697e100011f6486fdfc44fbead34/analysis/; classtype:trojan-activity; sid:28082; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ANDR.Trojan.Malapp APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00 2E 00|a|00|p|00|p|00 2E 00|l|00|o|00|t|00|t|00|e|00 2E 00|a|00|u|00|t|00|h"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,www.virustotal.com/en/file/d95d7d2b6e3f73e83d93ec4df4afb681db93697e100011f6486fdfc44fbead34/analysis/; classtype:trojan-activity; sid:28081; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Andr.Trojan.MobileTx information disclosure attempt"; flow:to_server,established; content:"|28|Linux|3B| U|3B| Android 2."; fast_pattern:only; http_header; content:"/client/reg.do"; nocase; http_uri; content:"Content-Length|3A| 20"; nocase; http_header; content:"imsi="; depth:5; nocase; http_client_body; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/a3ffa998c7865f2bf49fd148e7b56547e24eb95c/analysis/; classtype:trojan-activity; sid:28403; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"assets/txconfig/splashimg.jsonPK"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/a3ffa998c7865f2bf49fd148e7b56547e24eb95c/analysis/; classtype:trojan-activity; sid:28402; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"assets/txconfig/splashimg.jsonPK"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/a3ffa998c7865f2bf49fd148e7b56547e24eb95c/analysis/; classtype:trojan-activity; sid:28401; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android Goodix gt915 touchscreen driver improper bounds-check privileged access attempt"; flow:to_server,established; file_data; content:"create_proc_entry|28|procname|2C| 0666|2C| NULL|29|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,63661; reference:cve,2013-4740; reference:cve,2013-6122; reference:url,www.codeaurora.org/projects/security-advisories/multiple-memory-corruption-issues-and-race-condition-goodix-gt915-touchscreen-driver-procfs-handler; classtype:attempted-user; sid:29438; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Goodix gt915 touchscreen driver improper bounds-check privileged access attempt"; flow:to_client,established; file_data; content:"create_proc_entry|28|procname|2C| 0666|2C| NULL|29|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,63661; reference:cve,2013-4740; reference:cve,2013-6122; reference:url,www.codeaurora.org/projects/security-advisories/multiple-memory-corruption-issues-and-race-condition-goodix-gt915-touchscreen-driver-procfs-handler; classtype:attempted-user; sid:29437; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android signature validation bypass APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"PK|03 04|"; byte_test:2,>,0x500,22,relative,little; metadata:impact_flag red, service smtp; reference:bugtraq,64529; reference:cve,2013-6792; reference:url,android.googlesource.com/platform/libcore/+/2da1bf57a6631f1cbd47cdd7692ba8743c993ad9%5E!; classtype:trojan-activity; sid:29419; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android signature validation bypass APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"PK|03 04|"; byte_test:2,>,0x500,22,relative,little; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64529; reference:cve,2013-6792; reference:url,android.googlesource.com/platform/libcore/+/2da1bf57a6631f1cbd47cdd7692ba8743c993ad9%5E!; classtype:trojan-activity; sid:29418; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Andr.Trojan.Waller information disclosure attempt"; flow:to_server,established; content:"/farm.php?imei="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8ea8ce79404dc6ba06fae16add7bc7859f23c70dbea601cad178dd4180e83299/analysis/; classtype:trojan-activity; sid:30880; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Apple iOS 8.x jailbreak download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Pangu_Main_Frame"; fast_pattern:only; content:"sys.page.jbreak"; nocase; content:"iOS 8.x"; nocase; metadata:service smtp; reference:url,pangu.io/; classtype:attempted-admin; sid:32275; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 8.x jailbreak download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Pangu_Main_Frame"; fast_pattern:only; content:"sys.page.jbreak"; nocase; content:"iOS 8.x"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,pangu.io/; classtype:attempted-admin; sid:32274; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ObjectInputStream privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"|93 68 3F 0F FA 59 D0 0B C0 97 81 C7 81 A5 98 E7 29 D0 B7 80 77 81 5F 03 3A 6C 79 10 C3 7E 20 08 D4 00 38 16|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,71176; reference:cve,2014-7911; classtype:attempted-user; sid:32975; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ObjectInputStream privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"|93 68 3F 0F FA 59 D0 0B C0 97 81 C7 81 A5 98 E7 29 D0 B7 80 77 81 5F 03 3A 6C 79 10 C3 7E 20 08 D4 00 38 16|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,71176; reference:cve,2014-7911; classtype:attempted-user; sid:32974; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Fakeinst device information leakage"; flow:to_server, established; content:"Apache-HttpClient/UNAVAILABLE (java 1.4)|0D 0A|"; fast_pattern:only; http_header; content:"imei="; nocase; http_client_body; content:"imsi="; nocase; http_client_body; content:"msisdn="; nocase; http_client_body; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:url,www.virustotal.com/en/file/0a77e1aac4720037e2946edf84d957616e564bd525e444cf3994f5ae4b9374ab/analysis/; classtype:trojan-activity; sid:26761; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"OS-MOBILE iOS lockdownd plist object buffer overflow attempt"; flow:to_server, established; file_data; content:"|C7 04 24 D4 74 0E 33 E8 16 FB FF FF 89 45 D4 8B 45 D4 01 45 DC 8B 45 DC 89 44 24 04 C7 04 24 43 43 43 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-admin; sid:35091; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE iOS lockdownd plist object buffer overflow attempt"; flow:to_client, established; file_data; content:"|C7 04 24 D4 74 0E 33 E8 16 FB FF FF 89 45 D4 8B 45 D4 01 45 DC 8B 45 DC 89 44 24 04 C7 04 24 43 43 43 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-admin; sid:35090; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android Stagefright MP4 buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"covr"; byte_test:4,<,16,-8,relative; metadata:service smtp; reference:cve,2015-1538; reference:cve,2015-1539; reference:cve,2015-3824; reference:cve,2015-3826; reference:cve,2015-3827; reference:cve,2015-3828; reference:cve,2015-3829; classtype:attempted-admin; sid:35435; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Stagefright MP4 buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"covr"; byte_test:4,<,16,-8,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1538; reference:cve,2015-1539; reference:cve,2015-3824; reference:cve,2015-3826; reference:cve,2015-3827; reference:cve,2015-3828; reference:cve,2015-3829; classtype:attempted-admin; sid:35434; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android WebKit Java reflection command execution attempt"; flow:to_client,established; file_data; content:"|38 A6 DA 62 78 91 83 45 A1 C1 C1 42 7F 1F D1 3B 85 FA AF 9B BF 50 A6 DE CE D3 93 CC B9 9E 41 FC|"; fast_pattern:only; metadata:service http; reference:cve,2014-0514; reference:url,blogs.avg.com/mobile-2/analyzing-android-webview-exploit/; reference:url,helpx.adobe.com/security/products/reader-mobile/apsb14-12.html; reference:url,labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/; classtype:attempted-user; sid:36362; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android WebKit Java reflection command execution attempt"; flow:to_server,established; file_data; content:"|38 A6 DA 62 78 91 83 45 A1 C1 C1 42 7F 1F D1 3B 85 FA AF 9B BF 50 A6 DE CE D3 93 CC B9 9E 41 FC|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-0514; reference:url,blogs.avg.com/mobile-2/analyzing-android-webview-exploit/; reference:url,helpx.adobe.com/security/products/reader-mobile/apsb14-12.html; reference:url,labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/; classtype:attempted-user; sid:36361; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android WebKit Java reflection command execution attempt"; flow:to_server,established; file_data; content:".getClass|28 29|.forName|28|"; nocase; content:".getMethod"; within:200; content:".invoke|28|null|2C|"; within:150; metadata:service smtp; reference:cve,2014-0514; reference:url,blogs.avg.com/mobile-2/analyzing-android-webview-exploit/; reference:url,helpx.adobe.com/security/products/reader-mobile/apsb14-12.html; reference:url,labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/; classtype:attempted-user; sid:36360; rev:1;)


@@ -0,0 +1,89 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------
# OS-OTHER RULES
#----------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1211,1210] (msg:"OS-OTHER CoDeSys Gateway Server Denial of Service attempt detected"; flow:established,to_server; content:"|DD DD|"; depth:2; byte_test:4,>=,4127195136,12,relative,little; metadata:policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4707; classtype:attempted-dos; sid:29604; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER DLink IP camera remote command execution vulnerability - access to vulnerable rtpd.cgi"; flow:to_server,established; content:"/cgi-bin/rtpd.cgi?"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-1599; reference:url,seclists.org/fulldisclosure/2013/Apr/253; classtype:attempted-admin; sid:26559; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-OTHER Nintendo User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"nintendo"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*nintendo/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25525; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"OS-OTHER Cisco Nexus OS software command injection attempt"; flow:established,to_server; content:"sec"; fast_pattern:only; content:"sh"; nocase; content:"|7C|"; within:75; content:"sec"; within:75; content:"|7C|"; within:75; pcre:"/sh(o|ow)?[^\x7c]*\x7c\s*sec(t?i?o?n?)?[^\x7c]*\x7c[^\r\n\x00]*([$`{}<>()\x3b]|\x2f?(bin|etc|flash|usr|lib|sys|\x2f?(ba)?sh|boot|config|rc|config))/i"; metadata:service telnet; reference:cve,2011-2569; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=24458; classtype:attempted-admin; sid:25020; rev:2;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-OTHER Cisco NHRP incorrect packet size"; ip_proto:54; content:"|FF FF|"; depth:2; offset:10; reference:bugtraq,25238; reference:cve,2007-4286; classtype:attempted-user; sid:12300; rev:4;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-OTHER Cisco NHRP incorrect packet size"; ip_proto:47; content:" |01|"; depth:2; offset:2; content:"|FF FF|"; depth:2; offset:14; reference:bugtraq,25238; reference:cve,2007-4286; classtype:attempted-user; sid:12299; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-OTHER Cisco IOS HTTP configuration attempt"; flow:to_server,established; content:"/level/"; http_uri; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/iU"; metadata:ruleset community, service http; reference:bugtraq,2936; reference:cve,2001-0537; reference:nessus,10700; classtype:web-application-attack; sid:1250; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-OTHER x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:266; rev:15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31978; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31976; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"%3D%28%29+%7B"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31975; rev:5;)
alert udp $HOME_NET 67 -> $HOME_NET 68 (msg:"OS-OTHER Malicious DHCP server bash environment variable injection attempt"; flow:stateless; content:"() {"; fast_pattern:only; content:"|02 01 06 00|"; depth:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31985; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"RCPT"; nocase; content:"TO|3A|"; distance:0; nocase; pcre:"/^\s*?RCPT\s+?TO\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32039; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"MAIL"; nocase; content:"FROM|3A|"; distance:0; nocase; pcre:"/^\s*?MAIL\s+?FROM\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32038; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"USER "; depth:5; content:"() {"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32043; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash CGI nested loops word_lineno denial of service attempt"; flow:to_server,established; file_data; content:"for"; nocase; content:"in {"; within:10; content:"|7C| bash |7C 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-7187; reference:url,shellshocker.net/; classtype:attempted-dos; sid:32049; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Bash CGI nested loops word_lineno denial of service attempt"; flow:to_client,established; file_data; content:"for"; nocase; content:"in {"; within:10; content:"|7C| bash |7C 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-7187; reference:url,shellshocker.net/; classtype:attempted-dos; sid:32047; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Bash redir_stack here document handling denial of service attempt"; flow:to_client, established; file_data; content:"printf '<<EOF %.0s' {1.."; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-7186; reference:url,github.com/hannob/bashcheck/blob/master/bashcheck; classtype:attempted-dos; sid:32046; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Bash redir_stack here document handling denial of service attempt"; flow:to_client, established; file_data; content:"<<EOF <<EOF <<EOF <<EOF <<EOF <<EOF"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-7186; reference:url,github.com/mubix/shellshocker-pocs; classtype:attempted-dos; sid:32045; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"PASS "; depth:5; content:"() {"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32069; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"() {"; http_cookie; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32336; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:" () {"; depth:50; urilen:>0,norm; content:!"HTTP/"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32335; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; content:"}"; within:25; pcre:"/^[\w\x2d\x5f]+?\x3a\s*?\x28\x29\s\x7b/mi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32366; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_server,established; file_data; content:"|C7 44 24 08 01 00 00 00 C7 44 24 04 07 00 00 00 C7 04 24 F0 03 00 00 E8 90 FE FF FF C7 44 24 04 F4 03 00 00 C7 04 24 80 00 00 00 E8 A9 FF FF FF|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34488; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_client,established; file_data; content:"|C7 44 24 08 01 00 00 00 C7 44 24 04 07 00 00 00 C7 04 24 F0 03 00 00 E8 90 FE FF FF C7 44 24 04 F4 03 00 00 C7 04 24 80 00 00 00 E8 A9 FF FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34487; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_server,established; file_data; content:"|C7 04 24 03 00 00 00 E8 C0 FE FF FF C7 44 24 04 F5 03 00 00 C7 04 24 0A 00 00 00 E8 B9 FF FF FF C7 44 24 1C 00 00 00 00 EB 19 C7 44 24 04 F5 03|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34486; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_client,established; file_data; content:"|C7 04 24 03 00 00 00 E8 C0 FE FF FF C7 44 24 04 F5 03 00 00 C7 04 24 0A 00 00 00 E8 B9 FF FF FF C7 44 24 1C 00 00 00 00 EB 19 C7 44 24 04 F5 03|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34485; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_server,established; file_data; content:"|BA 01 00 00 00 BE 07 00 00 00 BF F0 03 00 00 E8 C1 FE FF FF BE F4 03 00 00 BF 80 00 00 00 E8 BF FF FF FF BE F5 03 00 00 BF 0A 00 00 00 E8 B0 FF|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34484; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_client,established; file_data; content:"|BA 01 00 00 00 BE 07 00 00 00 BF F0 03 00 00 E8 C1 FE FF FF BE F4 03 00 00 BF 80 00 00 00 E8 BF FF FF FF BE F5 03 00 00 BF 0A 00 00 00 E8 B0 FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34483; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_server,established; file_data; content:"|BF 03 00 00 00 E8 B7 FE FF FF BE F5 03 00 00 BF 0A 00 00 00 E8 C5 FF FF FF C7 45 FC 00 00 00 00 EB 13 BE F5 03 00 00 BF 42 00 00 00 E8 AD FF FF|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34482; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER QEMU floppy disk controller buffer overflow attempt"; flow:to_client,established; file_data; content:"|BF 03 00 00 00 E8 B7 FE FF FF BE F5 03 00 00 BF 0A 00 00 00 E8 C5 FF FF FF C7 45 FC 00 00 00 00 EB 13 BE F5 03 00 00 BF 42 00 00 00 E8 AD FF FF|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,74640; reference:cve,2015-3456; classtype:attempted-admin; sid:34481; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"OS-OTHER Cisco Nexus OS software command injection attempt"; flow:established,to_server; content:"less"; fast_pattern:only; content:"sh"; nocase; content:"|7C|"; within:75; content:"less"; within:75; content:"|7C|"; within:75; pcre:"/sh(o|ow)?[^\x7c]*\x7c\s*less?[^\x7c]*\x7c[^\r\n\x00]*([$`{}<>()\x3b]|\x2f?(bin|etc|flash|usr|lib|sys|\x2f?(ba)?sh|boot|config|rc|config))/i"; metadata:policy max-detect-ips drop, service telnet; reference:cve,2011-2569; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=24458; classtype:attempted-admin; sid:25019; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt"; flow:to_server,established; file_data; content:"DYLD_PRINT_TO_FILE="; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.rapid7.com/db/modules/exploit/osx/local/dyld_print_to_file_root; reference:url,www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html; classtype:attempted-admin; sid:35736; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER OS X DYLD_PRINT_TO_FILE privilege escalation attempt"; flow:to_client,established; file_data; content:"DYLD_PRINT_TO_FILE="; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.rapid7.com/db/modules/exploit/osx/local/dyld_print_to_file_root; reference:url,www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html; classtype:attempted-admin; sid:35735; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Joyent SmartOS add entries denial of service attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"|C7 40 18 00 04 00 00|"; content:"|48 8D 55 D0 8B 45 E8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9039; reference:cve,2016-9040; reference:url,www.talosintelligence.com/reports/TALOS-2016-0257/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0258/; classtype:attempted-dos; sid:41218; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Joyent SmartOS add entries denial of service attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|C7 40 18 00 04 00 00|"; content:"|48 8D 55 D0 8B 45 E8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9039; reference:cve,2016-9040; reference:url,www.talosintelligence.com/reports/TALOS-2016-0257/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0258/; classtype:attempted-dos; sid:41217; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Joyent SmartOS file system path buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"|C7 40 08 00 04 00 00|"; content:"|89 45 E8 48 8D 55 D0 8B 45 E8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:130; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9033; reference:cve,2016-9035; reference:url,www.talosintelligence.com/reports/TALOS-2016-0251/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0253/; classtype:attempted-admin; sid:40903; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Joyent SmartOS file system path buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|C7 40 08 00 04 00 00|"; content:"|89 45 E8 48 8D 55 D0 8B 45 E8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:130; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9033; reference:cve,2016-9035; reference:url,www.talosintelligence.com/reports/TALOS-2016-0251/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0253/; classtype:attempted-admin; sid:40902; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Joyent SmartOS file system name buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"|C7 40 18 00 04 00 00|"; content:"|89 45 D8 48 8D 55 C0 8B 45 D8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9032; reference:cve,2016-9034; reference:url,www.talosintelligence.com/reports/TALOS-2016-0250/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0252/; classtype:attempted-admin; sid:40901; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Joyent SmartOS file system name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|C7 40 18 00 04 00 00|"; content:"|89 45 D8 48 8D 55 C0 8B 45 D8 BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:75; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9032; reference:cve,2016-9034; reference:url,www.talosintelligence.com/reports/TALOS-2016-0250/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0252/; classtype:attempted-admin; sid:40900; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Joyent SmartOS ioctl integer underflow attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"|C7 45 E8 FF FF FF FF|"; content:"|89 45 FC 48 8D 55 E0 8B 45 FC BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8733; reference:cve,2016-9031; reference:url,www.talosintelligence.com/reports/TALOS-2016-0248/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0249/; classtype:attempted-admin; sid:40899; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Joyent SmartOS ioctl integer underflow attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|C7 45 E8 FF FF FF FF|"; content:"|89 45 FC 48 8D 55 E0 8B 45 FC BE 01 48 00 00 89 C7 B8 00 00 00 00|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8733; reference:cve,2016-9031; reference:url,www.talosintelligence.com/reports/TALOS-2016-0248/; reference:url,www.talosintelligence.com/reports/TALOS-2016-0249/; classtype:attempted-admin; sid:40898; rev:3;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OS-OTHER Apple OSX and iOS x509 certificate name constraints parsing use after free attempt"; flow:to_client,established; content:"|06 03 55 1D 1E 04|"; content:"|30|"; within:1; distance:1; content:"|A0|"; within:1; distance:1; content:"|30|"; within:1; distance:1; byte_test:1,>,0x84,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:cve,2017-2485; reference:url,www.talosintelligence.com/reports/TALOS-2017-0296/; classtype:attempted-admin; sid:41999; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt"; flow:to_client,established; content:"301"; fast_pattern:only; content:"301"; http_stat_code; content:"OK"; http_stat_msg; metadata:service http; reference:cve,2007-0464; classtype:denial-of-service; sid:43388; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|48 8B|"; byte_extract:4,1,array,relative; content:"|48 FF C0 48 89|"; within:10; byte_test:4,=,array,1,relative; content:"|48 83|"; within:20; byte_test:4,=,array,1,relative; content:"|E8|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45368; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|48 8B|"; byte_extract:4,1,array,relative; content:"|48 FF C0 48 89|"; within:10; byte_test:4,=,array,1,relative; content:"|48 83|"; within:20; byte_test:4,=,array,1,relative; content:"|E8|"; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45367; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|68 00 08 00 00 8D 85 F8 F7 FF FF 89 15 CC 5A 40 00 68 FF 00 00 00 50 C7 83 40 1F 00 00 01 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45366; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_client,established; file_data; content:"x = ((j % 6) - 1) & ~0xFFFF|3B| /* Set x=FFF.FF000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45365; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_client,established; file_data; content:"L2_cache_clear = (BYTE*)VirtualAlloc(0, 256 * 4096"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45364; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_client,established; file_data; content:"localJunk ^= probeTable[index|7C|0]|7C|0|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45363; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|B8 08 00 00 00 48 69 C0 E8 03 00 00 48 8D 0D 79 6F 00 00 48 8B 95 D0 0C 00 00 48 89 14 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45362; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|68 00 08 00 00 8D 85 F8 F7 FF FF 89 15 CC 5A 40 00 68 FF 00 00 00 50 C7 83 40 1F 00 00 01 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45361; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_server,established; file_data; content:"x = ((j % 6) - 1) & ~0xFFFF|3B| /* Set x=FFF.FF000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45360; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_server,established; file_data; content:"L2_cache_clear = (BYTE*)VirtualAlloc(0, 256 * 4096"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45359; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_server,established; file_data; content:"localJunk ^= probeTable[index|7C|0]|7C|0|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45358; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x86 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|B8 08 00 00 00 48 69 C0 E8 03 00 00 48 8D 0D 79 6F 00 00 48 8B 95 D0 0C 00 00 48 89 14 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45357; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Mac OS X setuid privilege esclatation exploit attempt"; flow:to_client,established; file_data; content:"/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy"; fast_pattern:only; content:"/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool"; content:"/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0345; classtype:attempted-admin; sid:45386; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Mac OS X setuid privilege esclatation exploit attempt"; flow:to_server,established; file_data; content:"/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy"; fast_pattern:only; content:"/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool"; content:"/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool"; metadata:service smtp; reference:cve,2007-0345; classtype:attempted-admin; sid:45385; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"OS-OTHER Apple macOS IOHIDeous exploit download attempt"; flow:to_server,established; file_data; flowbits:isset,file.macho64le; content:"/bin/launchctl reboot logout"; fast_pattern:only; content:"IOHIDSystem"; content:"IOHIDUserClient"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1152; classtype:attempted-user; sid:45419; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Apple macOS IOHIDeous exploit download attempt"; flow:to_client,established; file_data; flowbits:isset,file.macho64le; content:"/bin/launchctl reboot logout"; fast_pattern:only; content:"IOHIDSystem"; content:"IOHIDUserClient"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1152; classtype:attempted-user; sid:45418; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-OTHER FreeBSD sctp6_ctlinput null pointer dereference attempt"; itype:<5; content:"|60 00 00 00|"; depth:4; content:"|84|"; within:1; distance:2; byte_test:2,<,12,-3,relative; metadata:policy max-detect-ips drop; reference:cve,2016-1879; reference:url,www.freebsd.org/security/advisories/FreeBSD-SA-16:01.sctp.asc; classtype:attempted-dos; sid:46023; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt"; flow:to_server,established; flowbits:isset,file.macho64le; file_data; content:"|C7|"; content:"|05 00|"; within:10; content:"|C7|"; within:8; content:"|FF 0F 00|"; within:10; content:"|C7|"; within:8; content:"|00 00 00 80|"; within:10; content:"|31 F6|"; content:"|E8|"; within:10; content:"|83|"; within:15; content:"|FF 0F 85|"; within:10; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4243; classtype:attempted-admin; sid:46991; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt"; flow:to_client,established; flowbits:isset,file.macho64le; file_data; content:"|C7|"; content:"|05 00|"; within:10; content:"|C7|"; within:8; content:"|FF 0F 00|"; within:10; content:"|C7|"; within:8; content:"|00 00 00 80|"; within:10; content:"|31 F6|"; content:"|E8|"; within:10; content:"|83|"; within:15; content:"|FF 0F 85|"; within:10; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4243; classtype:attempted-admin; sid:46990; rev:1;)


@@ -0,0 +1,40 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# OS-SOLARIS RULES
#------------------
# alert udp $EXTERNAL_NET 513 -> $HOME_NET 513 (msg:"OS-SOLARIS Oracle Solaris in.rwhod hostname denial of service attempt"; flow:to_server; content:"|01 01 00 00|"; depth:4; isdataat:40,relative; content:!"|00|"; within:32; distance:8; reference:bugtraq,13401; reference:cve,2004-1351; classtype:attempted-dos; sid:20725; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"OS-SOLARIS Oracle Solaris username overflow authentication bypass attempt"; flow:to_server,established; content:"c c c c c c c c c"; metadata:service telnet; reference:cve,2001-0797; classtype:attempted-admin; sid:13613; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris printd arbitrary file deletion vulnerability"; flow:to_server,established; content:"|0A|U"; content:"../.."; fast_pattern:only; content:"|0A|"; reference:bugtraq,14510; reference:cve,2005-4797; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:misc-attack; sid:12080; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd unlink file attempt"; flow:to_server,established; flowbits:isset,lp.controlfile; content:"|02|"; depth:1; content:"dfA"; nocase; pcre:"/^\x02\d+ dfA/smi"; metadata:service printer; reference:bugtraq,14510; reference:cve,2005-4797; classtype:misc-attack; sid:10418; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"OS-SOLARIS Oracle Solaris login environment variable authentication bypass attempt"; flow:to_server,established; content:"|FF FA|"; rawbytes; content:"USER|01|-f"; distance:0; rawbytes; metadata:service telnet; reference:bugtraq,22512; reference:cve,2007-0882; classtype:attempted-admin; sid:10136; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris LPD overflow attempt"; flow:to_server,established; content:"|02|//////////"; depth:11; dsize:>1000; reference:bugtraq,3274; reference:cve,2001-1583; classtype:attempted-admin; sid:3527; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;)
# alert udp $EXTERNAL_NET 67 -> $HOME_NET 68 (msg:"OS-SOLARIS Oracle Solaris DHCP Client Arbitrary Code Execution attempt"; flow:to_server; content:"|63 82 53 63|"; content:"|35 01 05|"; distance:0; fast_pattern; content:"|0F|"; distance:0; content:"|20|"; within:100; metadata:policy max-detect-ips drop, service dhcp; reference:bugtraq,14687; reference:cve,2005-2870; classtype:attempted-user; sid:17433; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris printd Daemon Arbitrary File Deletion attempt"; flow:to_server,established; flowbits:isset,lp.controlfile; content:"|0A 55|"; content:"|2F|"; distance:0; metadata:policy max-detect-ips drop, service printer; reference:bugtraq,14510; reference:cve,2005-4797; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:misc-attack; sid:17353; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd control file upload attempt"; flow:to_server,established; flowbits:isset,lp.cascade; content:"|02|"; depth:1; content:"cfA"; nocase; pcre:"/^\x02\d+ cfA/smi"; flowbits:set,lp.controlfile; metadata:policy max-detect-ips drop, service printer; classtype:misc-attack; sid:4144; rev:12;)
# alert udp $EXTERNAL_NET 177 -> $HOME_NET any (msg:"OS-SOLARIS XMDCP double-free attempt"; flow:to_client; content:"|00 1C|"; depth:2; offset:17; reference:cve,2004-0368; classtype:attempted-admin; sid:37511; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"OS-SOLARIS XMDCP double-free attempt"; flow:to_server,established; content:"|00 01 00 07|"; depth:4; content:!"|00 00|"; within:2; distance:5; reference:cve,2004-0368; classtype:attempted-admin; sid:39936; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [111,32768:] (msg:"OS-SOLARIS Solaris RPC XDR overflow code execution attempt"; flow:to_server,established; content:"|80 00 04 E8|"; depth:4; content:"|00 00 00 00 00 00 00 02 00 01|"; within:10; distance:4; content:"|00 00 55 DE|"; within:4; distance:10; byte_jump:4,0,relative,post_offset 8; isdataat:288,relative; reference:cve,2017-3623; reference:url,seclists.org/dailydave/2016/q4/15; classtype:attempted-admin; sid:42226; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-SOLARIS Solaris dtappgather local privilege escalation attempt"; flow:to_server,established; file_data; content:"|68 FF 83 2A CF 8D 85 94 EB FF FF 50 8D 85 94 EB FF FF 50 E8 E1 F3 FF FF 83 C4 0C 8B 45 08 3D 01 00 00 00 0F 85 20 00 00 00 6A 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html; classtype:attempted-admin; sid:42254; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-SOLARIS Solaris dtappgather local privilege escalation attempt"; flow:to_client,established; file_data; content:"|68 FF 83 2A CF 8D 85 94 EB FF FF 50 8D 85 94 EB FF FF 50 E8 E1 F3 FF FF 83 C4 0C 8B 45 08 3D 01 00 00 00 0F 85 20 00 00 00 6A 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html; classtype:attempted-admin; sid:42253; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|63|5C|300|5C|120|5C|260|5C|33|5C|350|5C|41|5C|0|5C|0|5C|0|5C|350|5C|0|5C|0|5C|0|5C|0|5C|137|5C|213|5C|307|5C|5|5C|44|5C|0|5C|0|5C|0|5C|120|5C|203|5C|307|5C|157|5C|127|5C|63|5C|300|5C|260|5C|13|5C|350|5C|6|5C|0|5C|0|5C|0|5C|63|5C|300|5C|120|5C|120|5C|260|5C|1|5C|232|5C|0|5C|0|5C|0|5C|0|5C|47|5C|0|5C|303"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42283; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|63|5C|300|5C|353|5C|6|5C|137|5C|210|5C|107|5C|6|5C|353|5C|55|5C|350|5C|365|5C|377|5C|377|5C|377|5C|232|5C|172|5C|121|5C|114|5C|37|5C|47|5C|5|5C|303|5C|63|5C|322|5C|130|5C|215|5C|170|5C|24|5C|122|5C|127|5C|120|5C|253|5C|222|5C|253|5C|210|5C|102|5C|10|5C|260|5C|73|5C|350|5C|342|5C|377|5C|377|5C|377|5C|63|5C|300|5C|120|5C|260|5C|1|5C|350|5C|330|5C|377|5C|377|5C|377|5C|350|5C|333|5C|377|5C|377|5C|377|5C|57|5C|142|5C|151|5C|156|5C|57|5C|153|5C|163|5C|150|5C|"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42282; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|100|5C|0|5C|0|5C|2|5C|220|5C|20|5C|0|5C|0|5C|202|5C|20|5C|40|5C|33|5C|221|5C|320|5C|40|5C|10|5C|220|5C|3|5C|340|5C|176|5C|222|5C|3|5C|340|5C|54|5C|202|5C|20|5C|40|5C|13|5C|221|5C|320|5C|40|5C|10|5C|220|5C|20|5C|0|5C|0|5C|202|5C|20|5C|40|5C|1|5C|221|5C|320|5C|40|5C|10|5C|0|5C|2"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42281; rev:1;)

1366
docker/etc/rules/os-windows.rules Archivo normal



@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# OTHER-IDS RULES
#-----------------

21
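--- a/docker/etc/rules/p2p.rules
+++ b/docker/etc/rules/p2p.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#-----------
+# P2P RULES
+#-----------
+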

@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# PHISHING-SPAM RULES
#---------------------


@@ -0,0 +1,28 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------------
# POLICY-MULTIMEDIA RULES
#-------------------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Apple Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; fast_pattern:only; metadata:ruleset community, service http; classtype:policy-violation; sid:1436; rev:12;)
# alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"POLICY-MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:1428; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Youtube video player file request"; flow:to_server,established; content:"/get_video?video_id"; fast_pattern; nocase; http_uri; content:"youtube.com"; nocase; metadata:service http; classtype:policy-violation; sid:12436; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-scpls"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1439; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-mpegurl"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1440; rev:17;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Google video player request"; flow:to_server,established; content:"/googleplayer.swf"; nocase; http_uri; metadata:service http; classtype:policy-violation; sid:12437; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY-MULTIMEDIA vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; metadata:ruleset community; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:7;)


@@ -0,0 +1,344 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# POLICY-OTHER RULES
#--------------------
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Shockwave Flash file using doswf packer"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"doswf"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:policy-violation; sid:37929; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Shockwave Flash suspicious flash file using URLDownloadToFileA"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"URLDownloadToFileA"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:policy-violation; sid:37928; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Shockwave Flash file using doswf packer"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"doswf"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0569; reference:url,www.adobe.com/support/security/bulletins/apsb14-22.html; classtype:policy-violation; sid:37923; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Shockwave Flash suspicious flash file using URLDownloadToFileA"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ByteArray"; content:"URLDownloadToFileA"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:37922; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER Microsoft Windows SMB potential group policy fallback exploit attempt"; flow:to_server,established,no_stream; content:"|FF|SMB"; depth:4; offset:4; content:"|5C 00|g|00|p|00|t|00|T|00|m|00|p|00|l|00|.|00|i|00|n|00|f|00 00|"; fast_pattern:only; detection_filter:track by_src,count 5,seconds 2; metadata:service netbios-ssn; reference:cve,2015-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-014; classtype:policy-violation; sid:33429; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server RDP attempt"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1447; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server request attempt"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1448; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; metadata:ruleset community; reference:cve,2001-0663; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:attempted-dos; sid:2418; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Seagate BlackArmor administrator password reset attempt"; flow:to_server,established; content:"/d41d8cd98f00b204e9800998ecf8427e.php"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; reference:cve,2012-2568; reference:url,www.kb.cert.org/vuls/id/515283; classtype:attempted-admin; sid:23102; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER script tag in URI - likely cross-site scripting attempt"; flow:to_server,established; content:"<SCRIPT"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1857; reference:cve,2014-4075; reference:cve,2014-4116; reference:cve,2015-1653; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-064; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-073; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-036; classtype:web-application-attack; sid:7070; rev:22;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"POLICY-OTHER AFS access"; flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY-OTHER FTP anonymous login attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+(anonymous|ftp)[^\w]*[\r\n]/smi"; metadata:ruleset community, service ftp; classtype:misc-activity; sid:553; rev:13;)
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY-OTHER WinGate telnet server response"; flow:to_client,established; content:"WinGate>"; metadata:ruleset community; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY-OTHER PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:ruleset community; classtype:attempted-admin; sid:2044; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY-OTHER xtacacs login attempt"; flow:to_server; content:"|80 01|"; depth:2; content:"|00|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2040; rev:7;)
# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY-OTHER xtacacs accepted login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|01|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2042; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY-OTHER IPSec PGPNet connection attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; fast_pattern:only; metadata:ruleset community; classtype:protocol-command-decode; sid:1771; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9030:9031 (msg:"POLICY-OTHER TOR traffic anonymizer server request"; flow:established,to_server; content:"GET /tor/server"; fast_pattern:only; classtype:policy-violation; sid:9324; rev:5;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"POLICY-OTHER Outbound Teredo traffic detected"; flow:to_server; content:" |01|"; depth:2; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-038; classtype:policy-violation; sid:12065; rev:5;)
# alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"POLICY-OTHER Inbound Teredo traffic detected"; flow:to_server; content:"?|FE 83 1F|"; depth:4; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-038; classtype:policy-violation; sid:12068; rev:5;)
# alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"POLICY-OTHER Inbound Teredo traffic detected"; flow:to_server; content:" |01|"; depth:2; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-038; classtype:policy-violation; sid:12066; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"POLICY-OTHER Outbound Teredo traffic detected"; flow:to_server; content:"?|FE 83 1F|"; depth:4; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-038; classtype:policy-violation; sid:12067; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY-OTHER TOR proxy connection initiation - second alternate port"; flow:to_server,established; content:"TOR"; content:"client <identity>"; classtype:policy-violation; sid:13698; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"POLICY-OTHER TOR proxy connection initiation - alternate port"; flow:to_server,established; content:"TOR"; content:"client <identity>"; classtype:policy-violation; sid:13697; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Microsoft Windows Dr. Watson error reporting attempt"; flow:to_server,established; content:"User-Agent|3A| MSDW|0D 0A|"; fast_pattern:only; http_header; content:"watson.microsoft.com"; http_header; content:"StageOne"; http_uri; metadata:service http; reference:url,oca.microsoft.com/en/dcp20.asp; classtype:policy-violation; sid:13864; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER proxycgi proxy connection detected"; flow:established,to_server; content:"/cgi-bin/anon-www.cgi/http"; fast_pattern:only; http_uri; metadata:service http; reference:url,anonymouse.org; classtype:policy-violation; sid:19475; rev:4;)
# alert udp $HOME_NET any -> any 53 (msg:"POLICY-OTHER hamachi VPN outbound traffic detected"; flow:to_server; content:"|01 00|"; depth:2; offset:2; content:"|0A|hamachi-dc|0F|logmein-gateway|03|com"; fast_pattern:only; reference:url,secure.logmein.com/products/hamachi2/download.aspx; classtype:policy-violation; sid:19474; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER stunnel proxy connection detected"; flow:established,to_client; content:"|13 16|Stunnel Developers Ltd"; fast_pattern:only; reference:url,en.wikipedia.org/wiki/Stunnel; classtype:policy-violation; sid:19473; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER proxytunnel proxy connection detected"; flow:established,to_server; content:"CONNECT localhost|3A|22"; depth:20; nocase; metadata:service http; reference:url,proxytunnel.sourceforge.net; classtype:policy-violation; sid:19472; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"POLICY-OTHER dnstunnel v0.5 outbound traffic detected"; flow:to_server,no_stream; content:"|01 00|"; depth:2; offset:2; byte_test:1,>,20,12; content:!"sophosxl|03|net"; content:!"senderbase|03|org"; content:!"proofpoint|03|com"; content:!"|01|j|02|e5|02|sk"; content:"|00 10 00 01|"; offset:34; detection_filter:track by_src, count 10, seconds 1; metadata:service dns; reference:url,www.hsc.fr/ressources/outils/dns2tcp/index.html.en; classtype:policy-violation; sid:19471; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Rapidshare file-sharing site contacted"; flow:established,to_server; content:"auth.html?"; nocase; http_uri; content:"authcode="; distance:0; nocase; http_uri; content:"Host|3A| www.rapidshare.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.rapidshare.com; classtype:policy-violation; sid:19737; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Filesonic file-sharing site contacted"; flow:established,to_server; content:"Host|3A|"; nocase; http_header; content:"www.filesonic.com"; within:50; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.filesonic.com; classtype:policy-violation; sid:19735; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Megaupload file-sharing site contacted"; flow:established,to_server; content:"/upload_done.php"; nocase; http_uri; content:".megaupload.com"; fast_pattern:only; http_header; pcre:"/^Host\x3A[^\r\n]+\.megaupload\.com/Hsmi"; metadata:service http; reference:url,www.megaupload.com; classtype:policy-violation; sid:19736; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER logmein.com connection attempt"; flow:to_client,established; content:"secure|2E|logmein|2E|com"; fast_pattern:only; reference:url,secure.logmein.com; classtype:policy-violation; sid:19780; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Glype proxy usage detected"; flow:established,to_server; content:"/browse.php?"; nocase; http_uri; content:"u=Oi8v"; distance:0; nocase; http_uri; content:"b="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.glype.com; classtype:policy-violation; sid:20136; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Privoxy disabling of x-filter"; flow:to_server,established; content:"x|2D|filter|3A|"; nocase; http_header; content:"No"; within:10; nocase; http_header; metadata:service http; reference:cve,2007-6724; reference:url,pseudo-flaw.net/content/tor/vidalia-insecure-privoxy-configuration/; classtype:policy-violation; sid:20243; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER possible forced privoxy disabling"; flow:to_client,established; content:"Location|3A|"; nocase; http_header; content:"http|3A 2F 2F|www|2E|privoxy|2E|org|2F|config|2F 3F|set|3D|disable"; within:100; nocase; http_header; metadata:service http; reference:cve,2007-6724; reference:url,pseudo-flaw.net/content/tor/vidalia-insecure-privoxy-configuration/; classtype:policy-violation; sid:20244; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER remote privoxy config access"; flow:to_client,established; content:"Location|3A|"; nocase; http_header; content:"http|3A 2F 2F|www|2E|privoxy|2E|org|2F|config|2F|"; within:100; nocase; http_header; metadata:service http; reference:cve,2007-6724; reference:url,pseudo-flaw.net/content/tor/vidalia-insecure-privoxy-configuration/; classtype:policy-violation; sid:20245; rev:6;)
# alert tcp any any -> $HOME_NET 9100 (msg:"POLICY-OTHER HP Printer firmware update attempt"; flow:to_server,established; content:"@PJL COMMENT MODEL=HP"; fast_pattern:only; content:"|1B|%-12345X@PJL"; depth:13; nocase; content:"@PJL UPGRADE SIZE="; nocase; classtype:policy-violation; sid:20658; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10651 (msg:"POLICY-OTHER Progrea Movicon TCPUploadServer.exe unauthenticated access attempt"; flow:established,to_server; content:"MovX"; depth:4; nocase; pcre:"/^[\x31-\x37\x42]/R"; reference:bugtraq,46907; reference:cve,2011-2963; classtype:attempted-admin; sid:20758; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"POLICY-OTHER TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; reference:bugtraq,47818; reference:cve,2011-1511; classtype:web-application-attack; sid:20873; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt"; flow:to_server,established; content:"/SiteScope/j_security_check"; fast_pattern:only; http_uri; pcre:"/(j_username\x3D\x26)?[^\n]*j_password\x3D(\x26|$)([^\n]*j_username\x26(\x26|$))?/"; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:20996; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER HP SiteScope integrationViewer default credentials policy-bypass attempt"; flow:to_server,established; content:"/SiteScope/j_security_check"; http_uri; content:"j_username|3D|integrationViewer"; fast_pattern:only; pcre:"/j_password\x3DvKm46(\x2A|\x25\x32\x41)sdH(\x24|\x25\x32\x34)8109(\x23|\x25\x32\x33)JLSudh(\x3A|\x25\x33\x41)(\x29|\x25\x32\x39)/"; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:20995; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Telnet protocol specifier in web page attempt"; flow:to_client,established; file_data; content:"telnet|3A 2F 2F|"; fast_pattern:only; pcre:"/(src|href)\s*=\s*(\x22|\x27|)telnet\x3a\x2f\x2f/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,11731; reference:cve,2004-1541; classtype:policy-violation; sid:19669; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TRENDnet IP Camera anonymous access attempt"; flow:to_server,established; content:"/anony/"; fast_pattern:only; http_uri; pcre:"/\/anony\/(jpgview\.htm|mjpeg\.cgi|view2\.cgi|mjpg\.cgi)/Ui"; metadata:ruleset community, service http; reference:url,console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html; reference:url,www.trendnet.com/press/view.asp?id=1958; reference:url,www.wired.com/threatlevel/2012/02/home-cameras-exposed/; classtype:policy-violation; sid:21267; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Microsoft Windows 98 User-Agent string"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"Windows 98"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3A[^\r\n]+Windows 98/Hsmi"; metadata:service http; reference:url,msdn.microsoft.com/en-us/library/ms537503(v=vs.85).aspx; classtype:policy-violation; sid:21556; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8080,8090] (msg:"POLICY-OTHER Cisco Network Registrar default credentials authentication attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2F|login|2E|js"; nocase; http_uri; content:"name=admin"; nocase; http_uri; content:"pass"; nocase; http_uri; content:"changeme"; within:12; http_uri; metadata:service http; reference:cve,2011-2024; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.securityfocus.com/bid/48076; classtype:default-login-attempt; sid:20691; rev:7;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|p|00|s|00|e|00|x|00|e|00|c|00|s|00|v|00|c"; nocase; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1035; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:24008; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER TCP packet with urgent flag attempt"; flow:stateless; flags:U+; classtype:protocol-command-decode; sid:24378; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Adobe ColdFusion admin API access attempt"; flow:to_server,established; content:"/CFIDE/adminapi"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,57330; reference:cve,2013-0632; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:policy-violation; sid:25976; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Adobe ColdFusion component browser access attempt"; flow:to_server,established; content:"/CFIDE/componentutils"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,57330; reference:cve,2013-0632; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:policy-violation; sid:25977; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Adobe ColdFusion admin interface access attempt"; flow:to_server,established; content:"/CFIDE/administrator"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,57330; reference:cve,2013-0632; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:policy-violation; sid:25975; rev:2;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"POLICY-OTHER Achievement Unlocked -- Billion Dollar Company"; flow:to_server,established; content:"We've hit 1bn before but now we're solidly in there. Woot"; fast_pattern:only; reference:url,www.nasdaq.com/article/sourcefire-inc-fire-surged-to-a-new-high-on-q4-results-20120223-00248; classtype:policy-violation; sid:20000; rev:6;)
# alert tcp $EXTERNAL_NET [$FILE_DATA_PORTS,443] -> $HOME_NET any (msg:"POLICY-OTHER Microsoft ADFS endpoint information disclosure attempt"; flow:to_client,established; file_data; content:"/adfs/services/trust/2005/windowstransport"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3185; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-066; classtype:misc-activity; sid:27609; rev:3;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool SMBv2"; flow:to_server,established; content:"|FE|SMB"; depth:8; nocase; content:"|05 00|"; within:2; distance:8; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1028; reference:url,attack.mitre.org/techniques/T1035; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:30281; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding: chunked|0D 0A 0D 0A 0D 0A|"; nocase; isdataat:!0,relative,rawbytes; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:policy-violation; sid:1807; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Rosetta Flash tool use attempt"; flow:to_server,established; content:"=ZWS"; fast_pattern:only; http_uri; urilen:>200; metadata:service http; reference:cve,2015-3096; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:url,miki.it/blog/2014/8/15/adobe-really-fixed-rosetta-flash-today/; classtype:policy-violation; sid:31401; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Rosetta Flash tool use attempt"; flow:to_server,established; content:"=FWS"; fast_pattern:only; http_uri; urilen:>200; metadata:service http; reference:cve,2015-3096; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:url,miki.it/blog/2014/8/15/adobe-really-fixed-rosetta-flash-today/; classtype:policy-violation; sid:31400; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Rosetta Flash tool use attempt"; flow:to_server,established; content:"=CWS"; fast_pattern:only; http_uri; urilen:>200; metadata:service http; reference:cve,2015-3096; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-11.html; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:url,miki.it/blog/2014/8/15/adobe-really-fixed-rosetta-flash-today/; classtype:policy-violation; sid:31399; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Adobe Flash Player possible cross-domain bypass attempt"; flow:to_server,established; content:"|0D 0A|X-"; fast_pattern:only; http_header; content:".swf"; http_header; pcre:"/^Host:\s*(?P<hostname>[^\s\x2f\x5c]+)[\s\x2f\x5c].*?Referer:\s*https?:\x2f\x2f(?!(?P=hostname))[^\n]*\x2eswf([\r\n\?]|$)/smiH"; metadata:service http; reference:bugtraq,68455; reference:cve,2014-0537; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-17.html; classtype:policy-violation; sid:31614; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER HP Universal CMDB default credentials authentication attempt"; flow:to_server,established; content:"/axis2/axis2-admin/login"; fast_pattern:only; http_uri; content:"username=admin"; nocase; content:"password=axis2"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,68363; reference:cve,2014-2617; reference:url,attack.mitre.org/techniques/T1078; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c04357076; classtype:policy-violation; sid:31846; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"USER|20|images|0D 0A|"; flowbits:set,qlogic_default_ftp; flowbits:noalert; metadata:ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1078; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31831; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"PASS|20|images|0D 0A|"; flowbits:isset,qlogic_default_ftp; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1078; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31830; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6060 (msg:"POLICY-OTHER ManageEngine DeviceExpert user credentials enumeration attempt"; flow:to_server,established; content:"GET"; depth:3; content:"ReadUsersFromMasterServlet"; within:30; nocase; metadata:service http; reference:bugtraq,69443; reference:cve,2014-5377; classtype:policy-violation; sid:32092; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9001 (msg:"POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt"; flow:to_server,established; content:"|00 00 00 06|trigeo|00 00 00 06|trigeo"; reference:bugtraq,69559; reference:cve,2014-5504; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:32068; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Remote non-JavaScript file found in script tag src attribute"; flow:to_client,established; file_data; content:"<script"; content:"src="; within:30; isdataat:100,relative; content:!"|2E|js"; within:100; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6345; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:policy-violation; sid:32481; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Visual Mining NetCharts default credentials authentication attempt"; flow:to_server,established; content:"U2NoZWR1bGVyOiFAIyRzY2hlZHVsZXIkI0Ah"; http_header; metadata:service http; reference:bugtraq,70895; reference:cve,2014-8516; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:32526; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY-OTHER SSLv3 CBC client connection attempt"; flow:to_server,established; ssl_version:sslv3; ssl_state:client_hello; content:"|16 03 00|"; depth:3; content:"|00 00 02 00 2F|"; within:5; distance:40; metadata:service ssl; reference:cve,2014-3566; classtype:attempted-recon; sid:32566; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine Eventlog Analyzer information disclosure attempt"; flow:to_server,established; content:"/agentHandler"; nocase; http_uri; content:"mode=getTableData"; fast_pattern:only; http_uri; content:"table="; nocase; http_uri; metadata:service http; reference:cve,2014-6038; classtype:attempted-recon; sid:32603; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine Eventlog Analyzer credential disclosure attempt"; flow:to_server,established; content:"/hostdetails"; fast_pattern:only; http_uri; content:"slid="; nocase; http_uri; content:"hostid="; nocase; http_uri; metadata:service http; reference:cve,2014-6039; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; classtype:attempted-recon; sid:32602; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Arris VAP2500 default credentials authentication attempt"; flow:to_server,established; content:"e882245238cff6150a1a67b1cc336f4f"; fast_pattern:only; content:"e882245238cff6150a1a67b1cc336f4f"; nocase; http_cookie; metadata:service http; reference:bugtraq,71297; reference:cve,2014-8424; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:32741; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Arris VAP2500 default credentials authentication attempt"; flow:to_server,established; content:"1b3231655cebb7a1f783eddf27d254ca"; fast_pattern:only; content:"1b3231655cebb7a1f783eddf27d254ca"; nocase; http_cookie; metadata:service http; reference:bugtraq,71297; reference:cve,2014-8424; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:32740; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [696,7426] (msg:"POLICY-OTHER HP Network Node Manager ovopi.dll command 685 insecure pointer dereference attempt"; flow:stateless; content:"|AD 02 00 00|"; depth:4; isdataat:2556,relative; reference:cve,2014-2624; reference:url,h20565.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04378450-2; classtype:policy-violation; sid:32729; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER base64 encoded executable file download"; flow:to_client,established; file_data; content:"TV"; depth:2; content:"A//8AALgAAAAAAAAAQAA"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/b9cf049a38d52f79e2a9c2d84b9bbc5ad39263a8b663cceda5cae12a3bdb65b8/analysis/; classtype:policy-violation; sid:32951; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER PirateBrowser User-Agent detected"; flow:to_server, established; content:"User-Agent: PB"; fast_pattern:only; http_header; pcre:"/User-Agent: PB\d\.\d/iH"; metadata:service http; reference:url,piratebrowser.com; classtype:policy-violation; sid:32907; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine Desktop Central DCPlugin insecure admin account creation attempt"; flow:to_server,established; content:"/DCPluginServelet"; fast_pattern:only; http_uri; content:"action=addPlugInUser"; nocase; http_uri; content:"role=DCAdmin"; nocase; http_uri; content:"password="; nocase; http_uri; metadata:service http; reference:bugtraq,71849; reference:cve,2014-7862; classtype:policy-violation; sid:32967; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 48080 (msg:"POLICY-OTHER SolarWinds Firewall Security Manager insecure userlogin.jsp access attempt"; flow:to_server,established; content:"GET /fsm/userlogin.jsp"; depth:22; nocase; metadata:service http; reference:cve,2015-2284; classtype:policy-violation; sid:33875; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Evercookie persistent cookie storage attempt"; flow:to_server,established; file_data; content:"this.evercookie_etag"; content:"function("; within:15; content:"name"; within:8; content:"value"; within:9; metadata:service smtp; reference:url,github.com/samyk/evercookie/blob/master/js/evercookie.js; classtype:policy-violation; sid:33964; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Evercookie persistent cookie storage attempt"; flow:to_client,established; file_data; content:"this.evercookie_etag"; content:"function("; within:15; content:"name"; within:8; content:"value"; within:9; metadata:service ftp-data, service http, service imap, service pop3; reference:url,github.com/samyk/evercookie/blob/master/js/evercookie.js; classtype:policy-violation; sid:33963; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt"; flow:to_server,established; content:"/DCOperationsServlet"; fast_pattern:only; http_uri; content:"operation=addOrModifyUser"; nocase; http_uri; content:"roleId=DCAdmin"; nocase; http_uri; content:"password="; nocase; http_uri; metadata:service http; reference:cve,2015-2560; classtype:policy-violation; sid:33986; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt"; flow:to_server,established; content:"/DCOperationsServlet"; fast_pattern:only; http_uri; content:"operation=addOrModifyUser"; nocase; http_client_body; content:"roleId=DCAdmin"; nocase; http_client_body; content:"password="; nocase; http_client_body; metadata:service http; reference:cve,2015-2560; classtype:policy-violation; sid:34024; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"POLICY-OTHER Red Hat OpenStack default password login attempt"; flow:to_server,established; content:"hacluster"; fast_pattern:only; content:"CHANGEME"; metadata:service http; reference:cve,2015-1842; reference:url,attack.mitre.org/techniques/T1078; reference:url,rhn.redhat.com/errata/RHSA-2015-0791.html; classtype:attempted-admin; sid:34345; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7080 (msg:"POLICY-OTHER Red Hat JBoss Operations Network web console access attempt"; flow:to_server,established; content:"/coregui/org.rhq.coregui.CoreGUI/"; fast_pattern:only; metadata:service http; reference:url,access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Users_Guide/index.html; classtype:policy-violation; sid:34342; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7080 (msg:"POLICY-OTHER Red Hat JBoss Operations Network ServerInvokerServlet access attempt"; flow:to_server,established; content:"GET /jboss-remoting-servlet-invoker/ServerInvokerServlet"; fast_pattern:only; metadata:service http; reference:cve,2015-0297; reference:url,rhn.redhat.com/errata/RHSA-2015-0862.html; classtype:policy-violation; sid:34341; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7080 (msg:"POLICY-OTHER Red Hat JBoss Operations Network ServerInvokerServlet access attempt"; flow:to_server,established; content:"POST /jboss-remoting-servlet-invoker/ServerInvokerServlet"; fast_pattern:only; metadata:service http; reference:cve,2015-0297; reference:url,rhn.redhat.com/errata/RHSA-2015-0862.html; classtype:policy-violation; sid:34340; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER ProFTPD mod_copy unauthenticated file copy attempt"; flow:to_server,established; content:"SITE"; depth:4; nocase; content:"CPFR"; within:4; distance:1; fast_pattern; nocase; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,74238; reference:cve,2015-3306; classtype:policy-violation; sid:34447; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER PHP tag injection in http header attempt"; flow:to_server,established; content:"<?php"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2013-1081; classtype:web-application-attack; sid:27027; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1098 (msg:"POLICY-OTHER RedHat JBOSS JNDI service naming"; flow:established,to_server; content:"javax.naming"; content:"org.jnp.interfaces.FastNamingProperties"; fast_pattern:only; metadata:policy max-detect-ips drop, service java_rmi; reference:bugtraq,54644; reference:cve,2011-4605; classtype:policy-violation; sid:25317; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt"; flow:to_server,established; content:"|3C|IDSP|3A|RunScript|3E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:policy-violation; sid:24987; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER PHP uri tag injection attempt"; flow:to_server,established; content:"<?php"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0297; reference:cve,2012-2957; classtype:web-application-attack; sid:23111; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8080,8090] (msg:"POLICY-OTHER Cisco network registrar default credentials authentication attempt"; flow:to_server,established; content:"/login.js"; nocase; http_uri; content:"name=admin"; nocase; http_uri; content:"pass"; nocase; http_uri; content:"changeme"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2024; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.securityfocus.com/bid/48076; classtype:default-login-attempt; sid:20692; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER HP Universal CMDB server axis2 service upload attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/axis2/axis2-admin/upload"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,secunia.com/advisories/42763/; classtype:attempted-admin; sid:19158; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER CA ARCserve Axis2 default credential login attempt"; flow:to_server,established; content:"/axis2-admin/login"; fast_pattern:only; http_uri; content:"userName=admin"; nocase; http_client_body; content:"password="; nocase; http_client_body; pcre:"/^(admin|axis2)/iR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45625; reference:cve,2010-0219; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:18985; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6504 (msg:"POLICY-OTHER CA BightStor ARCserver Backup possible insecure method access"; flow:established, to_server; dce_iface:506b1890-14c8-11d1-bbc3-00805fa6962e; dce_opnum:383-396; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2007-5328; reference:url,secunia.com/advisories/27192/; classtype:attempted-user; sid:17577; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER file URI scheme attempt"; flow:established,to_client; file_data; content:"file|3A 2F 2F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3230; reference:url,tools.ietf.org/html/rfc1630; reference:url,tools.ietf.org/html/rfc1738; classtype:policy-violation; sid:16642; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9001:9030 (msg:"POLICY-OTHER TOR proxy connection initiation"; flow:to_server,established; content:"TOR"; content:"client <identity>"; metadata:policy max-detect-ips drop; classtype:policy-violation; sid:13696; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13782 (msg:"POLICY-OTHER VERITAS NetBackup system - execution function call access"; flow:established,to_server; content:"|00 18 00 1B 00 02|"; depth:18; metadata:policy max-detect-ips drop; reference:bugtraq,21565; reference:cve,2006-4902; reference:cve,2006-6822; classtype:misc-activity; sid:10130; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER IPv6 packets encapsulated in IPv4"; ip_proto:41; metadata:policy max-detect-ips drop; reference:bugtraq,29235; reference:cve,2008-2136; classtype:policy-violation; sid:8446; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER web server file upload attempt"; flow:to_server,established; content:"Content-Disposition"; nocase; content:"filename"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,www.faqs.org/rfcs/rfc1867.html; classtype:misc-activity; sid:5708; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt"; flow:to_server,established; content:"/zenworks/rtr"; nocase; http_uri; content:"maintenance=ShowLogins"; fast_pattern:only; metadata:service http; reference:bugtraq,74289; reference:cve,2015-0784; classtype:policy-violation; sid:34584; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER HP SiteScope unspecified privilege escalation attempt"; flow:to_server,established; content:"/SiteScope/remoteProxy?"; http_uri; content:"File name|74 00 0C|users.config"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-2120; reference:url,h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04688784 ; classtype:policy-violation; sid:34823; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Arcserve Unified Data Protection Management credential disclosure attempt"; flow:to_server,established; content:"POST /services/EdgeServiceImpl"; depth:30; nocase; content:"getBackupPolic"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,74838; reference:cve,2015-4069; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; classtype:policy-violation; sid:34944; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"POLICY-OTHER Apple Cups cupsd.conf change attempt"; flow:to_server,established; content:"PUT"; http_method; urilen:22; content:"/admin/conf/cupsd.conf"; fast_pattern:only; http_uri; metadata:service http; classtype:policy-violation; sid:35042; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER IPv6 neighbor solicitation - THC-IPv6 tool indicator attempt"; itype:135; icode:>0; detection_filter:track by_dst, count 4000, seconds 1; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:35098; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER IPv6 neighbor solicitation - THC-IPv6 tool indicator attempt"; itype:135; icode:>0; content:"XXXXXX"; fast_pattern:only; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:35097; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft Internet Explorer InPrivate mode image information leak attempt"; flow:to_server,established; file_data; content:".getElementById"; nocase; content:".width"; within:100; nocase; content:".height"; within:50; nocase; pcre:"/\x2EgetElementById\x28[\x22\x27]?(?P<element>\w+)[\x22\x27]?.*?(?P=element)\x2Ewidth.*?(?P=element)\x2Eheight/si"; metadata:service smtp; reference:cve,2015-2414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-recon; sid:35195; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft Internet Explorer InPrivate mode image information leak attempt"; flow:to_server,established; file_data; content:".getElementById"; nocase; content:".height"; within:100; nocase; content:".width"; within:50; nocase; pcre:"/\x2EgetElementById\x28[\x22\x27]?(?P<element>\w+)[\x22\x27]?.*?(?P=element)\x2Eheight.*?(?P=element)\x2Ewidth/si"; metadata:service smtp; reference:cve,2015-2414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-recon; sid:35194; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft Internet Explorer InPrivate mode image information leak attempt"; flow:to_client,established; file_data; content:".getElementById"; nocase; content:".width"; within:100; nocase; content:".height"; within:50; nocase; pcre:"/\x2EgetElementById\x28[\x22\x27]?(?P<element>\w+)[\x22\x27]?.*?(?P=element)\x2Ewidth.*?(?P=element)\x2Eheight/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-recon; sid:35193; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft Internet Explorer InPrivate mode image information leak attempt"; flow:to_client,established; file_data; content:".getElementById"; nocase; content:".height"; within:100; nocase; content:".width"; within:50; nocase; pcre:"/\x2EgetElementById\x28[\x22\x27]?(?P<element>\w+)[\x22\x27]?.*?(?P=element)\x2Eheight.*?(?P=element)\x2Ewidth/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-065; classtype:attempted-recon; sid:35192; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Remote non-JavaScript file found in script tag src attribute"; flow:to_server,established; file_data; content:"<script"; content:"src="; within:30; isdataat:50,relative; isdataat:!100,relative; content:!"|2E|js"; within:50; metadata:service smtp; reference:cve,2015-1729; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:policy-violation; sid:35181; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Remote non-JavaScript file found in script tag src attribute"; flow:to_client,established; file_data; content:"<script"; content:"src="; within:30; isdataat:50,relative; isdataat:!100,relative; content:!"|2E|js"; within:50; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1729; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-065; classtype:policy-violation; sid:35180; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft Internet Explorer IE6 compatibility mode attempt"; flow:to_server,established; file_data; content:"http-equiv="; nocase; content:"X-UA-Compatible"; within:50; nocase; content:"content="; within:50; nocase; content:"IE=6"; within:50; nocase; metadata:service smtp; reference:url,msdn.microsoft.com/en-us/library/ms533876%28v=vs.85%29.aspx; classtype:policy-violation; sid:35148; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft Internet Explorer IE6 compatibility mode attempt"; flow:to_client,established; file_data; content:"http-equiv="; nocase; content:"X-UA-Compatible"; within:50; nocase; content:"content="; within:50; nocase; content:"IE=6"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,msdn.microsoft.com/en-us/library/ms533876%28v=vs.85%29.aspx; classtype:policy-violation; sid:35147; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft cabinet file default sha1 signature detected"; flow:to_server,established; flowbits:isset,file.cab; file_data; content:"|06 09 2A 86 48 86 F7 0D 01 01 05 05 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2466; reference:url,attack.mitre.org/techniques/T1078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:misc-attack; sid:35528; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft cabinet file default sha1 signature detected"; flow:to_client,established; flowbits:isset,file.cab; file_data; content:"|06 09 2A 86 48 86 F7 0D 01 01 05 05 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2466; reference:url,attack.mitre.org/techniques/T1078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-081; classtype:misc-attack; sid:35527; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 14 00 00 08 AB|"; within:12; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,74426; reference:cve,2015-0538; classtype:policy-violation; sid:35539; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 14 00 00 08 0C|"; within:12; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,74426; reference:cve,2015-0538; classtype:policy-violation; sid:35538; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER OCSP response with no nextUpdate field"; flow:to_client,established; content:"content-type|3A| application/ocsp-response"; fast_pattern:only; http_header; file_data; content:"|80 00 18 0F|"; isdataat:500,relative; content:!"|A0 11 18 0F|"; within:500; metadata:service http; reference:cve,2015-4748; reference:url,www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html; classtype:policy-violation; sid:35598; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Symantec Endpoint Protection insecure password reset attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; nocase; http_uri; content:"ActionType=ResetPassword"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2015-1486; classtype:policy-violation; sid:35670; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 51000 (msg:"POLICY-OTHER EMC Documentum Content Server remote access attempt"; flow:to_server,established; content:"|0A|QUERY STRING"; fast_pattern:only; reference:cve,2014-2514; reference:cve,2015-4532; reference:url,www.emc.com/enterprise-content-management/index.htm; classtype:policy-violation; sid:35849; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER BitTorrent distributed reflected denial-of-service attempt"; flow:stateless,no_stream; content:"|13|BitTorrent protocol"; fast_pattern:only; detection_filter:track by_dst, count 70, seconds 5; reference:url,usenix.org/conference/woot15/workshop-program/presentation/p2p-file-sharing-hell-exploiting-bittorrent; classtype:attempted-dos; sid:36194; rev:2;)
alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"POLICY-OTHER Cisco router Security Device Manager default banner"; flow:to_client,established; content:"the one-time use of the username |22|cisco|22| with the |0A|password |22|cisco|22|."; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service telnet; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.cisco.com/c/en/us/td/docs/routers/access/iad880/hardware/installation/guide/IAD880HIG/4InitialConfigIAD880.pdf; classtype:policy-violation; sid:36282; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"POLICY-OTHER dnstunnel v0.5 outbound traffic detected"; flow:to_server,no_stream; content:"|01 00|"; depth:2; offset:2; byte_test:1,>,20,12; content:"|00 19 00 01|"; offset:34; detection_filter:track by_src, count 10, seconds 1; metadata:service dns; reference:url,www.hsc.fr/ressources/outils/dns2tcp/index.html.en; classtype:policy-violation; sid:36379; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute"; flow:to_server,established; file_data; content:"<script"; content:"text/vbs"; within:30; content:"src="; within:30; isdataat:100,relative; content:!"|2E|vbs"; within:100; metadata:service smtp; reference:cve,2015-6059; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-108; classtype:policy-violation; sid:36422; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute"; flow:to_client,established; file_data; content:"<script"; content:"text/vbs"; within:30; content:"src="; within:30; isdataat:100,relative; content:!"|2E|vbs"; within:100; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6059; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-108; classtype:policy-violation; sid:36421; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute"; flow:to_server,established; file_data; content:"<script"; content:"language"; within:30; content:"vbscript"; within:30; content:"src="; within:30; isdataat:100,relative; content:!"|2E|vbs"; within:100; metadata:service smtp; reference:cve,2015-6059; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-108; classtype:policy-violation; sid:36420; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute"; flow:to_client,established; file_data; content:"<script"; content:"language"; within:30; content:"vbscript"; within:30; content:"src="; within:30; isdataat:100,relative; content:!"|2E|vbs"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6059; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-106; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-108; classtype:policy-violation; sid:36419; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; file_data; content:"|03 00|"; depth:2; content:"|08 02|"; within:2; distance:2; content:"|00|c|00|i|00|s|00|c|00|o"; within:60; content:"ooh323"; distance:0; fast_pattern; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_1.pdf; classtype:trojan-activity; sid:36541; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Symantec LiveUpdate forcepasswd.do insecure password change attempt"; flow:to_server,established; content:"/lua/forcepasswd.do"; fast_pattern:only; http_uri; content:"newPassword"; nocase; http_client_body; metadata:service http; reference:bugtraq,66399; reference:cve,2014-1644; classtype:policy-violation; sid:36784; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER self-signed SSL certificate eDellRoot use attempt"; flow:to_client,established; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|6B C5 7B 95 18 93 AA 97 4B 62 4A C0 88 FC 3B B6|"; fast_pattern:only; content:"|09|eDellRoot"; metadata:service ssl; classtype:policy-violation; sid:36887; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|00 05|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37026; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|00 04|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37025; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER ManageEngine EventLog Analyzer runQuery.do insecure SQL query attempt"; flow:to_server,established; content:"/event/runQuery.do"; fast_pattern:only; http_uri; content:"execute=true"; nocase; content:"query="; nocase; metadata:service http; reference:bugtraq,76866; reference:cve,2015-7387; classtype:policy-violation; sid:36915; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53413 (msg:"POLICY-OTHER Netcore/Netis firmware hard-coded backdoor account access attempt"; flow:to_server; content:"netcore"; depth:7; offset:8; reference:url,nearsecurity.net/love-china-netisbackdoor-exploitation/; classtype:attempted-admin; sid:37545; rev:1;)
# alert tcp any any -> any any (msg:"POLICY-OTHER junk rule to autoenable pop3.stat flowbit"; flow:to_client,established; content:"237<pop3.stat>5yefahr78ah4r7ayrq7yq3tr4ga78"; fast_pattern:only; flowbits:isset,pop3.stat; metadata:policy max-detect-ips alert; classtype:misc-activity; sid:37683; rev:1;)
# alert tcp any any -> any any (msg:"POLICY-OTHER junk rule to autoenable smb.session.negotiate flowbit"; flow:to_client,established; content:"237<smb.session.negotiate>5yefahr78ah4r7ayrq7yq3tr4ga78"; fast_pattern:only; flowbits:isset,smb.session.negotiate; metadata:policy max-detect-ips alert; classtype:misc-activity; sid:37682; rev:1;)
# alert tcp any any -> any any (msg:"POLICY-OTHER junk rule to autoenable vnetd.bpspsserver.connection flowbit"; flow:to_client,established; content:"237<vnetd.bpspsserver.connection>5yefahr78ah4r7ayrq7yq3tr4ga78"; fast_pattern:only; flowbits:isset,vnetd.bpspsserver.connection; metadata:policy max-detect-ips alert; classtype:misc-activity; sid:37681; rev:1;)
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar test string download attempt"; flow:to_client,established; file_data; content:"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"; fast_pattern:only; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:37732; rev:1;)
# alert tcp any any -> any any (msg:"POLICY-OTHER junk rule to autoenable imap.cram_md5 flowbit"; flow:to_client,established; content:"237<imap.cram_md5>5yefahr78ah4r7ayrq7yq3tr4ga78"; fast_pattern:only; flowbits:isset,imap.cram_md5; metadata:policy max-detect-ips alert; classtype:misc-activity; sid:37845; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; file_data; content:"|03 00|"; depth:2; content:"|08 02|"; within:2; distance:2; content:"EE|A8 C6|3"; within:80; content:"ooh323"; distance:6; fast_pattern; metadata:ruleset community; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_2.pdf; classtype:trojan-activity; sid:37815; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; file_data; content:"|03 00|"; depth:2; content:"|08|"; distance:2; content:"|05|"; distance:4; content:"MERA RTU"; within:100; fast_pattern; metadata:ruleset community; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_2.pdf; classtype:trojan-activity; sid:37814; rev:1;)
# alert tcp any any -> any any (msg:"POLICY-OTHER junk rule to autoenable vnc.server.auth.types flowbit"; flow:to_client,established; content:"237<vnc.server.auth.types>5yefahr78ah4r7ayrq7yq3tr4ga78"; fast_pattern:only; flowbits:isset,vnc.server.auth.types; metadata:policy max-detect-ips alert; classtype:misc-activity; sid:37813; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing protoType.valueOf function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|prototype"; fast_pattern:only; content:"|07|valueOf"; nocase; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38059; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing getDefinitionByName function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|13|getDefinitionByName"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38058; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing parseFloat function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0A|parseFloat"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38057; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing domainMemory function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0C|domainMemory"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38056; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing defaultValue function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|0C|defaultValue"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38055; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing protoType.valueOf function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|prototype"; fast_pattern:only; content:"|07|valueOf"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38054; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing getDefinitionByName function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|13|getDefinitionByName"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38053; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing parseFloat function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|parseFloat"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38052; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing domainMemory function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0C|domainMemory"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38051; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing defaultValue function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0C|defaultValue"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38050; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing U3D object download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; nocase; content:"/U3D"; within:20; fast_pattern; nocase; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38048; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing mluc tag object download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"mluc|00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38047; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF ActiveX CLSID access detected"; flow:to_server, established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:38046; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF ActiveX CLSID access detected"; flow:to_server, established; file_data; content:"AcroPDF.PDF"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:38045; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing AcroForm key download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-1092; classtype:policy-violation; sid:38044; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing Action key download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Action"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38043; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing Launch key download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Launch"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38042; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing U3D object download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; nocase; content:"/U3D"; within:20; fast_pattern; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38041; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing mluc tag object download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"mluc|00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38040; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF ActiveX CLSID access detected"; flow:to_client, established; file_data; content:"CA8A9780-280D-11CF-A24D-444553540000"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:38039; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF ActiveX CLSID access detected"; flow:to_client, established; file_data; content:"AcroPDF.PDF"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0527; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-16.html; classtype:attempted-user; sid:38038; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing AcroForm key download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1092; classtype:policy-violation; sid:38037; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing Action key download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Action"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38036; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing Launch key download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Launch"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38035; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing allowLoadBytesCodeExecution function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|6E|allowLoadBytesCodeExecution"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38034; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing allowLoadBytesCodeExecution function download detected "; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|6E|allowLoadBytesCodeExecution"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38033; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing atomicCompareAndSwapLength function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|1A|atomicCompareAndSwapLength"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38032; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing loadBytes function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|09|loadBytes"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38031; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash file containing ExternalInterface function download detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|11|ExternalInterface"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:policy-violation; sid:38030; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing atomicCompareAndSwapLength function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1A|atomicCompareAndSwapLength"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38029; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing loadBytes function"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|09|loadBytes"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38028; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Flash file containing ExternalInterface function download detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|11|ExternalInterface"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:38027; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 16|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37916; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 11|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37915; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 0C|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37914; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 07|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37913; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 02|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:37912; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9855 (msg:"POLICY-OTHER Symantec Workspace Streaming insecure java serialized data upload attempt"; flow:to_server,established; content:"xmlrpc"; nocase; content:"ManagementAgentServer.putFile"; fast_pattern:only; content:"<methodName"; nocase; content:"serializable"; nocase; content:"rO0A"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,67189; reference:cve,2014-1649; classtype:policy-violation; sid:37880; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"POLICY-OTHER SSLv2 Client Hello attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv2; content:"|01 00 02|"; depth:3; offset:2; metadata:service ssl; reference:cve,2015-3197; reference:cve,2016-0800; classtype:policy-violation; sid:38060; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER HTTP Request missing user-agent"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent:"; nocase; http_header; content:"|0D 0A|"; within:3; http_header; metadata:service http; reference:url,ietf.org/rfc/rfc2616.txt; classtype:misc-activity; sid:38130; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"POLICY-OTHER Suspicious typo squatting DNS query to .om TLD attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|om|00|"; distance:0; nocase; pcre:"/(?:netflix|yahoo|htc|huffingtonpost|nbc|bankofamerica|youtube|reddit|linkedin|facebook|live|google|baidu|gmail|xbox|adidas|hilton|ctrip|dangdang|directv|douban|drugstore|dubizzle|eastmoney|enterprise|etao|fiverr|one|qq|qv|si|sogou|tuniu|usaa|weather|weibo|y8|yatra)c?\x02om\x00/si"; metadata:service dns; reference:url,blogs.splunk.com/2016/04/01/hunting-that-evil-typosquatter/; reference:url,www.endgame.com/blog/what-does-oman-house-cards-and-typosquatting-have-common-om-domain-and-dangers-typosquatting; classtype:policy-violation; sid:38457; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER PDF containing XDP structure download detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<xdp:xdp"; fast_pattern:only; metadata:service smtp; reference:cve,2016-1092; classtype:policy-violation; sid:38823; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER PDF containing XDP structure download detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<xdp:xdp"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1092; classtype:policy-violation; sid:38822; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/cbmui/ImageUploadServlet"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,60484; reference:cve,2013-3520; reference:url,www.vmware.com/security/advisories/VMSA-2013-0008.html; classtype:policy-violation; sid:38964; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Google Chromium ClusterFuzz fuzzer generated code detected"; flow:to_server,established; file_data; content:"g_ele_ref_parent"; nocase; content:"g_ele_ref_parent"; within:300; nocase; content:"g_ele_ref_son"; nocase; content:"g_ele_ref_son"; within:300; nocase; metadata:service smtp; reference:url,www.chromium.org/Home/chromium-security/bugs/using-clusterfuzz; classtype:policy-violation; sid:39502; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Google Chromium ClusterFuzz fuzzer generated code detected"; flow:to_client,established; file_data; content:"g_ele_ref_parent"; nocase; content:"g_ele_ref_parent"; within:300; nocase; content:"g_ele_ref_son"; nocase; content:"g_ele_ref_son"; within:300; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.chromium.org/Home/chromium-security/bugs/using-clusterfuzz; classtype:policy-violation; sid:39501; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER AutoItv3 Aut2Exe interpreter - compiled script"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D|"; fast_pattern:only; content:"AU3!EA0"; metadata:service smtp; reference:url,autoitscript.com/autoit3/docs/intro/compiler.htm; reference:url,blog.didierstevens.com/2007/10/02/autoit-malware-revisited/; classtype:policy-violation; sid:40029; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER AutoItv3 Aut2Exe interpreter - compiled script"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D|"; fast_pattern:only; content:"AU3!EA0"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,autoitscript.com/autoit3/docs/intro/compiler.htm; reference:url,blog.didierstevens.com/2007/10/02/autoit-malware-revisited/; classtype:policy-violation; sid:40028; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"POLICY-OTHER SSH weak blowfish cipher suite use attempt"; flow:to_server,established; content:"|00 00 00 0C|blowfish-cbc|00 00 00 0C|blowfish-cbc"; fast_pattern:only; reference:bugtraq,92630; reference:cve,2016-2183; classtype:policy-violation; sid:40190; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"POLICY-OTHER SSH weak 3DES cipher suite use attempt"; flow:to_server,established; content:"|00 00 00 08|3des-cbc|00 00 00 08|3des-cbc"; fast_pattern:only; reference:bugtraq,92630; reference:cve,2016-2183; classtype:policy-violation; sid:40189; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL weak 3DES cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|C0 1C|"; within:2; metadata:service ssl; reference:bugtraq,92630; reference:cve,2016-2183; classtype:policy-violation; sid:40188; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL weak 3DES cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|00 8B|"; within:2; metadata:service ssl; reference:bugtraq,92630; reference:cve,2016-2183; classtype:policy-violation; sid:40187; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL weak 3DES cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|00 0A|"; within:2; metadata:service ssl; reference:bugtraq,92630; reference:cve,2016-2183; classtype:policy-violation; sid:40186; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash SMTP MIME attachment detected"; flow:to_server,established; content:"Content-Disposition"; fast_pattern:only; file_data; content:"ZWS"; depth:3; metadata:policy max-detect-ips drop, service smtp; reference:url,en.wikipedia.org/wiki/SWF; classtype:policy-violation; sid:41192; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash SMTP MIME attachment detected"; flow:to_server,established; content:"Content-Disposition"; fast_pattern:only; file_data; content:"FWS"; depth:3; metadata:policy max-detect-ips drop, service smtp; reference:url,en.wikipedia.org/wiki/SWF; classtype:policy-violation; sid:41191; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Flash SMTP MIME attachment detected"; flow:to_server,established; content:"Content-Disposition"; fast_pattern:only; file_data; content:"CWS"; depth:3; metadata:policy max-detect-ips drop, service smtp; reference:url,en.wikipedia.org/wiki/SWF; classtype:policy-violation; sid:41190; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"POLICY-OTHER SunRPC Portmap GETPORT request detected"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 00 00 02 00 00 00 03|"; depth:20; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:url,en.wikipedia.org/wiki/Portmap; classtype:policy-violation; sid:41186; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"POLICY-OTHER SunRPC Portmap GETPORT request detected"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 00 00 02 00 00 00 03|"; depth:20; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:url,en.wikipedia.org/wiki/Portmap; classtype:policy-violation; sid:41185; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Cisco Firepower Management Console rule import access detected"; flow:to_server,established; content:"/DetectionPolicy/rules/rulesimport.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2016-6433; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc; classtype:policy-violation; sid:41389; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Cisco WebEx explicit use of web plugin"; flow:to_server,established; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; fast_pattern:only; http_uri; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:policy-violation; sid:41409; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 55443 (msg:"POLICY-OTHER McAfee Virus Scan Linux outdated version detected"; flow:to_server,established; content:"/0409/nails"; content:"pg=proxy"; distance:0; nocase; content:"&tplt="; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,nation.state.actor/mcafee.html; classtype:policy-violation; sid:41515; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Wordpress Press-This page access detected"; flow:to_server,established; content:"/wp-admin/press-this.php"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2017-5610; reference:url,openwall.com/lists/oss-security/2017/01/28/5; classtype:policy-violation; sid:41649; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Piwik Analytics Platform PHP plugin installation detected"; flow:to_server,established; content:"CorePluginsAdmin"; fast_pattern:only; content:"uploadPlugin"; nocase; content:"pluginZip"; nocase; http_client_body; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:".php"; within:filename_len; distance:2; nocase; metadata:service http; reference:url,firefart.at/post/turning_piwik_superuser_creds_into_rce; classtype:policy-violation; sid:41647; rev:1;)
# alert tcp $HOME_NET 49152:65535 -> $HOME_NET 49152:65535 (msg:"POLICY-OTHER Microsoft Active Directory DSGetNCChanges attempt"; flow:to_server,established; content:"|00|"; depth:1; offset:2; content:"|10 00 00 00|"; within:4; distance:1; content:"|03 00|"; within:2; distance:14; content:"|09 06|"; distance:0; metadata:service dcerpc; reference:url,adsecurity.org/?p=1729; classtype:policy-violation; sid:41701; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER external admin access attempt"; flow:to_server,established; content:"/admin"; fast_pattern:only; http_uri; metadata:service http; classtype:attempted-admin; sid:41742; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft Word document with large docProps/core.xml file"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; content:"docProps/core.xml"; within:17; distance:42; content:"|11 00|"; within:2; distance:-35; byte_test:4,>,2000,-6,relative, little; metadata:service smtp; reference:url,en.wikipedia.org/wiki/Macro_virus; classtype:policy-violation; sid:41762; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft Word document with large docProps/core.xml file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; content:"docProps/core.xml"; within:17; distance:42; content:"|11 00|"; within:2; distance:-35; byte_test:4,>,2000,-6,relative, little; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Macro_virus; classtype:policy-violation; sid:41761; rev:1;)
# alert udp any any -> any any (msg:"POLICY-OTHER Cisco IOS configuration transfer via TFTP detected"; flow:stateless; content:"|00 03|"; depth:2; content:"|21 0A|version "; fast_pattern:only; metadata:service tftp; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:policy-violation; sid:41744; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9200 (msg:"POLICY-OTHER ElasticSearch cluster health access detected"; flow:to_server,established; content:"GET /_cluster/health"; depth:20; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2015-0969; reference:url,www.kb.cert.org/vuls/id/697316; classtype:policy-violation; sid:41816; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"POLICY-OTHER SSLv3 Client Hello attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3; content:"|16 03 00|"; depth:3; metadata:service ssl; reference:cve,2002-1623; reference:cve,2013-2566; classtype:policy-violation; sid:41807; rev:1;)
# alert udp any any -> any any (msg:"POLICY-OTHER Cisco IOS privileged user configuration transfer via TFTP detected"; flow:stateless; content:"|00 03|"; depth:2; content:" privilege 15 "; fast_pattern:only; metadata:service tftp; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:policy-violation; sid:41796; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected"; flow:stateless; content:"|00 03 00 01|"; depth:4; content:".tar"; within:100; fast_pattern; nocase; metadata:service tftp; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:policy-violation; sid:41795; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected"; flow:stateless; content:"|00 03 00 01|"; depth:4; content:".bin"; within:100; fast_pattern; nocase; metadata:service tftp; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:policy-violation; sid:41794; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-OTHER SSL/TLS weak RC4 cipher suite use attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02|"; depth:1; offset:5; byte_jump:1,37,relative; content:"|00 18|"; within:2; metadata:service ssl; reference:bugtraq,73684; reference:cve,2015-2808; classtype:policy-violation; sid:41907; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER HTTP redirect to FTP server attempt"; flow:to_client,established; content:"30"; depth:2; http_stat_code; content:"Location|3A|"; nocase; http_header; content:"ftp|3A|//"; within:25; fast_pattern; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,91530; reference:cve,2016-4971; reference:url,lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html; classtype:attempted-user; sid:41906; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_server,established; file_data; content:"stroke"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/stroke\s+[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service smtp; reference:cve,2016-3715; classtype:policy-violation; sid:41902; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_client,established; file_data; content:"stroke"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/stroke\s+[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3715; classtype:policy-violation; sid:41901; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_server,established; file_data; content:"fill"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/fill\s+[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service smtp; reference:cve,2016-3715; classtype:policy-violation; sid:41900; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_client,established; file_data; content:"fill"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/fill\s+[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3715; classtype:policy-violation; sid:41899; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_server,established; file_data; content:"image"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x27\x22]*?[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service smtp; reference:cve,2016-3715; classtype:policy-violation; sid:41898; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics ephemeral access attempt"; flow:to_client,established; file_data; content:"image"; nocase; content:"ephemeral:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x27\x22]*?[\x27\x22]\s*?ephemeral\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3715; classtype:policy-violation; sid:41897; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_server,established; file_data; content:"stroke"; nocase; content:"msl:"; distance:0; nocase; pcre:"/stroke\s+[\x27\x22]\s*?msl\s*?:/i"; metadata:service smtp; reference:cve,2016-3716; classtype:policy-violation; sid:41894; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_client,established; file_data; content:"stroke"; nocase; content:"msl:"; distance:0; nocase; pcre:"/stroke\s+[\x27\x22]\s*?msl\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3716; classtype:policy-violation; sid:41893; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_server,established; file_data; content:"fill"; nocase; content:"msl:"; distance:0; nocase; pcre:"/fill\s+[\x27\x22]\s*?msl\s*?:/i"; metadata:service smtp; reference:cve,2016-3716; classtype:policy-violation; sid:41892; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_client,established; file_data; content:"fill"; nocase; content:"msl:"; distance:0; nocase; pcre:"/fill\s+[\x27\x22]\s*?msl\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3716; classtype:policy-violation; sid:41891; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_server,established; file_data; content:"image"; nocase; content:"msl:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x27\x22]*?[\x27\x22]\s*?msl\s*?:/i"; metadata:service smtp; reference:cve,2016-3716; classtype:policy-violation; sid:41890; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER ImageMagick magick vector graphics msl access attempt"; flow:to_client,established; file_data; content:"image"; nocase; content:"msl:"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x27\x22]*?[\x27\x22]\s*?msl\s*?:/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3716; classtype:policy-violation; sid:41889; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Carel PlantVisorPRO insecure SQL query transmission"; flow:to_server, established; content:"/PlantVisorPRO/arch/manager/"; fast_pattern:only; nocase; http_uri; content:"sqlcommand="; metadata:service http; reference:url,carelusa.com/product/plantvisorpro; classtype:web-application-attack; sid:41915; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9290 (msg:"POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt"; flow:to_server,established; content:"/System/management.asp"; http_uri; content:"Authorization: Basic dXNlcjp1c2Vy"; fast_pattern:only; http_header; reference:url,attack.mitre.org/techniques/T1078; reference:url,aviosys.com/products.html; classtype:web-application-attack; sid:42068; rev:2;)
# alert tcp $HOME_NET 9290 -> $EXTERNAL_NET any (msg:"POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure"; flow:to_client,established; file_data; content:"<td><input type=|22|text|22| name=|22|admuser|22| id=|22|admuser|22| size=|22|16|22| maxlength=|22|16|22| value="; content:"<td><input type=|22|password|22| name=|22|admpass|22| id=|22|admpass|22| size=|22|16|22| maxlength=|22|32|22| value="; fast_pattern:only; reference:url,aviosys.com/9258w2.html; classtype:web-application-attack; sid:42067; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2010-4730; reference:cve,2010-4731; reference:cve,2010-4732; classtype:web-application-attack; sid:42093; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; http_uri; content:"page=config.html"; http_uri; content:"file=/home/config/pages/2.conf"; distance:0; http_uri; content:"section=PAGE2"; distance:0; http_uri; metadata:service http; reference:cve,2010-4732; reference:url,ics-cert.us-cert.gov/advisories/ICSA-10-316-01A; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-10-293-01; classtype:web-application-attack; sid:42092; rev:2;)
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42376; rev:2;)
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|08 43 1F A6 84 67 40 39 48 76 D3 FE 4B 3C 80 07 33 EF 32 83 6D 24 F4 B2 3D 48 15 90 BA E2 5C 40|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42375; rev:2;)
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|44 54 CD 3C BA 76 BF 75 53 47 28 94 1E 72 15 04 41 3B 9A B6 32 85 89 31 84 81 83 A6 42 DA 42 95|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42374; rev:2;)
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42373; rev:2;)
# alert tcp any any -> any any (msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"X5O!P%@AP[4|5C|PZX54(P^)7CC)7}-STANDARD-ANTIVIRUS-TEST-FILE!+H*"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3, service smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42372; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [445,1433] (msg:"POLICY-OTHER MSSQL CLR permission set to unsafe attempt"; flow:to_server,established; content:"W|00|I|00|T|00|H|00|"; nocase; content:"P|00|E|00|R|00|M|00|I|00|S|00|S|00|I|00|O|00|N|00|_|00|S|00|E|00|T"; within:100; nocase; content:"U|00|N|00|S|00|A|00|F|00|E"; within:100; fast_pattern; nocase; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,sekirkity.com/command-execution-in-sql-server-via-fileless-clr-based-custom-stored-procedure; classtype:attempted-admin; sid:42424; rev:2;)
# alert tcp any [16992,16993,16994,16995,623,664] -> any any (msg:"POLICY-OTHER Intel AMT remote administration tool access attempt"; flow:to_client,established; content:"<title>Intel&reg|3B| Active Management Technology</title>"; nocase; content:"Log on to Intel&reg|3B| Active Management Technology on this computer."; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,www-ssl.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html; classtype:policy-violation; sid:42491; rev:2;)
# alert tcp any [16992,16993,16994,16995,623,664] -> any any (msg:"POLICY-OTHER Intel AMT remote administration tool access attempt"; flow:to_client,established; content:"HTTP/1"; depth:6; content:"Server: Intel|28|R|29| Active Management Technology"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,www-ssl.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html; classtype:policy-violation; sid:42490; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER Schneider Electric hardcoded FTP login attempt"; flow:to_server,established; content:"PASS factorycast@schneider"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; classtype:attempted-admin; sid:42787; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Possible Apache Continuum saveInstallation.action command injection vulnerability check"; flow:to_server,established; content:"/continuum/about.action"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,issues.apache.org/jira/browse/continuum; classtype:misc-activity; sid:43785; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER D-Link DIR-645 router external authentication attempt"; flow:to_server,established; content:"/authentication.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-7389; classtype:policy-violation; sid:43784; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM administrative user creation detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/AddFirstUser"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-admin; sid:43564; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM administrative user credentials request detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/Users"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:43563; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM database information request detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/GetOneTenant"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:43562; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"POLICY-OTHER MongoDB dropDatabase attempt"; flow:to_server,established; content:"|D4 07 00 00|"; depth:4; offset:12; content:"|2E|"; distance:5; content:"|00|"; distance:1; content:"dropDatabase"; distance:12; reference:url,www.mongodb.com/; classtype:policy-violation; sid:43409; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"POLICY-OTHER MongoDB query attempt"; flow:to_server,established; content:"|D4 07 00 00|"; depth:4; offset:12; reference:url,www.mongodb.com/; classtype:attempted-user; sid:43408; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"POLICY-OTHER MongoDB insert document attempt"; flow:to_server,established; content:"|D2 07 00 00|"; depth:4; offset:12; reference:url,www.mongodb.com/; classtype:attempted-user; sid:43407; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"POLICY-OTHER TOR Project domain request"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|torproject"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:43350; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Microsoft Browser iframe local file load attempt"; flow:to_server,established; file_data; content:"iframe"; content:"file://"; within:75; content:":|5C|"; within:25; content:"/iframe"; distance:0; metadata:service smtp; reference:cve,2017-8529; classtype:attempted-recon; sid:43162; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Microsoft Browser iframe local file load attempt"; flow:to_client,established; file_data; content:"iframe"; content:"file://"; within:75; content:":|5C|"; within:25; content:"/iframe"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-8529; classtype:attempted-recon; sid:43161; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt"; flow:to_server,established; content:"|62 FF FF FF|"; depth:4; content:"|1C|Find|20|Node|00|ASP"; within:14; distance:16; nocase; reference:cve,2012-3792; classtype:misc-activity; sid:43146; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt"; flow:to_server; content:"|62 FF FF FF|"; depth:4; content:"|1C|Find|20|Node|00|ASP"; within:14; distance:16; nocase; reference:cve,2012-3792; classtype:misc-activity; sid:43145; rev:1;)
# alert udp $EXTERNAL_NET 8003 -> $HOME_NET 8001 (msg:"POLICY-OTHER Beck IPC network configuration overwrite attempt"; flow:to_server; content:"|3A|"; depth:1; offset:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|20|"; within:1; distance:2; content:"|20|"; distance:0; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"|20|"; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"|20|"; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; pcre:"/^[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\s.*?\s.*?\s.*?\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i"; reference:url,attack.mitre.org/techniques/T1077; reference:url,beck-ipc.com/; classtype:misc-activity; sid:43128; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 8003 (msg:"POLICY-OTHER Beck IPC network configuration enumeration attempt"; flow:to_server; content:"|20|"; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"."; within:3; distance:1; content:"|20|"; distance:0; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; content:"|3A|"; within:1; distance:2; pcre:"/^(.*?\s){2}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(.*?\s){7}[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}\x3a[a-f0-9]{2}/i"; reference:url,attack.mitre.org/techniques/T1077; reference:url,attack.mitre.org/techniques/T1135; reference:url,beck-ipc.com/; classtype:attempted-recon; sid:43127; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Adobe Acrobat cloud file undocumented function use"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Collab.shareFile"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3043; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42968; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Adobe Acrobat cloud file undocumented function use"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Collab.shareFile"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3043; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42967; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected"; flow:to_server,established; content:"download.conf"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2017-11587; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44004; rev:2;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"POLICY-OTHER vsFTPd denial of service attempt"; flow:to_client,established; content:"|28|vsFTPd 1.2.1|29|"; fast_pattern:only; metadata:service ftp; reference:cve,2004-2259; classtype:attempted-dos; sid:44324; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8089 (msg:"POLICY-OTHER SCADA Engine BACnet OPC Server untrusted SQL query execution attempt"; flow:to_server,established; content:"cbms.bacnet.opc.server"; fast_pattern:only; content:"<nsopc:request"; nocase; content:"0A000000"; distance:0; nocase; pcre:"/<nsopc:request[^>]*?>\s*?0A000000/i"; metadata:ruleset limited, service http; classtype:policy-violation; sid:35887; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25922 (msg:"POLICY-OTHER Kaskad SCADA default username and password attempt"; flow:to_server,established; content:"955A8DBA810FC284E04B8E49ACF2AE855D61C136AF01"; fast_pattern:only; metadata:ruleset limited; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:35886; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|NT LM 0."; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44489; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|LANMAN2.1"; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44488; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|LM1.2X002"; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44487; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|Windows for Workgroups 3.1a"; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44486; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|LANMAN1.0"; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44485; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER SMBv1 protocol detection attempt"; flow:to_server,established; file_data; content:"|FF|SMB|72 00 00 00 00|"; content:"|02|PC NETWORK PROGRAM 1.0"; distance:0; nocase; metadata:service netbios-ssn; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb1.rb; classtype:policy-violation; sid:44484; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"POLICY-OTHER EMC Autostart default domain login attempt"; flow:to_server,established; content:"|31 00 00 00|"; content:"|00 00 00 63 00 00 00 01|"; within:8; distance:8; content:"|31 00 00 00|"; within:4; distance:4; content:"eas550"; within:6; distance:64; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:44623; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 (msg:"POLICY-OTHER SERVER-WEBAPP Symantec Endpoint Protection Manager authentication lock bypass attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; fast_pattern:only; http_uri; content:"ActionType=Login"; http_uri; content:"VerifyPasswordOnly=True"; http_uri; content:"Password="; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3648; classtype:attempted-admin; sid:44641; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER WPA2 key reuse tool attempt"; flow:to_client,established; file_data; content:"Dot11"; content:"RadioTap"; content:"FCfield"; content:"L2Socket"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-13077; reference:cve,2017-13078; reference:cve,2017-13079; reference:cve,2017-13080; reference:cve,2017-13081; reference:cve,2017-13082; reference:cve,2017-13084; reference:cve,2017-13086; reference:cve,2017-13087; reference:cve,2017-13088; reference:url,papers.mathyvanhoef.com/ccs2017.pdf; classtype:attempted-user; sid:44640; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Inedo BuildMaster web server login with default credentials attempt"; flow:to_server,established; content:"/0x44/BuildMaster.Web.WebApplication/Inedo.BuildMaster.Web.WebApplication.Pages.LogInPage/LogIn"; http_uri; content:"userName=Admin"; http_client_body; content:"password=Admin"; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/buildmaster_login.rb; classtype:policy-violation; sid:44702; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER NetSupport Manager RAT outbound connection detected"; flow:to_server,established; content:"User-Agent|3A| NetSupport Manager/"; fast_pattern:only; content:"CMD="; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/b87ef28981defd135496e25233cc7a47a376a75ddea97fcd4c0927995dd22e47/detection; classtype:trojan-activity; sid:44678; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.zip; content:"|9A 56 03 D2 8A A9 2D 15 50 6D D3 B4 87 E0 5C C0 9B 63 A7 B1 53 D2 7F 3F 27 4E F9 10 74 9D 1F AC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:44706; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.zip; content:"|49 D3 21 71 26 C0 43 1F 8D 7D 00 A5 B2 E4 5A 72 43 FA F5 15 96 71 60 20 4D FD 60 D8 95 CE 6A F7|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:44705; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.zip; content:"|9A 56 03 D2 8A A9 2D 15 50 6D D3 B4 87 E0 5C C0 9B 63 A7 B1 53 D2 7F 3F 27 4E F9 10 74 9D 1F AC|"; fast_pattern:only; metadata:service smtp; classtype:policy-violation; sid:44704; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.zip; content:"|49 D3 21 71 26 C0 43 1F 8D 7D 00 A5 B2 E4 5A 72 43 FA F5 15 96 71 60 20 4D FD 60 D8 95 CE 6A F7|"; fast_pattern:only; metadata:service smtp; classtype:policy-violation; sid:44703; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"POLICY-OTHER RPC Portmapper getstat request attempt"; flow:to_server,no_stream; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 00 00 04 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:36; offset:4; detection_filter:track by_src,count 10,seconds 1; metadata:service sunrpc; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:denial-of-service; sid:45166; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"POLICY-OTHER RPC Portmapper version 2 dump request attempt"; flow:to_server,no_stream; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:36; offset:4; detection_filter:track by_src,count 10,seconds 1; metadata:service sunrpc; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:denial-of-service; sid:45165; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"POLICY-OTHER RPC Portmapper version 3 dump request attempt"; flow:to_server,no_stream; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 00 00 03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:36; offset:4; detection_filter:track by_src,count 10,seconds 1; metadata:service sunrpc; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:denial-of-service; sid:45164; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"POLICY-OTHER ZyXEL PK5001Z modem hardcoded admin password telnet login attempt"; flow:to_server,established; content:"admin|0D 0A|"; content:"QwestM0dem|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2016-10401; reference:url,www.zyxel.com/support/ci_general_20171211_957093.shtml; classtype:attempted-admin; sid:45245; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"POLICY-OTHER ZyXEL PK5001Z modem hardcoded root password telnet login attempt"; flow:to_server,established; content:"su|0D 0A|"; content:"zyad5001|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2016-10401; reference:url,www.zyxel.com/support/ci_general_20171211_957093.shtml; classtype:attempted-admin; sid:45244; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"POLICY-OTHER ZyXEL PK5001Z modem hardcoded admin password telnet login attempt"; flow:to_server,established; content:"admin|0D 0A|"; content:"CenturyL1nk|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2016-10401; reference:url,www.zyxel.com/support/ci_general_20171211_957093.shtml; classtype:attempted-admin; sid:45243; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Vicon Security and Infinova IP cameras IP filer state change"; flow:to_server,established; content:"/form/formChangeFirewallState"; fast_pattern:only; http_uri; content:"state="; http_client_body; metadata:service http; reference:url,github.com/mcw0/PoC#infinova-rce-authenticated; classtype:web-application-attack; sid:45311; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER CoinHive Miner client detected"; flow:to_client,established; file_data; content:".getHashesPerSecond|28|"; nocase; content:".getTotalHashes|28|"; nocase; content:".getAcceptedHashes|28|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,coinhive.com/documentation/miner; classtype:policy-violation; sid:45268; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER CoinHive Miner Javascript library download detected"; flow:to_client,established; file_data; content:"Miner.prototype.getHashesPerSecond"; nocase; content:"Miner.prototype.getTotalHashes"; fast_pattern:only; content:"Miner.prototype.isMobile"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,coinhive.com/documentation/miner; classtype:policy-violation; sid:45267; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER CoinHive Miner client detected"; flow:to_client,established; file_data; content:"new CoinHive.User"; fast_pattern:only; content:".start|28|"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,coinhive.com/documentation/miner; classtype:policy-violation; sid:45266; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER cryptomining javascript client detected"; flow:to_client,established; file_data; content:".Anonymous|28|"; nocase; content:".start|28|"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,coinhive.com/documentation/miner; reference:url,coinimp.com/documentation; classtype:policy-violation; sid:45265; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3333 (msg:"POLICY-OTHER Stratum mining protocol outbound connection attempt"; flow:to_server,established; content:"{|22|method|22|:"; depth:10; fast_pattern; content:"|22|login|22|"; within:300; content:"|22|params|22|"; within:300; content:"{|22|login|22|"; within:300; content:"|22|pass|22|"; within:300; content:"|22|agent|22|"; within:300; reference:url,virustotal.com/file/c3ef8a6eb848c99b8239af46b46376193388c6e5fe55980d00f65818dba0b047/analysis/; classtype:policy-violation; sid:45417; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER TrendMicro ServerProtect server configuration file download detected"; flow:to_server,established; content:"/activeupdate/ini_xml.zip"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2017-9035; reference:url,www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities; classtype:attempted-recon; sid:45411; rev:1;)
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"POLICY-OTHER Remote Desktop weak 40-bit RC4 encryption use attempt"; flow:to_client,established; content:"|02 0C|"; content:"|01 00 00 00 01 00 00 00 20 00 00 00|"; within:12; distance:2; content:"|01 00 00 00 01 00 00 00 01 00 00 00 06 00|"; within:14; distance:36; metadata:policy max-detect-ips drop, service rdp; reference:url,attack.mitre.org/techniques/T1076; classtype:policy-violation; sid:45518; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Possible Cisco IOS upgrade attempt"; content:"CW_IMAGE"; fast_pattern:only; content:"CW_MEDIA"; content:"RAM"; within:20; content:"CW_SYSDESCR"; content:"Cisco"; within:20; metadata:service tftp; classtype:policy-violation; sid:45641; rev:1;)
# alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"POLICY-OTHER Possible Cisco IOS upgrade attempt"; flow:to_server,established; content:"CW_IMAGE"; fast_pattern:only; content:"CW_MEDIA"; content:"RAM"; within:20; content:"CW_SYSDESCR"; content:"Cisco"; within:20; classtype:policy-violation; sid:45640; rev:1;)
# alert tcp $SIP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"POLICY-OTHER Polycom VoIP config download attempt"; flow:to_client,established; file_data; content:"<APPLICATION APP_FILE_PATH"; fast_pattern:only; content:"CONFIG_FILES="; nocase; content:".cfg"; within:100; nocase; metadata:service http; reference:url,viproy.com/; classtype:attempted-user; sid:45770; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"POLICY-OTHER AutomationDirect Point Of View built-in function WebGetFile usage attempt"; flow:to_server,established; content:"|02|"; depth:1; content:"W|00|e|00|b|00|G|00|e|00|t|00|F|00|i|00|l|00|e|00|(|00|"; distance:0; content:"|03|"; distance:0; reference:url,automationdirect.com; classtype:attempted-user; sid:45759; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"POLICY-OTHER AutomationDirect Point Of View guest login attempt"; flow:to_server,established; content:"|02|"; depth:1; content:"G|00|u|00|e|00|s|00|t|00|"; distance:0; content:"c|00|7|00|2|00|e|00|4|00|9|00|7|00|4|00|2|00|b|00|2|00|0|00|b|00|3|00|6|00|7|00|2|00|4|00|8|00|2|00|f|00|7|00|0|00|c|00|1|00|7|00|f|00|9|00|5|00|9|00|0|00|2|00|"; within:64; distance:2; content:"|03|"; distance:0; reference:url,automationdirect.com; classtype:attempted-user; sid:45758; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Sandvine PacketLogic http redirection attempt"; flow:to_client,established; content:"Temporary Redirect"; fast_pattern:only; id:13330; fragbits:!MDR; flags:FA; content:"307"; depth:3; http_stat_code; content:"Temporary Redirect"; nocase; http_stat_msg; metadata:ruleset community, service http; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria; reference:url,github.com/citizenlab/badtraffic; classtype:misc-activity; sid:45983; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TP-Link device enable remote management attempt"; flow:to_server,established; file_data; content:"/userRpm/ManageControlRpm.htm"; http_uri; content:"ip="; http_uri; content:"Referer"; http_header; content:"Authorization"; http_header; metadata:service http; reference:url,trendnet.com/home; classtype:misc-activity; sid:46448; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TP-Link device reboot attempt"; flow:to_server,established; file_data; content:"/userRpm/SysRebootRpm.htm"; http_uri; content:"Reboot="; http_uri; content:"Referer"; http_header; content:"Authorization"; http_header; metadata:service http; reference:url,trendnet.com/home; classtype:misc-activity; sid:46447; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Arris VAP2500 default credentials authentication attempt"; flow:to_server,established; content:"/login.php"; http_uri; content:"user=SuperATT"; fast_pattern:only; content:"pwd="; pcre:"/pwd=DC(\x21|%21)94(\x40|%40)B3/i"; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:47070; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Magecart js page injection attempt"; flow:to_client,established; file_data; content:"Token"; nocase; content:"angularCdn"; within:100; nocase; content:"AngularPages"; within:500; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:47915; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Magecart js page injection attempt"; flow:to_client,established; file_data; content:"Angular"; nocase; content:"load"; within:50; nocase; content:"function()"; within:50; nocase; content:"angularPages"; within:500; fast_pattern; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:47914; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Magecart redirect page detected"; flow:to_client,established; file_data; content:"algularToken"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:47913; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER phpmyadmin external SQL query detected"; flow:to_server,established; content:"/import.php"; fast_pattern:only; http_uri; content:"sql_query"; nocase; http_client_body; pcre:"/sql(\x5f|%5f)query=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:service http; classtype:policy-violation; sid:47830; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7135 (msg:"POLICY-OTHER IntegraXor config change attempt"; flow:to_server,established; content:"{"; depth:1; content:"function_id"; distance:0; content:"parameters"; content:"prj_mSetting"; distance:0; reference:url,integraxor.com; classtype:policy-violation; sid:47455; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"POLICY-OTHER Oracle WebLogic T3 inbound connection detected"; flow:to_server,established; content:"t3"; depth:2; content:"AS|3A|"; content:"HL|3A|"; fast_pattern:only; content:"MS|3A|"; metadata:service http; classtype:policy-violation; sid:47413; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER cryptomining javascript client detected"; flow:to_client,established; file_data; content:".Token|28|"; nocase; content:".start|28|"; within:1000; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,coinhive.com/documentation/miner; reference:url,coinimp.com/documentation; classtype:policy-violation; sid:47253; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2638 (msg:"POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt"; flow:to_server,established; file_data; content:"|46 C2 72 2F 1E D0 77 3B E8 F7 05 A1 4B 03 32 E9 13 09 7F B9 7B 41 DF EF A0 38 02 9C 94 D3 08 78|"; offset:8; reference:cve,2016-8567; classtype:attempted-user; sid:47146; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Infrasightlabs vScopeServer admin user creation attempt"; flow:to_server,established; content:"/rest/usermanager/users"; fast_pattern:only; http_uri; content:"groupIds="; http_uri; content:"vscope-admins"; distance:0; http_uri; content:"|22|isNew|22|"; http_client_body; content:"true"; within:10; http_client_body; metadata:service http; reference:url,www.infrasightlabs.com; classtype:misc-activity; sid:48160; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER C-More Programming Simulator denial of service attempt"; flow:to_server,established; content:"|01 3C E8 03 06 95 F0 16 AF 1E 0D 06 82 C8 06 95 F0 16 AF 1E 0D 06 82 C8 06 95 F0 16 AF 1E 0D 06 82 C8|"; fast_pattern:only; isdataat:300; reference:url,support.automationdirect.com/products/cmore.html; classtype:attempted-dos; sid:48823; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1111 (msg:"POLICY-OTHER Linksys WAP610N command injection attempt"; flow:to_server,established; content:"system "; reference:url,www.exploit-db.com/exploits/16149; classtype:successful-admin; sid:49436; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt"; flow:to_server,established; content:"apply.cgi"; http_uri; content:"admin_password1"; http_client_body; content:"admPass2"; http_client_body; content:"remote_http_management_enable"; fast_pattern:only; http_client_body; metadata:service http; reference:url,support.dlink.com/ProductInfo.aspx?m=DIR-615; classtype:policy-violation; sid:49462; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt"; flow:to_server,established; content:"apply.cgi"; http_uri; content:"admin_password1"; http_uri; content:"admPass2"; http_uri; content:"remote_http_management_enable"; fast_pattern:only; http_uri; metadata:service http; reference:url,support.dlink.com/ProductInfo.aspx?m=DIR-615; classtype:policy-violation; sid:49461; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Thomson TWG850-4 unauthenticated backup download attempt"; flow:to_server,established; content:"/GatewaySettings.bin"; http_uri; metadata:service http; classtype:attempted-recon; sid:49506; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt"; flow:to_server,established; content:"swpsmtp_export_settings"; fast_pattern:only; http_client_body; metadata:service http; reference:url,plugins.trac.wordpress.org/changeset/2052058/easy-wp-smtp/trunk/easy-wp-smtp.php; classtype:policy-violation; sid:49543; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt"; flow:to_server,established; content:"swpsmtp_import_settings_file"; fast_pattern:only; http_client_body; content:"filename"; nocase; http_client_body; metadata:service http; reference:url,plugins.trac.wordpress.org/changeset/2052058/easy-wp-smtp/trunk/easy-wp-smtp.php; classtype:policy-violation; sid:49542; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt"; flow:to_server,established; content:"swpsmtp_action=view_log"; fast_pattern:only; http_uri; metadata:service http; reference:url,plugins.trac.wordpress.org/changeset/2052058/easy-wp-smtp/trunk/easy-wp-smtp.php; classtype:policy-violation; sid:49541; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"POLICY-OTHER Sagem Fast Router default credentials login attempt"; flow:to_server,established; content:"Menara"; fast_pattern; content:"Menara"; within:50; metadata:service telnet; classtype:default-login-attempt; sid:49521; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt"; flow:to_server,established; content:"/data/reboot.json"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2018-12694; reference:url,www.tp-link.com; classtype:policy-violation; sid:49860; rev:1;)


@@ -0,0 +1,100 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# POLICY-SOCIAL RULES
#---------------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-SOCIAL ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:541; rev:15;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"POLICY-SOCIAL ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; fast_pattern:only; content:"[ICQ User]"; metadata:ruleset community; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:13;)
# alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; metadata:ruleset community; classtype:policy-violation; sid:540; rev:17;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1986; rev:12;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1988; rev:11;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1989; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; metadata:ruleset community; classtype:policy-violation; sid:1990; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC nick change"; flow:to_server,established; dsize:<140; content:"NICK "; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:542; rev:20;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC SEND"; distance:0; fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1639; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC CHAT chat"; distance:0; fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1640; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC channel join"; flow:to_server,established; dsize:<140; content:"JOIN "; pcre:"/(&|#|\+|!)/R"; metadata:ruleset community; classtype:policy-violation; sid:1729; rev:15;)
# alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC message"; flow:established; dsize:<140; content:"PRIVMSG "; metadata:ruleset community; classtype:policy-violation; sid:1463; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC dns request"; flow:to_server,established; content:"USERHOST "; metadata:ruleset community; classtype:policy-violation; sid:1789; rev:12;)
# alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"POLICY-SOCIAL IRC dns response"; flow:to_client,established; content:"|3A|"; content:" 302 "; content:"=+"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:1790; rev:11;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM successful logon"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2450; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM voicechat"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2451; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2452; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference invitation"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2453; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference logon success"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2454; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2455; rev:8;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2456; rev:9;)
# alert tcp any any <> any 5101 (msg:"POLICY-SOCIAL Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; metadata:ruleset community; classtype:policy-violation; sid:2457; rev:7;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM successful chat join"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2458; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2459; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"POLICY-SOCIAL Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; metadata:ruleset community; classtype:policy-violation; sid:2460; rev:9;)
# alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference watch"; flow:to_client,established; content:"|0D 00 05 00|"; depth:4; metadata:ruleset community; classtype:policy-violation; sid:2461; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"POLICY-SOCIAL Yahoo Messenger File Transfer Initiation Request"; flow:established; content:"/notifyft"; depth:14; nocase; content:"Host|3A| filetransfer.msg.yahoo.com"; nocase; classtype:policy-violation; sid:3692; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo Messenger Message"; flow:established; content:"YMSG"; depth:4; content:"|00 06|"; depth:2; offset:10; classtype:policy-violation; sid:3691; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC channel notice"; flow:to_server,established; content:"NOTICE "; classtype:policy-violation; sid:6182; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"POLICY-SOCIAL jabber file transfer request"; flow:established,to_server; content:"xmlns="; nocase; content:"jabber.org/protocol"; distance:0; nocase; content:"file-transfer"; distance:0; nocase; reference:url,www.jabber.org/jeps/jep-0096.html; reference:url,www.xmpp.org; classtype:policy-violation; sid:6468; rev:5;)
# alert udp any 1025: -> any 1025: (msg:"POLICY-SOCIAL Microsoft Live chat video feed initiation"; content:"H|00 00 00 00 00 00 00 00 00|"; fast_pattern:only; dsize:10; reference:url,ml20rc.msnfanatic.com/vc_1_1/; classtype:policy-violation; sid:12457; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SOCIAL ebuddy.com login attempt"; flow:established,to_client; content:"Set-Cookie|3A| network="; nocase; http_header; content:"Domain=.ebuddy.com"; fast_pattern:only; metadata:service http; reference:url,www.ebuddy.com; classtype:policy-violation; sid:12611; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"POLICY-SOCIAL jabber traffic detected"; flow:established,to_server; content:"jabber|3A|client"; fast_pattern:only; reference:url,www.xmpp.org; classtype:policy-violation; sid:6467; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; metadata:ruleset community; classtype:policy-violation; sid:1991; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo messenger http link transmission attempt"; flow:to_client,established; content:"YMSG"; depth:4; content:"|00 06|"; within:2; distance:6; content:"http|3A|//"; distance:0; pcre:"/http\x3A\x2F\x2F[^\s]/"; reference:url,en.wikipedia.org/wiki/Yahoo!_Messenger#Malware; classtype:trojan-activity; sid:15183; rev:5;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN messenger http link transmission attempt"; flow:to_client,established; content:"MSG"; depth:3; content:"http|3A|//"; distance:0; nocase; content:!"Post-URL|3A|http|3A 2F 2F|www.hotmail.com"; nocase; pcre:"/http\x3A\x2F\x2F[^\s]/i"; reference:url,en.wikipedia.org/wiki/MSN_Messenger#Malware; classtype:trojan-activity; sid:15184; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"POLICY-SOCIAL QQ protocol detected - version 2006"; content:"|02 0E|5|00|"; depth:4; reference:url,www.qq.com; classtype:policy-violation; sid:15292; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"POLICY-SOCIAL QQ protocol detected - version 2008"; content:"|02 12|Q|00|"; depth:4; reference:url,www.qq.com; classtype:policy-violation; sid:15293; rev:4;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-SOCIAL AIM server certificate for encrypted login"; flow:established,to_client; ssl_version:tls1.0; content:"0|16 06 03|U|04 03 13 0F|kdc.uas.aol.com"; fast_pattern:only; classtype:policy-violation; sid:15418; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo encrypted login attempt"; flow:to_client,established; ssl_version:tls1.0; content:"login.yahoo.com"; fast_pattern:only; classtype:policy-violation; sid:15569; rev:7;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-SOCIAL AIM encrypted login attempt"; flow:to_client,established; ssl_version:tls1.0; content:"kdc.uas.aol.com"; fast_pattern:only; classtype:policy-violation; sid:15568; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"POLICY-SOCIAL deny Gmail chat DNS request"; byte_test:1,!&,128,2; content:"|0B|chatenabled|04|mail|06|google|03|com"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:16443; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Microsoft MSN Messenger web login attempt"; flow:established,to_server; content:"/gateway/gateway.dll"; fast_pattern; nocase; http_uri; content:"Action=open"; nocase; http_uri; content:"messenger.hotmail.com"; nocase; http_uri; metadata:service http; reference:url,webmessenger.msn.com; classtype:policy-violation; sid:16525; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Yahoo Messenger web client activity"; flow:established,to_server; content:"wmsgr.account"; fast_pattern; nocase; http_uri; content:"Host|3A| webmessenger.yahoo.com"; nocase; metadata:service http; reference:url,messenger.yahoo.com; classtype:policy-violation; sid:15560; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Microsoft MSN Messenger web client activity"; flow:established,to_server; content:"/session/"; nocase; http_uri; content:"webmessenger.msn.com"; fast_pattern; nocase; http_header; metadata:service http; reference:url,webmessenger.msn.com; classtype:policy-violation; sid:15577; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL AOL Aimexpress web client login"; flow:established,to_server; content:"/aim/startSession"; fast_pattern; nocase; http_uri; content:"clientName=gromit"; nocase; http_uri; metadata:service http; reference:url,www.aim.com/aimexpress.adp/; classtype:policy-violation; sid:15561; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Microsoft MSN Messenger web client login"; flow:established,to_server; content:"login.srf"; nocase; http_uri; content:"ru=http|3A|/webmessenger.msn.com"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,webmessenger.msn.com; classtype:policy-violation; sid:15576; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL webshots desktop traffic"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"WebshotsNetClient"; fast_pattern:only; pcre:"/User-Agent\x3A[^\n\r]+WebshotsNetClient/smiH"; metadata:service http; reference:url,www.webshots.com; classtype:misc-activity; sid:6408; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 706 (msg:"POLICY-SOCIAL silc client outbound connection"; flow:to_server,established; content:"SILC"; pcre:"/SILC\x2d\d\x2e\d/smi"; reference:url,silcnet.org/docs/draft-riikonen-silc-spec-08.txt; classtype:policy-violation; sid:7031; rev:4;)
# alert tcp $EXTERNAL_NET 706 -> $HOME_NET any (msg:"POLICY-SOCIAL silc server response"; flow:to_client,established; content:"SILC"; pcre:"/SILC\x2d\d\x2e\d/smi"; content:"silc-server"; distance:0; reference:url,silcnet.org/docs/draft-riikonen-silc-spec-08.txt; classtype:policy-violation; sid:7030; rev:4;)
# alert tcp $EXTERNAL_NET 25999 -> $HOME_NET any (msg:"POLICY-SOCIAL Xfire login successful"; flow:established,to_client; content:"|82|"; depth:1; offset:2; content:"userid"; depth:6; offset:6; reference:url,www.fryx.ch/xfire/protocol.html; classtype:policy-violation; sid:8484; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25999 (msg:"POLICY-SOCIAL Xfire session initiated"; flow:established,to_server; content:"UA01"; depth:4; reference:url,www.fryx.ch/xfire/protocol.html; classtype:policy-violation; sid:8482; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25999 (msg:"POLICY-SOCIAL Xfire login attempted"; flow:established,to_server; content:"|01|"; depth:1; offset:2; content:"name"; depth:4; offset:6; reference:url,www.fryx.ch/xfire/protocol.html; classtype:policy-violation; sid:8483; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Google Webmail client chat applet"; flow:established,to_server; content:"POST"; nocase; content:"/mail/channel/bind"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:12391; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo Webmail client chat applet"; flow:established,to_server; content:"<Ymsg Command="; fast_pattern:only; classtype:policy-violation; sid:12390; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL AIM Express usage"; flow:to_server,established; content:"Host|3A| aimexpress.aol.com"; fast_pattern:only; metadata:service http; reference:url,www.aim.com/aimexpress.adp; classtype:policy-violation; sid:12686; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SOCIAL Habbo chat client successful login"; flow:to_client,established; file_data; content:"document.habboLoggedIn = true"; fast_pattern:only; metadata:service http; reference:url,www.habbo.com; classtype:policy-violation; sid:13863; rev:7;)
# alert tcp $EXTERNAL_NET 38101 -> $HOME_NET any (msg:"POLICY-SOCIAL Habbo chat client avatar control"; flow:to_client,established; content:"/flatctrl useradmin/"; fast_pattern:only; reference:url,www.habbo.com; classtype:policy-violation; sid:13861; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL XBOX avatar retrieval request"; flow:to_server,established; content:"/avatar/"; http_uri; content:"User-Agent|3A| Xbox Live Client/"; http_header; content:"Host|3A|avatar.xboxlive.com|0D 0A|"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:15172; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL XBOX Netflix client activity"; flow:to_server,established; content:"User-Agent|3A| NETFLIX360|0D 0A|"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:15170; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL XBOX Marketplace http request"; flow:to_server,established; content:"/global"; http_uri; content:"/marketplace"; http_uri; content:"User-Agent|3A| Xbox Live Client/"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:15171; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"POLICY-SOCIAL XBOX Live Kerberos authentication request"; flow:to_server; content:"Xbox Version="; fast_pattern:only; content:"PASSPORT.NET"; metadata:service kerberos; reference:url,attack.mitre.org/techniques/T1097; classtype:policy-violation; sid:15169; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Google Chat web client connection"; flow:established,to_server; content:"/talkgadget/popout"; nocase; http_uri; metadata:service http; classtype:policy-violation; sid:12303; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Yahoo Messenger web client connection"; flow:established,to_server; content:"/BootStrapper.swf"; nocase; http_uri; metadata:service http; classtype:policy-violation; sid:12305; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Habbo chat client item information download"; flow:to_server,established; content:"/gamedata/external?id=external_"; nocase; http_uri; metadata:service http; reference:url,www.habbo.com; classtype:policy-violation; sid:13862; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-SOCIAL Namazu incoming namazu.cgi access"; flow:to_server,established; content:"/namazu.cgi?"; nocase; http_uri; content:"query="; distance:0; nocase; http_uri; content:"submit=Search"; http_uri; metadata:service http; reference:url,www.namazu.org/doc/manual.html; classtype:web-application-activity; sid:5706; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL AOL Instant Messenger web client connection"; flow:established,to_server; content:"HostCheck.aspx"; fast_pattern; nocase; http_uri; content:"aimexpress.aol.com"; http_uri; pcre:"/Cookie\x3A.*s_sq=aolsnssignin/si"; metadata:service http; classtype:policy-violation; sid:12304; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Microsoft Messenger web client connection"; flow:established,to_server; content:"mainui.aspx"; fast_pattern; nocase; http_uri; content:"webmessenger"; nocase; metadata:service http; classtype:policy-violation; sid:12306; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Namazu outbound namazu.cgi access"; flow:to_server,established; content:"/namazu.cgi?"; nocase; http_uri; content:"query="; distance:0; nocase; http_uri; content:"submit=Search"; http_uri; metadata:service http; reference:url,www.namazu.org/doc/manual.html; classtype:web-application-activity; sid:5707; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Gizmo VOIP client start-up version check"; flow:established,to_server; content:"/dll/app?"; fast_pattern; nocase; http_uri; content:"class=DLL"; nocase; http_uri; content:"ApplicationID"; nocase; http_uri; content:"Gizmo"; nocase; http_uri; metadata:service http; reference:url,www.gizmoproject.com; classtype:policy-violation; sid:6406; rev:7;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-SOCIAL Apple Messages service server request attempt"; flow:to_client,established; ssl_state:server_hello; content:"|2A|.ess.apple.com"; fast_pattern:only; metadata:service ssl; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:23991; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-SOCIAL Apple Messages client side certificate request attempt"; flow:to_client,established; ssl_state:server_hello; content:"albert.apple.com"; fast_pattern:only; metadata:service ssl; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:23990; rev:1;)
# alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"POLICY-SOCIAL IRC G-line active"; flow:to_client,established; content:"ERROR :Closing Link:"; fast_pattern:only; content:"g-line"; nocase; metadata:service irc; reference:url,en.wikipedia.org/wiki/G-line#G-line; classtype:policy-violation; sid:25478; rev:3;)
# alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"POLICY-SOCIAL IRC K-line active"; flow:to_client,established; content:"ERROR :Closing Link:"; fast_pattern:only; content:"k-line"; nocase; metadata:service irc; reference:url,en.wikipedia.org/wiki/G-line#G-line; classtype:policy-violation; sid:25479; rev:3;)
alert tcp $EXTERNAL_NET [1863,3283,5060,5190,5220,5222,5269,5297,5298,5353,5678] -> $HOME_NET any (msg:"POLICY-SOCIAL multiple chat protocols link to local file attempt"; flow:to_client,established; content:"file:|2F 2F 5C 5C|"; fast_pattern:only; reference:cve,2013-6486; classtype:attempted-user; sid:28090; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1863,3283,5060,5190,5220,5222,5269,5297,5298,5353,5678] (msg:"POLICY-SOCIAL multiple chat protocols link to local file attempt"; flow:to_server,established; content:"file:|2F 2F 5C 5C|"; fast_pattern:only; reference:cve,2013-6486; classtype:attempted-user; sid:28089; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SOCIAL Pidgin MXIT emoticon integer overflow attempt"; flow:to_client,established; content:"Content-Disposition|3A 20|attachment|3B 20|filename|3D|"; fast_pattern:22,20; http_header; content:".mxf"; within:7; distance:3; http_header; file_data; content:"MXF"; depth:3; content:"|FF|"; within:2; distance:5; content:"|7D|"; within:10; distance:7; content:"PNG"; within:4; distance:4; metadata:service http; reference:cve,2013-6489; classtype:attempted-user; sid:28088; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SOCIAL AIM GoChat URL access attempt"; flow:to_client,established; file_data; content:"aim|3A|GoChat?"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22146; reference:cve,2007-0021; reference:url,projects.info-pull.com/moab/MOAB-20-01-2007.html; classtype:misc-attack; sid:10116; rev:11;)
# alert tcp $EXTERNAL_NET [6666:7000,50000] -> $HOME_NET any (msg:"POLICY-SOCIAL IRC server connection"; flow:to_client,established; dsize:<140; content:"NOTICE AUTH |3A 2A 2A 2A| Looking up your hostname..."; fast_pattern:only; metadata:service irc; classtype:policy-violation; sid:39995; rev:1;)


@@ -0,0 +1,273 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------
# POLICY-SPAM RULES
#-------------------
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server, established; file_data; content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/smi"; metadata:ruleset community, service smtp; reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SPAM local user attempted to fill out paypal phishing form"; flow:to_server,established; content:"POST"; http_method; content:"/logindo.php"; fast_pattern:only; http_uri; content:"partner="; nocase; http_client_body; content:"&login="; distance:0; nocase; http_client_body; content:"&user="; distance:0; nocase; http_client_body; content:"&pass="; distance:0; nocase; http_client_body; content:"&submit="; distance:0; nocase; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1192; classtype:suspicious-login; sid:21637; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM appledownload.com known spam email attempt"; flow:to_server, established; content:"appledownload.com"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.tuaw.com/2011/05/18/new-phishing-email-pretends-to-be-from-apples-online-store/; classtype:policy-violation; sid:19122; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM visiopharm-3d.eu known spam email attempt"; flow:to_server, established; content:" visiopharm-3d.eu"; nocase; metadata:service smtp; classtype:policy-violation; sid:19015; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM zueuz.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"zueuz.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18061; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM zeroprices.ru known spam email attempt"; flow:to_server, established; content:"zeroprices.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18060; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM yzugez.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"yzugez.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18059; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM yomy.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"yomy.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18058; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ymyuto.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"ymyuto.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18057; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ylum.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"ylum.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18056; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM yit.medicdrugsxor.ru known spam email attempt"; flow:to_server, established; content:"yit.medicdrugsxor.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18055; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ygy.onlinetommie54y.ru known spam email attempt"; flow:to_server, established; content:"ygy.onlinetommie54y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18054; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM xob.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"xob.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18053; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM www.visitcover.ru known spam email attempt"; flow:to_server, established; content:"www.visitcover.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18052; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM www.buhni.ru known spam email attempt"; flow:to_server, established; content:"www.buhni.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18051; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM world.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"world.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18050; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM word.onlinephilbert42f.ru known spam email attempt"; flow:to_server, established; content:"word.onlinephilbert42f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18049; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM was.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"was.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18048; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM voiceless.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"voiceless.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18047; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM via.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"via.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18046; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM variation.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"variation.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18045; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM uuji.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"uuji.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18044; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM utuqaj.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"utuqaj.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18043; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM upazo.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"upazo.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18042; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM unasu.medicdrugsxto.ru known spam email attempt"; flow:to_server, established; content:"unasu.medicdrugsxto.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18041; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM uielij.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"uielij.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18040; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM uf.drugslevy46b.ru known spam email attempt"; flow:to_server, established; content:"uf.drugslevy46b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18039; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM uboi.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"uboi.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18038; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tyqaja.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"tyqaja.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18037; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM twodays.ru known spam email attempt"; flow:to_server, established; content:"twodays.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18036; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM trusting-me.ru known spam email attempt"; flow:to_server, established; content:"trusting-me.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18035; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM trails.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"trails.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18034; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM to.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"to.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18033; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM the.onlineruggiero33q.ru known spam email attempt"; flow:to_server, established; content:"the.onlineruggiero33q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18032; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM the.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"the.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18031; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tanuen.dimedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"tanuen.dimedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18030; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabwebster77c.ru known spam email attempt"; flow:to_server, established; content:"tabwebster77c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18029; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tablangston19a.ru known spam email attempt"; flow:to_server, established; content:"tablangston19a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18028; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabgordan13n.ru known spam email attempt"; flow:to_server, established; content:"tabgordan13n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18027; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabdarin80s.ru known spam email attempt"; flow:to_server, established; content:"tabdarin80s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18026; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM sya.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"sya.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18025; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM store-softwarebuy-7.ru known spam email attempt"; flow:to_server, established; content:"store-softwarebuy-7.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18024; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM starring.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"starring.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18023; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM specialyou.ru known spam email attempt"; flow:to_server, established; content:"specialyou.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18022; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM software-buyshop-7.ru known spam email attempt"; flow:to_server, established; content:"software-buyshop-7.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18021; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ryhux.medicdrugsxpa.ru known spam email attempt"; flow:to_server, established; content:"ryhux.medicdrugsxpa.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18020; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ruuav.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"ruuav.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18019; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM riwaro.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"riwaro.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18018; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM right.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"right.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18017; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM returning.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"returning.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18016; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM research.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"research.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18015; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM reobaj.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"reobaj.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18014; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM records.onlinephilbert42f.ru known spam email attempt"; flow:to_server, established; content:"records.onlinephilbert42f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18013; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM recently.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"recently.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18012; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pillrolfe64l.ru known spam email attempt"; flow:to_server, established; content:"pillrolfe64l.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18011; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oxuc.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"oxuc.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18010; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ouu.almedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"ouu.almedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18009; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM orderbuzz.ru known spam email attempt"; flow:to_server, established; content:"orderbuzz.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18008; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM opy.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"opy.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18007; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM onotye.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"onotye.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18006; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oji.medicdrugsxto.ru known spam email attempt"; flow:to_server, established; content:"oji.medicdrugsxto.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18005; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oipek.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"oipek.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18004; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM of.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"of.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18003; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM of.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"of.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18002; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM of.onlinephilbert42f.ru known spam email attempt"; flow:to_server, established; content:"of.onlinephilbert42f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18001; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oeqio.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"oeqio.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18000; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oekaka.aimedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"oekaka.aimedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17999; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM odoog.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"odoog.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17998; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM odimys.medicdrugsxlb.ru known spam email attempt"; flow:to_server, established; content:"odimys.medicdrugsxlb.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17997; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM niqiv.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"niqiv.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17996; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM negotiations.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"negotiations.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17995; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM nazuwu.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"nazuwu.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17994; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM minionspre.ru known spam email attempt"; flow:to_server, established; content:"minionspre.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17993; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM medpenny17j.ru known spam email attempt"; flow:to_server, established; content:"medpenny17j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17992; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM masa.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"masa.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17991; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM manila.onlinephilbert42f.ru known spam email attempt"; flow:to_server, established; content:"manila.onlinephilbert42f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17990; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM lybah.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"lybah.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17989; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM koosaf.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"koosaf.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17988; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jyzyv.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"jyzyv.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17987; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jyn.medicdrugsxdl.ru known spam email attempt"; flow:to_server, established; content:"jyn.medicdrugsxdl.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17986; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM joseph.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"joseph.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17985; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM john.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"john.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17984; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jex.remedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"jex.remedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17983; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jael.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"jael.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17982; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jaecoh.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"jaecoh.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17981; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iyw.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"iyw.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17980; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iycyde.medicdrugsxco.ru known spam email attempt"; flow:to_server, established; content:"iycyde.medicdrugsxco.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17979; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iweqyz.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"iweqyz.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17978; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ive.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"ive.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17977; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM itaca.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"itaca.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17976; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM is.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"is.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17975; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iqor.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"iqor.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17974; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ipiig.drugslevy46b.ru known spam email attempt"; flow:to_server, established; content:"ipiig.drugslevy46b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17973; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM inunuw.medicdrugsxpo.ru known spam email attempt"; flow:to_server, established; content:"inunuw.medicdrugsxpo.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17972; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM intelpost.ru known spam email attempt"; flow:to_server, established; content:"intelpost.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17971; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM in.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"in.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17970; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iner.medicdrugsxdl.ru known spam email attempt"; flow:to_server, established; content:"iner.medicdrugsxdl.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17969; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iki.onlinetommie54y.ru known spam email attempt"; flow:to_server, established; content:"iki.onlinetommie54y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17968; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iiy.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"iiy.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17967; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM icysa.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"icysa.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17966; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM hyem.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"hyem.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17965; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM huhuh.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"huhuh.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17964; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM headtest.ru known spam email attempt"; flow:to_server, established; content:"headtest.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17963; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM have.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"have.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17962; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM has.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"has.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17961; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM gueepa.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"gueepa.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17960; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM goyry.ramedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"goyry.ramedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17959; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM generality.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"generality.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17958; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM food.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"food.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17957; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM fauxy.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"fauxy.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17956; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM fashionchannel.ru known spam email attempt"; flow:to_server, established; content:"fashionchannel.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17955; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM eyu.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"eyu.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17954; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM exa.drugslevy46b.ru known spam email attempt"; flow:to_server, established; content:"exa.drugslevy46b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17953; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erol.camedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"erol.camedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17952; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erectgodart30s.ru known spam email attempt"; flow:to_server, established; content:"erectgodart30s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17951; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM epeno.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"epeno.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17950; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM elik.drugslevy46b.ru known spam email attempt"; flow:to_server, established; content:"elik.drugslevy46b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17949; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM election.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"election.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17948; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM eka.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"eka.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17947; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ehyw.cumedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"ehyw.cumedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17946; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM egi.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"egi.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17945; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM eeez.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"eeez.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17944; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM eaihar.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"eaihar.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17943; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM dypoh.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"dypoh.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17942; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM dux.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"dux.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17941; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsgeorge65g.ru known spam email attempt"; flow:to_server, established; content:"drugsgeorge65g.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17940; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM divyo.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"divyo.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17939; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM direct.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"direct.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17938; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM diet.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"diet.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17937; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM delegate.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"delegate.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17936; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM deepcenter.ru known spam email attempt"; flow:to_server, established; content:"deepcenter.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17935; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM cyacaz.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"cyacaz.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17934; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM current.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"current.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17933; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM cswjlxey.ru known spam email attempt"; flow:to_server, established; content:"cswjlxey.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17932; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM compensate.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"compensate.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17931; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM classification.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"classification.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17930; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM chula.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"chula.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17929; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM chemist.onlineruggiero33q.ru known spam email attempt"; flow:to_server, established; content:"chemist.onlineruggiero33q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17928; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM cardinals.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"cardinals.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17927; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM by.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"by.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17926; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM back.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"back.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17925; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM azo.onlinetommie54y.ru known spam email attempt"; flow:to_server, established; content:"azo.onlinetommie54y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17924; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM axoseb.medicdrugsxck.ru known spam email attempt"; flow:to_server, established; content:"axoseb.medicdrugsxck.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17923; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ava.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"ava.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17922; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM argue.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"argue.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17921; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM aobuii.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"aobuii.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17920; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM akiq.onlinetommie54y.ru known spam email attempt"; flow:to_server, established; content:"akiq.onlinetommie54y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17919; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM aaof.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"aaof.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17918; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM signpearl.ru known spam email attempt"; flow:to_server, established; content:"signpearl.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17033; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM centtry.ru known spam email attempt"; flow:to_server, established; content:"centtry.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17032; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM fewvalley.ru known spam email attempt"; flow:to_server, established; content:"fewvalley.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17030; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tenderpower.ru known spam email attempt"; flow:to_server, established; content:"tenderpower.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17029; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM scoreenjoy.ru known spam email attempt"; flow:to_server, established; content:"scoreenjoy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17027; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM redlead.ru known spam email attempt"; flow:to_server, established; content:"redlead.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17026; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM thoughthese.ru known spam email attempt"; flow:to_server, established; content:"thoughthese.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17025; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM writeobject.ru known spam email attempt"; flow:to_server, established; content:"writeobject.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17024; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM hillfoot.ru known spam email attempt"; flow:to_server, established; content:"hillfoot.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17023; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM thatmile.ru known spam email attempt"; flow:to_server, established; content:"thatmile.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17022; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM nearpass.ru known spam email attempt"; flow:to_server, established; content:"nearpass.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17021; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM sheerwheel.ru known spam email attempt"; flow:to_server, established; content:"sheerwheel.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17020; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ensureequate.ru known spam email attempt"; flow:to_server, established; content:"ensureequate.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17018; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM beatmoon.ru known spam email attempt"; flow:to_server, established; content:"beatmoon.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17017; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM boxdouble.ru known spam email attempt"; flow:to_server, established; content:"boxdouble.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17016; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pamperletter.ru known spam email attempt"; flow:to_server, established; content:"pamperletter.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17015; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM rowsay.ru known spam email attempt"; flow:to_server, established; content:"rowsay.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17014; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM reapcomfy.ru known spam email attempt"; flow:to_server, established; content:"reapcomfy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17013; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oneus.ru known spam email attempt"; flow:to_server, established; content:"oneus.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17012; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM beginwisdom.ru known spam email attempt"; flow:to_server, established; content:"beginwisdom.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17011; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM starknow.ru known spam email attempt"; flow:to_server, established; content:"starknow.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17010; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM butleft.ru known spam email attempt"; flow:to_server, established; content:"butleft.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17009; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM hisoffer.ru known spam email attempt"; flow:to_server, established; content:"hisoffer.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17008; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pharmerastus.ru known spam email attempt"; flow:to_server, established; content:"pharmerastus.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17007; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM lovingover.ru known spam email attempt"; flow:to_server, established; content:"lovingover.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17006; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM paintwater.ru known spam email attempt"; flow:to_server, established; content:"paintwater.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17005; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 2047757.kaskad-travel.ru known spam email attempt"; flow:to_server, established; content:"2047757.kaskad-travel.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17004; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM younglaugh.ru known spam email attempt"; flow:to_server, established; content:"younglaugh.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17003; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM swellliquid.ru known spam email attempt"; flow:to_server, established; content:"swellliquid.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17002; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM dillonline.ru known spam email attempt"; flow:to_server, established; content:"dillonline.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17001; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ximenezdrug.ru known spam email attempt"; flow:to_server, established; content:"ximenezdrug.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17000; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jasemed.ru known spam email attempt"; flow:to_server, established; content:"jasemed.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16999; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsnevile.ru known spam email attempt"; flow:to_server, established; content:"drugsnevile.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16998; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM giacoporx.ru known spam email attempt"; flow:to_server, established; content:"giacoporx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16997; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM quincytab.ru known spam email attempt"; flow:to_server, established; content:"quincytab.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16996; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM miltyrefil.ru known spam email attempt"; flow:to_server, established; content:"miltyrefil.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16995; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM abletool.ru known spam email attempt"; flow:to_server, established; content:"abletool.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16994; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabwinn2a.ru known spam email attempt"; flow:to_server, established; content:"tabwinn2a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16993; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM liquideat.ru known spam email attempt"; flow:to_server, established; content:"liquideat.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16992; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM fruitone.ru known spam email attempt"; flow:to_server, established; content:"fruitone.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16991; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM nextmail.ru known spam email attempt"; flow:to_server, established; content:"nextmail.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16990; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabferd49a.ru known spam email attempt"; flow:to_server, established; content:"tabferd49a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16989; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM moderneight.ru known spam email attempt"; flow:to_server, established; content:"moderneight.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16988; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabemmerich86b.ru known spam email attempt"; flow:to_server, established; content:"tabemmerich86b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16987; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM extoleye.ru known spam email attempt"; flow:to_server, established; content:"extoleye.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16985; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM freshmuch.ru known spam email attempt"; flow:to_server, established; content:"freshmuch.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16984; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM heatsettle.ru known spam email attempt"; flow:to_server, established; content:"heatsettle.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16983; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 64.com1.ru known spam email attempt"; flow:to_server, established; content:"64.com1.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16982; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM livelycall.ru known spam email attempt"; flow:to_server, established; content:"livelycall.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16981; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM stillvisit.ru known spam email attempt"; flow:to_server, established; content:"stillvisit.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16980; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM solvecalm.ru known spam email attempt"; flow:to_server, established; content:"solvecalm.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16979; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM outhave.ru known spam email attempt"; flow:to_server, established; content:"outhave.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16978; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM energypotent.ru known spam email attempt"; flow:to_server, established; content:"energypotent.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16977; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM logzest.ru known spam email attempt"; flow:to_server, established; content:"logzest.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16976; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oldsheer.ru known spam email attempt"; flow:to_server, established; content:"oldsheer.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16975; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM numberenough.ru known spam email attempt"; flow:to_server, established; content:"numberenough.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16974; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM milklowly.ru known spam email attempt"; flow:to_server, established; content:"milklowly.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16973; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsrey95a.ru known spam email attempt"; flow:to_server, established; content:"drugsrey95a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16972; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM mystick.ru known spam email attempt"; flow:to_server, established; content:"mystick.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16971; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsmayne5a.ru known spam email attempt"; flow:to_server, established; content:"drugsmayne5a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16970; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM steadfig.ru known spam email attempt"; flow:to_server, established; content:"steadfig.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16969; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM bassmax.ru known spam email attempt"; flow:to_server, established; content:"bassmax.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16968; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM wereif.ru known spam email attempt"; flow:to_server, established; content:"wereif.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16967; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM thingpath.ru known spam email attempt"; flow:to_server, established; content:"thingpath.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16966; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM givehome.ru known spam email attempt"; flow:to_server, established; content:"givehome.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16965; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM smellexact.ru known spam email attempt"; flow:to_server, established; content:"smellexact.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16964; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erecttaylor49i.ru known spam email attempt"; flow:to_server, established; content:"erecttaylor49i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16963; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM onlinelovell30p.ru known spam email attempt"; flow:to_server, established; content:"onlinelovell30p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16962; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsdemott21o.ru known spam email attempt"; flow:to_server, established; content:"drugsdemott21o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16961; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erectvincent21v.ru known spam email attempt"; flow:to_server, established; content:"erectvincent21v.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16960; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM medforster79j.ru known spam email attempt"; flow:to_server, established; content:"medforster79j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16959; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tablennard88q.ru known spam email attempt"; flow:to_server, established; content:"tablennard88q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16958; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabmario94r.ru known spam email attempt"; flow:to_server, established; content:"tabmario94r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16957; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM medebeneser68c.ru known spam email attempt"; flow:to_server, established; content:"medebeneser68c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16956; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugspenn84f.ru known spam email attempt"; flow:to_server, established; content:"drugspenn84f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16955; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pillgaylor21n.ru known spam email attempt"; flow:to_server, established; content:"pillgaylor21n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16954; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM medgaultiero11e.ru known spam email attempt"; flow:to_server, established; content:"medgaultiero11e.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16953; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pharmharman55y.ru known spam email attempt"; flow:to_server, established; content:"pharmharman55y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16952; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsjudd45f.ru known spam email attempt"; flow:to_server, established; content:"drugsjudd45f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16951; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabscotti71i.ru known spam email attempt"; flow:to_server, established; content:"tabscotti71i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16950; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erectnormie71a.ru known spam email attempt"; flow:to_server, established; content:"erectnormie71a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16949; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM onlineheindrick60i.ru known spam email attempt"; flow:to_server, established; content:"onlineheindrick60i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16948; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pharmrolland95h.ru known spam email attempt"; flow:to_server, established; content:"pharmrolland95h.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16947; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pillrenault15j.ru known spam email attempt"; flow:to_server, established; content:"pillrenault15j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16946; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabwinn77t.ru known spam email attempt"; flow:to_server, established; content:"tabwinn77t.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16945; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pilldory92n.ru known spam email attempt"; flow:to_server, established; content:"pilldory92n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16944; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erectguthry99c.ru known spam email attempt"; flow:to_server, established; content:"erectguthry99c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16943; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugshayyim77n.ru known spam email attempt"; flow:to_server, established; content:"drugshayyim77n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16942; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugshershel38w.ru known spam email attempt"; flow:to_server, established; content:"drugshershel38w.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16941; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM medfreddie55a.ru known spam email attempt"; flow:to_server, established; content:"medfreddie55a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16940; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM refillleonardo59y.ru known spam email attempt"; flow:to_server, established; content:"refillleonardo59y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16939; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pharmrik66y.ru known spam email attempt"; flow:to_server, established; content:"pharmrik66y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16938; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM bestdrug-store.com known spam email attempt"; flow:to_server, established; content:"bestdrug-store.com"; nocase; metadata:service smtp; classtype:policy-violation; sid:16937; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM xoposuhop.cn xoposuhop.cn known spam email attempt"; flow:to_server, established; content:"xoposuhop.cn"; nocase; metadata:service smtp; classtype:policy-violation; sid:16936; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM sjtu-edp.cn known spam email attempt"; flow:to_server, established; content:"sjtu-edp.cn"; nocase; metadata:service smtp; classtype:policy-violation; sid:16935; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pku-edp.cn known spam email attempt"; flow:to_server, established; content:"pku-edp.cn"; nocase; metadata:service smtp; classtype:policy-violation; sid:16934; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SPAM FedEX spam campaign outbound connection"; flow:to_server,established; content:"/main.php?label="; nocase; http_uri; content:"= HTTP/"; metadata:impact_flag red, service http; classtype:trojan-activity; sid:27604; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same"; flow:to_client,established; content:"statement"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}statement[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29399; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same"; flow:to_client,established; content:"voicemail"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}voicemail[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29398; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same"; flow:to_client,established; content:"Shipping"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}shipping[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29397; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same"; flow:to_client,established; content:"Receipt"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}receipt[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29396; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt"; flow:to_server,established; file_data; content:"@font-face"; nocase; content:"url|28|"; within:500; nocase; content:"data:application/font-woff"; within:50; content:"base64"; within:100; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1192; classtype:policy-violation; sid:48895; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt"; flow:to_client,established; file_data; content:"@font-face"; nocase; content:"url|28|"; within:500; nocase; content:"data:application/font-woff"; within:50; content:"base64"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1192; classtype:policy-violation; sid:48894; rev:2;)

21
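--- a/docker/etc/rules/policy.rules
+++ b/docker/etc/rules/policy.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#--------------
+# POLICY RULES
+#--------------
+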
21
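--- a/docker/etc/rules/pop2.rules
+++ b/docker/etc/rules/pop2.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#------------
+# POP2 RULES
+#------------
+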
21
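--- a/docker/etc/rules/pop3.rules
+++ b/docker/etc/rules/pop3.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#------------
+# POP3 RULES
+#------------
+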

@@ -0,0 +1,88 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# PROTOCOL-DNS RULES
#--------------------
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS root query traffic amplification attempt"; flow:to_server,no_stream; content:"|00 01|"; depth:2; offset:4; content:"|00 00 02 00 01|"; within:5; distance:6; detection_filter:track by_src, count 5, seconds 30; metadata:service dns; reference:url,isc.sans.org/diary.html?storyid=5713; classtype:misc-activity; sid:15259; rev:6;)
# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS DNS root query response traffic amplification attempt"; flow:to_client,no_stream; content:"|00 01|"; depth:2; offset:4; content:"|00 00 02 00 01|"; within:5; distance:6; detection_filter:track by_dst, count 5, seconds 30; metadata:service dns; reference:url,isc.sans.org/diary.html?storyid=5713; classtype:misc-activity; sid:15260; rev:6;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNSSEC authority response record overflow attempt"; flow:to_client, established; content:"|84 23|"; depth:2; offset:4; byte_test:2,>,40,4,relative; metadata:service dns; reference:cve,2011-1910; classtype:denial-of-service; sid:19125; rev:4;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNSSEC authority response record overflow attempt"; flow:established,to_client; byte_test:1,&,128,4; byte_test:1,&,4,4; byte_test:1,&,2,5; byte_test:1,&,1,5; content:"|00 2E 00 01|"; fast_pattern; byte_test:2,>,512,4,big,relative; content:"|00 06 05|"; within:3; distance:6; metadata:policy max-detect-ips drop, service dns; reference:cve,2011-1910; classtype:denial-of-service; sid:21421; rev:7;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND NAPTR record regular expression handling denial of service attempt"; flow:to_client,established; byte_test:2,&,0x8000,4; content:"|00 FC 00 01|"; fast_pattern; content:"|00 06 00 01|"; within:4; distance:2; content:"|00 23 00 01|"; distance:0; byte_jump:1,10,relative; byte_jump:1,0,relative,post_offset 1; pcre:"/\x21[^\x21]+?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d/R"; metadata:service dns; reference:cve,2013-2266; reference:url,www.isc.org/software/bind/advisories/cve-2013-2266; classtype:attempted-dos; sid:26324; rev:5;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC libdns client NAPTR record regular expression handling denial of service attempt"; flow:to_client; byte_test:2,&,0x8000,2; content:"|00 23 00 01|"; fast_pattern; content:"|00 23 00 01|"; within:4; distance:2; byte_jump:1,10,relative; byte_jump:1,0,relative,post_offset 1; pcre:"/\x21[^\x21]+?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d/R"; metadata:service dns; reference:cve,2013-2266; reference:url,www.isc.org/software/bind/advisories/cve-2013-2266; classtype:attempted-dos; sid:26427; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|"; depth:8; offset:6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:23;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via UDP detected"; flow:to_server; content:"|00 01 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:16;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:bad-unknown; sid:253; rev:14;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|"; depth:4; offset:2; fast_pattern; byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|"; within:4; distance:4; content:"|C0 0C 00 01 00 01|"; distance:0; byte_test:4,<,61,0,relative,big; byte_test:4,>,0,0,relative,big; metadata:ruleset community, service dns; classtype:bad-unknown; sid:254; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; metadata:ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2922; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query overflow"; flow:to_server; isdataat:400; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:11;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; flow:to_client,no_stream; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; detection_filter:track by_src, count 1000, seconds 5; metadata:policy max-detect-ips drop, service dns; reference:cve,2008-1447; reference:cve,2009-0233; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13948; rev:13;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS single byte encoded name response"; byte_test:1, &, 128, 2; byte_test:2, >, 0, 4; byte_test:2, >, 0, 6; pcre:"/^.{12}(\x01.){20}/"; metadata:service dns; reference:cve,2004-0444; classtype:misc-attack; sid:14777; rev:4;)
# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS dns response for rfc1918 192.168/16 address detected"; flow:to_client; content:"|00 01 00 01|"; content:"|00 04 C0 A8|"; within:4; distance:4; fast_pattern; metadata:service dns; reference:url,www.faqs.org/rfcs/rfc1918.html; classtype:policy-violation; sid:15935; rev:6;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt"; flow:to_client; byte_test:1,&,0x80,2; byte_test:2,!&,0x7a0f,2; content:"|00|"; offset:12; content:"|00 0C 00 01|"; within:4; content:"|00 0C 00 01|"; distance:2; byte_test:2,>,98,4,relative,big; metadata:service dns; reference:bugtraq,37733; reference:cve,2010-0072; reference:cve,2017-14491; classtype:attempted-admin; sid:20242; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS excessive queries of type ANY - potential DoS"; flow:stateless,no_stream; content:"|00 01|"; depth:2; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01|"; fast_pattern:only; detection_filter:track by_src, count 30, seconds 30; metadata:service dns; reference:url,foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/; classtype:attempted-dos; sid:21817; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dead alive6 DNS attempt"; content:"|DE AD|"; depth:2; metadata:service dns; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24304; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"PROTOCOL-DNS IPv6 host name enumeration"; flow:to_server,no_stream; byte_test:1,!&,0xF8,2; content:"|00 00 1C 00 01|"; offset:12; detection_filter:track by_src, count 40, seconds 1; metadata:service dns; reference:url,thc.org/thc-ipv6/; classtype:attempted-recon; sid:27938; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS Malformed DNS query with HTTP content"; flow:to_server; content:"|54 20|"; fast_pattern:only; content:"GET |2F| HTTP"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.ietf.org/rfc/rfc2616.txt; classtype:misc-activity; sid:28557; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; content:"|00 01|"; depth:2; offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; classtype:attempted-dos; sid:28556; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"PROTOCOL-DNS ISC libdns client NAPTR record regular expression handling denial of service attempt"; flow:stateless; byte_test:2,&,0x8000,2; content:"|00 23 00 01|"; fast_pattern; content:"|00 23 00 01|"; within:4; distance:2; byte_jump:1,10,relative; byte_jump:1,0,relative,post_offset 1; pcre:"/\x21[^\x21]+?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d[\x28\x29]*?\x7b[^\x7d\x21]+?\x7d/R"; metadata:service dns; reference:cve,2013-2266; reference:url,www.isc.org/software/bind/advisories/cve-2013-2266; classtype:attempted-dos; sid:29935; rev:1;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Microsoft SMTP excessive answer records buffer overflow attempt"; flow:to_client,established; byte_test:1,&,0x01,4; byte_test:2,>=,100,8; content:"|00 01 00 01|"; fast_pattern:only; metadata:service dns; reference:cve,2004-0840; classtype:attempted-user; sid:32959; rev:1;)
# alert udp $HOME_NET 53 -> any any (msg:"PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt"; flow:to_client,no_stream; byte_test:2,&,0x8080,2; content:"|00 01 C0 0C 00 02 00 01|"; offset:20; detection_filter:track by_dst, count 75, seconds 20; metadata:service dns; reference:cve,2014-8500; reference:url,www.kb.cert.org/vuls/id/264212; classtype:attempted-dos; sid:33583; rev:5;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Exim DKIM decoding buffer overflow attempt"; flow:to_client,established; byte_test:1,>,0x80,4; content:"|00 01 00 01|"; depth:4; offset:6; content:"_domainkey"; distance:4; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01|"; within:4; distance:2; byte_test:2,>,4096,4,relative; metadata:policy max-detect-ips drop, service dns; reference:cve,2012-5671; classtype:attempted-admin; sid:25333; rev:7;)
# alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"PROTOCOL-DNS Tftpd32 DNS server denial of service attempt"; flow:to_server; content:"|00 00 00 00 00 00|"; depth:12; offset:6; byte_test:1,>,0x7f,12; byte_test:1,<,0xc0,12; metadata:policy max-detect-ips drop, service dns; classtype:denial-of-service; sid:23368; rev:7;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS Symantec Gateway products DNS cache poisoning attempt"; flow:to_client; content:"|C8 C8 C8 C8|"; fast_pattern; content:"|00 02 00 01|"; within:10; distance:2; content:"fake"; within:20; distance:7; metadata:policy max-detect-ips drop, service dns; reference:cve,2004-1754; reference:cve,2005-0817; classtype:misc-attack; sid:17485; rev:9;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS squid proxy dns PTR record response denial of service attempt"; flow:to_client; content:"|00 0C 00 01|"; content:"|00 0C 00 01|"; within:4; distance:2; content:"|00 01 00|"; within:3; distance:4; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,12551; reference:cve,2005-0446; classtype:attempted-dos; sid:17484; rev:10;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS squid proxy dns A record response denial of service attempt"; flow:to_client; content:"|00 01 00 01|"; content:"|00 01 00 01|"; within:4; distance:2; isdataat:6,relative; content:!"|00 04|"; within:2; distance:4; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,12551; reference:cve,2005-0446; classtype:attempted-dos; sid:17483; rev:9;)
# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected"; flow:to_client; content:"|00 01 00 01|"; content:"|00 04 AC|"; within:3; distance:4; fast_pattern; byte_test:1,>,15,0,relative; byte_test:1,<,32,0,relative; metadata:service dns; reference:url,www.faqs.org/rfcs/rfc1918.html; classtype:policy-violation; sid:15934; rev:11;)
# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers"; flow:to_client,no_stream; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; detection_filter:track by_dst, count 1000, seconds 5; metadata:policy max-detect-ips drop, service dns; reference:cve,2008-1447; reference:cve,2009-0233; reference:cve,2012-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-017; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13949; rev:17;)
# alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS dns response for rfc1918 10/8 address detected"; flow:to_client; content:"|00 01 00 01|"; content:"|00 04 0A|"; within:3; distance:4; fast_pattern; metadata:policy max-detect-ips drop, service dns; reference:url,www.faqs.org/rfcs/rfc1918.html; classtype:policy-violation; sid:13249; rev:14;)
# alert udp $DNS_SERVERS 53 -> $EXTERNAL_NET any (msg:"PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness"; flow:to_client,no_stream; content:"|03|www|03|exa|03|dpn"; byte_test:1,&,2,3; byte_test:1,&,1,3; detection_filter:track by_src, count 20, seconds 20; metadata:policy max-detect-ips drop, service dns; reference:cve,2009-0234; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-008; classtype:misc-activity; sid:17696; rev:9;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt"; flow:to_client; byte_test:1, &, 0x80,2; content:"|C0 0C 00 30 00 01|"; content:"|02|"; within:1; distance:9; metadata:policy max-detect-ips drop, service dns; reference:cve,2015-5722; reference:url,www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bind-to-exit-due-to-a-failed-assertion-in-buffer-c/; classtype:attempted-dos; sid:36055; rev:3;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt"; flow:to_client; byte_test:1, &, 0x80,2; content:"|00 3D 00 01|"; content:"|00 00|"; within:2; distance:4; metadata:policy max-detect-ips drop, service dns; reference:cve,2015-5986; reference:url,www.isc.org/blogs/cve-2015-5986-an-incorrect-boundary-check-can-trigger-a-require-assertion-failure-in-openpgpkey_61-c/; classtype:attempted-dos; sid:36130; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS DNAME query detected - possible attack attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 27 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2015-6125; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-127; classtype:attempted-admin; sid:37015; rev:2;)
# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS glibc getaddrinfo AAAA record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|"; depth:2; offset:4; content:"|00 00 1C 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37731; rev:5;)
# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS glibc getaddrinfo A record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|"; depth:2; offset:4; content:"|00 00 01 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37730; rev:5;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|90|"; within:1; distance:9; byte_test:2,>,0x270F,-4,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38284; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|84|"; within:1; distance:9; byte_test:2,>,0x270F,-4,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38283; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|00 02|"; within:2; distance:6; content:"|90|"; within:1; distance:1; byte_test:2,>,0x270F,16,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38282; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND totext_in_apl denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 2A 00 01|"; content:"|00 01|"; within:2; distance:6; content:"|84|"; within:1; distance:1; byte_test:2,>,0x270F,4,relative; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,81329; reference:cve,2015-8704; reference:url,kb.isc.org/article/AA-01335; classtype:attempted-dos; sid:38281; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TSIG query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|C0 0C 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39953; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TSIG query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|00 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39952; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|C0 0C 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39951; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|00 00 FA|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39950; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|00 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39949; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5353 (msg:"PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt"; flow:to_server,established; byte_test:1,!&,0x80,3; content:!"|00 00|"; depth:2; offset:11; content:"|C0 0C 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39948; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TKEY query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|C0 0C 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39947; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS TKEY query denial of service attempt"; flow:to_server; byte_test:1,!&,0x80,2; content:!"|00 00|"; depth:2; offset:10; content:"|00 00 F9|"; distance:0; content:!"|00|"; within:1; byte_jump:2,6,relative,big,post_offset -1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:bugtraq,77522; reference:cve,2015-5311; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-03/; classtype:attempted-dos; sid:39946; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS ISC BIND isc__buffer_add assertion failure denial of service attempt"; flow:to_server; dsize:>512; byte_test:1,!&,0xFE,2; content:!"|00 00|"; depth:2; offset:10; content:"|00 FA 00 FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2016-2776; reference:url,kb.isc.org/article/AA-01419/74/CVE-2016-2776; classtype:attempted-dos; sid:40344; rev:2;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND DNS duplicate cookie denial of service attempt"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 00 29|"; content:"|00 00|"; within:2; distance:2; content:"|00 0A|"; within:2; distance:4; byte_jump:2,0,relative; content:"|00 0A|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:cve,2016-2088; reference:url,kb.isc.org/article/AA-01351/0/CVE-2016-2088%3A-A-response-containing-multiple-DNS-cookies-causes-servers-with-cookie-support-enabled-to-exit-with-an-assertion-failure.html; classtype:attempted-dos; sid:40362; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server; content:"|01 00|"; depth:2; offset:2; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning; content:"|01 C0|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41905; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server; content:"|01 00|"; depth:2; offset:2; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning; content:"|01 01|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41904; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server,established; content:"|01 00|"; depth:2; offset:4; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning,post_offset 2; content:"|01 01|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41903; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS PowerDNS name compression pointer loop denial of service attempt"; flow:to_server,established; content:"|01 00|"; depth:2; offset:4; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"|00 05 00 01|"; fast_pattern; content:"|C0|"; within:1; distance:-6; byte_jump:1,0,relative,from_beginning,post_offset 2; content:"|01 C0|"; within:2; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,74306; reference:cve,2015-1868; reference:url,doc.powerdns.com/md/security/powerdns-advisory-2015-01/; classtype:attempted-dos; sid:41852; rev:2;)
# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS ISC BIND unexpected DNAME CNAME ordering denial of service attempt"; flow:to_client; content:"|85 00 00 01 00 03|"; depth:6; offset:2; content:"|00 00 01 00 01|"; within:100; content:"|00 27 00 01|"; within:4; distance:2; content:"|00 C0 0C 00 05 00 01|"; within:100; content:"|00 01 00 01|"; within:100; content:"|C0|"; within:1; distance:-6; metadata:service dns; reference:cve,2017-3137; reference:url,kb.isc.org/article/AA-01466; classtype:attempted-dos; sid:42458; rev:1;)
# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)
# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq overly large DNS query denial of service attempt"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; dsize:>512; metadata:service dns; reference:cve,2017-13704; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-dos; sid:44479; rev:2;)
# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt"; flow:to_server,no_stream; content:"|08 1B|"; depth:2; offset:2; fast_pattern; content:"|00 00 29|"; within:3; distance:8; detection_filter:track by_dst, count 50, seconds 1; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14495; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-dos; sid:44478; rev:3;)
# alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt"; flow:to_server; content:"|20 00 01|"; depth:3; offset:3; content:"|01 00 00 29 10|"; depth:5; offset:11; detection_filter:track by_dst, count 10, seconds 1; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14495; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-dos; sid:47881; rev:1;)


@@ -0,0 +1,35 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# PROTOCOL-FINGER RULES
#-----------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; metadata:ruleset community; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER version query"; flow:to_server,established; content:"version"; metadata:ruleset community; classtype:attempted-recon; sid:1541; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER . query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"|00|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15;)


@@ -0,0 +1,133 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# PROTOCOL-FTP RULES
#--------------------
# alert tcp $EXTERNAL_NET !80 -> $HOME_NET [1023:65535] (msg:"PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt"; flow:to_client,established; dsize:>512; content:"-rwxr-xr-x "; isdataat:512,relative; content:!"|0A|"; within:512; metadata:service ftp; reference:bugtraq,50614; reference:cve,2011-5164; classtype:attempted-user; sid:26471; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt"; flow:to_server,established; content:"MKD "; depth:4; isdataat:75,relative; content:!"|0A|"; within:75; metadata:ruleset community, service ftp; reference:bugtraq,11772; reference:bugtraq,15457; reference:bugtraq,23885; reference:bugtraq,39041; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:cve,2004-1135; reference:cve,2005-3683; reference:cve,2007-2586; reference:cve,2009-3023; reference:cve,2010-0625; reference:nessus,12108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.exploit-db.com/exploits/14399/; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:23055; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ACCT overflow attempt"; flow:to_server,established; content:"ACCT"; nocase; isdataat:200,relative; pcre:"/^ACCT(?!\n)\s[^\n]{200}/smi"; metadata:service ftp; reference:url,seclists.org/bugtraq/2010/Feb/202; classtype:attempted-admin; sid:18580; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ProFTPD mod_site_misc module directory traversal attempt"; flow:to_server,established; content:"SITE"; fast_pattern:only; pcre:"/^SITE\s+(MKDIR|RMDIR|SYMLINK|UTIME)[^\r\n]*?\x2F\x2E\x2E\x2F/i"; metadata:service ftp; reference:bugtraq,44562; reference:cve,2010-3867; classtype:attempted-user; sid:18326; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ProFTPd 1.3.3c backdoor help access attempt"; flow:to_server,established; content:"HELP ACIDBITCHEZ"; fast_pattern:only; metadata:service ftp; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; classtype:trojan-activity; sid:18182; rev:5;)
# alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"PROTOCOL-FTP ProFTPd 1.3.3c backdoor activity"; flow:to_server, established; content:"GET /AB HTTP/1.0"; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; classtype:trojan-activity; sid:18181; rev:3;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"PROTOCOL-FTP FlashGet PWD command stack buffer overflow attempt"; flow:to_client,established; content:"257|20|"; pcre:"/^257\x20\S{257,}\x20/mi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,30685; reference:cve,2008-4321; classtype:attempted-user; sid:17518; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Vermillion 1.31 vftpd port command memory corruption"; flow:to_server,established; content:"PORT"; depth:4; isdataat:50,relative; content:!"|0A|"; within:50; metadata:service ftp; reference:url,www.exploit-db.com/exploits/11293; reference:url,www.global-evolution.info/news/files/vftpd/vftpd.txt; classtype:misc-attack; sid:17059; rev:5;)
# alert tcp any any -> any 21 (msg:"PROTOCOL-FTP httpdx PASS null byte denial of service"; flow:established,to_server; content:"PASS"; nocase; pcre:"/PASS\s{0,2}\x00/ims"; metadata:service ftp; reference:url,secunia.com/advisories/38933; reference:url,www.exploit-db.com/exploits/11734; classtype:attempted-dos; sid:16698; rev:3;)
# alert tcp any any -> any 21 (msg:"PROTOCOL-FTP httpdx USER null byte denial of service"; flow:established,to_server; content:"USER"; nocase; pcre:"/USER\s{0,2}\x00/ims"; metadata:service ftp; reference:url,secunia.com/advisories/38933; reference:url,www.exploit-db.com/exploits/11734; classtype:attempted-dos; sid:16697; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP multiple extension code execution attempt"; flow:established,to_server; content:"STOR"; depth:4; nocase; content:".asp|3B|."; distance:0; nocase; pcre:"/^STOR[^\n]+\.asp\x3B\./smi"; metadata:service ftp; reference:cve,2009-4444; classtype:web-application-attack; sid:16357; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST globbing denial of service attack"; flow:to_server,established; content:"ST -R"; nocase; content:"*/.."; within:20; distance:1; metadata:service ftp; reference:cve,2009-2521; reference:url,technet.microsoft.com/en-us/security/advisory/975191; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; classtype:attempted-dos; sid:15932; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Ipswitch Ws_ftp XMD5 overflow attempt"; flow:to_server,established; content:"XMD5"; nocase; isdataat:200,relative; pcre:"/^XMD5(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,20076; reference:cve,2006-4847; reference:cve,2006-5000; classtype:attempted-admin; sid:10188; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASV overflow attempt"; flow:to_server,established; content:"PASV"; nocase; isdataat:493,relative; pcre:"/^PASV(?!\n)\s[^\n]{493}/smi"; metadata:service ftp; reference:url,www.milw0rm.com/exploits/2952; classtype:attempted-admin; sid:9792; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP WZD-FTPD SITE arbitrary command execution attempt"; flow:established,to_server; content:"SITE"; fast_pattern:only; pcre:"/^SITE\s*(\w+\s*)+\x7c/smi"; metadata:service ftp; reference:bugtraq,14935; reference:cve,2005-3081; classtype:attempted-admin; sid:8707; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Microsoft NLST * dos attempt"; flow:to_server,established; content:"NLST"; fast_pattern:only; pcre:"/^NLST\s+[^\n]*\x2a{10}/smi"; metadata:service ftp; reference:bugtraq,2717; reference:cve,2001-0334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-026; classtype:attempted-dos; sid:8481; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP HELP overflow attempt"; flow:to_server,established; content:"HELP"; nocase; isdataat:200,relative; pcre:"/^HELP(?!\n)\s[^\n]{200}/smi"; metadata:service ftp; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:8479; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SIZE overflow attempt"; flow:to_server,established; content:"SIZE"; nocase; isdataat:500,relative; pcre:"/^SIZE\s[\x2F\x5C][^\x0a]{500}/smi"; metadata:service ftp; reference:bugtraq,19617; reference:cve,2006-4318; classtype:attempted-admin; sid:8415; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE INDEX format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"INDEX"; distance:0; nocase; pcre:"/^SITE\s+INDEX\s[^\n]*?%[^\n]*?%/smi"; metadata:service ftp; reference:bugtraq,1387; reference:cve,2000-0573; classtype:bad-unknown; sid:3523; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST with numeric argument"; flow:to_server,established; content:"REST"; fast_pattern:only; pcre:"/REST\s+[0-9]+\n/i"; metadata:ruleset community, service ftp; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:200,relative; pcre:"/^RNFR\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,14339; classtype:attempted-admin; sid:3077; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; fast_pattern:only; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9800; reference:cve,2004-1883; classtype:attempted-admin; sid:2574; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:200,relative; pcre:"/^ALLO(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9953; reference:cve,2004-1883; reference:nessus,14598; classtype:attempted-admin; sid:2449; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,15352; reference:bugtraq,30993; reference:bugtraq,9800; reference:cve,2002-2074; reference:cve,2007-1195; reference:cve,2009-4769; classtype:string-detect; sid:2417; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern:only; pcre:"/^MDTM \d+[-+]\D/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:200,relative; pcre:"/^APPE(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; reference:cve,2003-0772; classtype:attempted-admin; sid:2391; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:200,relative; pcre:"/^STOU\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7909; reference:cve,1999-1544; reference:cve,2009-3023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:2374; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:200,relative; pcre:"/^XMKD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,11542; reference:bugtraq,8704; reference:cve,2004-2728; classtype:attempted-admin; sid:2344; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:200,relative; content:!"|0D|"; within:200; content:!"|0A|"; within:200; content:!"|00|"; within:200; metadata:ruleset community, service ftp; reference:bugtraq,8668; reference:cve,2000-0133; reference:url,exploit-db.com/exploits/39662/; classtype:attempted-admin; sid:2343; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:200,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP RMD / attempt"; flow:to_server,established; content:"RMD"; fast_pattern:only; pcre:"/^RMD\s+\x2f$/smi"; metadata:ruleset community; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; fast_pattern:only; pcre:"/^USER\s+y049575046/smi"; metadata:ruleset community; reference:bugtraq,9072; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2334; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; fast_pattern:only; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD format string attempt"; flow:to_server,established; content:"MKD"; fast_pattern:only; pcre:"/^MKD\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; fast_pattern:only; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; reference:nessus,11912; classtype:misc-attack; sid:2272; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; reference:cve,2007-1195; reference:nessus,10490; classtype:misc-attack; sid:2179; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD Root directory traversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; metadata:ruleset community, service ftp; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; metadata:ruleset community, service ftp; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2972; reference:cve,2001-0826; reference:nessus,11755; classtype:attempted-admin; sid:1974; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,1387; reference:bugtraq,1505; reference:cve,2000-0573; classtype:bad-unknown; sid:1971; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; pcre:"/^RETR[^\n]*shadow$/smi"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1928; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1927; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:180,relative; pcre:"/^CWD(?!\n)\s[^\n]{180}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x3f/smi"; metadata:ruleset community, service ftp; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1778; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EXPLOIT STAT asterisk dos attempt"; flow:to_server,established; content:"STAT"; fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x2a/smi"; metadata:ruleset community, service ftp; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1777; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SYST overflow attempt"; flow:to_server,established; content:"SYST"; nocase; isdataat:100,relative; pcre:"/^SYST(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1625; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PWD overflow attempt"; flow:to_server,established; content:"PWD"; nocase; isdataat:190,relative; pcre:"/^PWD\s.{190}/smi"; metadata:ruleset community, service ftp; classtype:protocol-command-decode; sid:1624; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid MODE"; flow:to_server,established; content:"MODE"; fast_pattern:only; pcre:"/^MODE\s+[^ABSC]{1}/msi"; metadata:ruleset community, service ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1623; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; fast_pattern:only; content:" ././"; metadata:ruleset community, service ftp; reference:cve,1999-0081; classtype:misc-attack; sid:1622; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:200,relative; pcre:"/^CMD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; classtype:attempted-admin; sid:1621; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2120; reference:cve,2001-0065; reference:nessus,10579; classtype:attempted-admin; sid:1562; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/mi"; metadata:ruleset community, service ftp; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:cve,2003-0772; reference:cve,2011-0762; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"{"; distance:0; metadata:ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1378; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; metadata:ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1377; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; metadata:ruleset community, service ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:13;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"PROTOCOL-FTP Bad login"; flow:to_client,established; content:"530 "; fast_pattern:only; pcre:"/^530\s+(Login|User)/smi"; metadata:ruleset community, service ftp; classtype:bad-unknown; sid:491; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; fast_pattern:only; metadata:ruleset community, service ftp; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP serv-u directory traversal"; flow:to_server,established; content:".%20."; fast_pattern:only; metadata:ruleset community, service ftp; reference:bugtraq,2052; reference:cve,2001-0054; reference:nessus,10565; classtype:bad-unknown; sid:360; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:359; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:358; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern:only; metadata:ruleset community, service ftp; reference:url,www.mines.edu/fs_home/dlarue/cc/baby-doe.html; classtype:suspicious-login; sid:357; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:356; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:355; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:354; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:353; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:334; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:144; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"PROTOCOL-FTP CoreFTP FTP Server TYPE command denial of service attempt"; flow:to_server,established; content:"TYPE"; fast_pattern:only; pcre:"/^TYPE\s+?\w{210}/smi"; metadata:service ftp; reference:bugtraq,67613; classtype:attempted-dos; sid:31128; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"PROTOCOL-FTP ProFTPD mod_copy remote code execution attempt"; flow:to_server,established; content:"SITE"; depth:4; nocase; content:"CPFR"; within:4; distance:1; nocase; content:"/proc/"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; reference:bugtraq,74238; reference:cve,2015-3306; classtype:attempted-admin; sid:34225; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Ipswitch Ws_ftp XCRC overflow attempt"; flow:to_server,established; content:"XCRC"; nocase; isdataat:200,relative; pcre:"/^XCRC(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,20076; reference:cve,2006-4847; classtype:attempted-admin; sid:18588; rev:9;)
# alert tcp $EXTERNAL_NET [20,1024:] -> $HOME_NET [20,1024:] (msg:"PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt"; flow:established; stream_size:either,>,12800; content:"4096"; fast_pattern:only; pcre:"/[D\x2D][RWX\x2D]{9}\s+\w+\s+\w+\s+\w+\s+4096/i"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,29528; reference:cve,2008-2541; classtype:attempted-user; sid:18575; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EPRT overflow attempt"; flow:established,to_server; content:"EPRT "; nocase; isdataat:128,relative; pcre:"/^EPRT\x20[^\n]{128}/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,15998; reference:cve,2005-4459; classtype:attempted-admin; sid:17329; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ProFTPD username sql injection attempt"; flow:to_server, established; content:"|25 27|"; fast_pattern:only; content:"USER"; pcre:"/USER\s*[^\x0d]+\x25\x27/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,33722; reference:cve,2009-0542; reference:url,attack.mitre.org/techniques/T1190; classtype:attempted-admin; sid:16524; rev:10;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"PROTOCOL-FTP Ipswitch WS_FTP client format string attempt"; flow:to_client,established; content:"%"; fast_pattern:only; pcre:"/^(\d{3}\x20)?\S*\x25\w/i"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,30720; reference:cve,2008-3734; classtype:attempted-user; sid:14770; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNTO directory traversal attempt"; flow:to_server,established; content:"RNTO"; depth:4; nocase; pcre:"/^rnto\s[^\s\x0d\x0a]*\x2e\x2e(\x2f|\x5c)/i"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,31563; reference:cve,2008-4501; classtype:suspicious-filename-detect; sid:14743; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-FTP Computer Associates eTrust Secure Content Manager PASV stack overflow attempt"; flow:to_client,established; content:"227"; depth:3; pcre:"/\x28((\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9]),\d+,\d+,\d+|\d+,(\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9]),\d+,\d+|\d+,\d+,(\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9]),\d+|\d+,\d+,\d+(\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9])),\d+,\d+\x29/"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,29528; reference:cve,2008-2541; classtype:attempted-user; sid:13925; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PORT overflow attempt"; flow:to_server,established; content:"PORT "; nocase; isdataat:400,relative; pcre:"/^PORT\x20[^\n]{400}/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,15998; reference:bugtraq,18711; reference:cve,2005-4459; reference:cve,2006-2226; classtype:attempted-admin; sid:8480; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,126; reference:cve,1999-0017; reference:nessus,10081; classtype:misc-attack; sid:3441; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:200,relative; pcre:"/^RETR(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,23168; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; reference:cve,2005-3683; classtype:attempted-admin; sid:2392; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:200,relative; pcre:"/^RNTO(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; reference:cve,2005-3683; classtype:attempted-admin; sid:2389; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:128,relative; pcre:"/^LIST(?!\n)\s[^\n]{128}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10181; reference:bugtraq,14339; reference:bugtraq,33454; reference:bugtraq,58247; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:cve,2004-1992; reference:cve,2005-2373; reference:cve,2007-0019; reference:cve,2009-0351; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-003; classtype:misc-attack; sid:2338; rev:35;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,2972; reference:bugtraq,39041; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-0625; classtype:attempted-admin; sid:1976; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE(?!\n)\s[^\n]{100}/mi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,2972; reference:bugtraq,46922; reference:cve,2001-0826; reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-4228; reference:nessus,11755; classtype:attempted-admin; sid:1975; rev:27;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:150,relative; pcre:"/^MKD(?!\n)\s[^\n]{150}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,11772; reference:bugtraq,15457; reference:bugtraq,39041; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:cve,2004-1135; reference:cve,2005-3683; reference:cve,2009-3023; reference:cve,2010-0625; reference:nessus,12108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:1973; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,15457; reference:bugtraq,1690; reference:bugtraq,22045; reference:bugtraq,3884; reference:bugtraq,45957; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; reference:cve,2005-3683; reference:cve,2006-6576; classtype:attempted-admin; sid:1972; rev:32;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,15352; reference:bugtraq,1690; reference:bugtraq,22044; reference:bugtraq,22045; reference:bugtraq,4638; reference:bugtraq,49750; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; reference:cve,2004-0695; reference:cve,2005-3683; classtype:attempted-admin; sid:1734; rev:50;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; fast_pattern:only; pcre:"/^CWD\s+~/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP no password"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s*\n/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; classtype:unknown; sid:489; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .rhosts"; flow:to_server,established; content:".rhosts"; metadata:policy max-detect-ips drop, ruleset community, service ftp; classtype:suspicious-filename-detect; sid:335; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt"; flow:to_server,established; content:"testAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,29528; reference:cve,2008-2541; classtype:attempted-user; sid:37934; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PUT overflow attempt"; flow:to_server,established; content:"PUT "; nocase; isdataat:200,relative; content:!"|0D|"; within:200; content:!"|0A|"; within:200; content:!"|00|"; within:200; metadata:service ftp; reference:url,exploit-db.com/exploits/39662/; classtype:attempted-admin; sid:39378; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"PROTOCOL-FTP z/OS FTP Job Entry Subsystem JCL execution attempt"; flow:to_server,established; content:"site file=jes"; fast_pattern:only; nocase; metadata:service ftp; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/mainframe/ftp/ftp_jcl_creds.rb; classtype:policy-violation; sid:40355; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt"; flow:to_server,established; content:"RETR|20|"; content:"../"; within:20; pcre:"/retr[^&]*?\x2e\x2e\x2f/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,96944; reference:cve,2017-6510; classtype:attempted-admin; sid:42862; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP WS-FTP REST command overly large file creation attempt"; flow:to_server,established; content:"REST "; byte_test:10,>,1000000000, 0, relative, string, dec; metadata:service ftp; reference:bugtraq,9953; reference:cve,2004-1848; classtype:attempted-dos; sid:43239; rev:1;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt"; flow:to_client,established; content:"|41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; depth:16; content:!"|0D|"; depth:1500; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; reference:bugtraq,101602; reference:cve,2017-15222; reference:url,www.exploit-db.com/exploits/43025/; reference:url,www.exploit-db.com/exploits/43236/; classtype:attempted-user; sid:45461; rev:2;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt"; flow:to_client,established; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; depth:16; content:!"|0D|"; within:1500; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; reference:cve,2017-15222; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/ayukov_nftp.rb; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/labf_nfsaxe.rb; classtype:attempted-user; sid:45460; rev:3;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt"; flow:to_client,established; content:"220"; depth:3; isdataat:1500,relative; content:!"|0A|"; within:1500; metadata:service ftp; reference:url,www.exploit-db.com/exploits/42011/; classtype:attempted-user; sid:45591; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt"; flow:to_server,established; content:"d"; content:"|20 20 20 20 20 20 20 20 20|4096|20|"; within:14; distance:28; content:!"|0D 0A|"; within:255; distance:13; metadata:policy max-detect-ips drop, service ftp; reference:cve,2008-2541; classtype:attempted-user; sid:45828; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt"; flow:to_server,established; content:"DRRD"; fast_pattern; content:"NAND"; distance:0; content:".."; distance:0; metadata:service ftp; reference:url,www.profaceamerica.com; classtype:attempted-user; sid:49426; rev:1;)


@@ -0,0 +1,168 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# PROTOCOL-ICMP RULES
#---------------------
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP invalid ICMPv6 header attempt"; dsize:32; content:"|3A 01 66 0D 66 0D 66 0D 66 0D 00 00 00 00 00 00|"; depth:16; content:"|80 00|"; within:2; content:"|DE AD BE EF|"; within:4; distance:2; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24305; rev:2;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 multicast neighbor delete attempt"; itype:132; icode:0; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24302; rev:2;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 MLD multicast listener query attempt"; itype:130; icode:0; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24301; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 invalid router advertisement attempt"; itype:134; icode:0; content:"|00 00 00 05|"; isdataat:!1,relative; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24299; rev:2;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 0xdeadbeef ICMP ping attempt"; itype:128; icode:0; icmp_id:57005; icmp_seq:48879; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24298; rev:2;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 oversized ICMP ping attempt"; itype:128; icode:0; icmp_id:0; dsize:>1500; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24297; rev:2;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 router advertisement invalid prefix option attempt"; itype:134; icode:0; isdataat:36; content:"|03 04|"; offset:11; byte_test:4,>,0,10,relative,little; reference:bugtraq,65409; reference:cve,2014-0254; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-006; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24296; rev:7;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP suspicious IPv6 router advertisement attempt"; itype:134; icode:0; content:"|03 04 80|"; offset:11; content:"|11 11 11 11 04 04 04 04|"; within:8; distance:1; content:!"|00 00 00 00|"; within:4; reference:url,thc.org/thc-ipv6/; classtype:attempted-admin; sid:24295; rev:2;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 neighbor advertisement flood attempt"; itype:136; icode:0; detection_filter:track by_dst, count 500, seconds 1; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24294; rev:2;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 router advertisement flood attempt"; itype:134; icode:0; detection_filter:track by_dst, count 50, seconds 1; reference:bugtraq,65409; reference:cve,2014-0254; reference:cve,2014-2309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-006; reference:url,www.thc.org/thc-ipv6/; classtype:attempted-dos; sid:23178; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ICMPv6 Echo Request"; icode:0; itype:128; classtype:misc-activity; sid:18474; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ICMPv6 Echo Reply"; icode:0; itype:129; classtype:misc-activity; sid:18473; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP record route rr denial of service attempt"; ipopts:rr; icode:0; itype:8; reference:bugtraq,870; reference:cve,1999-0986; reference:cve,1999-1339; reference:cve,2001-0752; classtype:attempted-dos; sid:8730; rev:6;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PATH MTU denial of service attempt"; itype:3; icode:4; byte_test:2,<,576,2; metadata:policy max-detect-ips drop; reference:bugtraq,13124; reference:cve,2004-1060; classtype:attempted-dos; sid:3626; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1918; rev:10;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:13;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:13;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; metadata:ruleset community; classtype:misc-activity; sid:1813; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; metadata:ruleset community; classtype:misc-activity; sid:484; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:483; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:482; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:481; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; metadata:ruleset community; classtype:misc-activity; sid:480; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:476; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:474; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:467; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset community; classtype:attempted-recon; sid:466; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; metadata:ruleset community; classtype:attempted-recon; sid:465; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 7 undefined code"; itype:7; metadata:ruleset community; reference:cve,1999-0454; classtype:misc-activity; sid:463; rev:14;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 7"; icode:0; itype:7; metadata:ruleset community; classtype:misc-activity; sid:462; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 2 undefined code"; itype:2; metadata:ruleset community; classtype:misc-activity; sid:461; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 2"; icode:0; itype:2; metadata:ruleset community; classtype:misc-activity; sid:460; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 1 undefined code"; itype:1; metadata:ruleset community; classtype:misc-activity; sid:459; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 1"; icode:0; itype:1; metadata:ruleset community; classtype:misc-activity; sid:458; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Traceroute undefined code"; icode:>0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:457; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Traceroute"; icode:0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:456; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Request undefined code"; icode:>0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:454; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Request"; icode:0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:453; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Reply undefined code"; icode:>0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:452; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Reply"; icode:0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:451; rev:8;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:450; rev:11;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; metadata:ruleset community; classtype:misc-activity; sid:449; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Source Quench undefined code"; icode:>0; itype:4; metadata:ruleset community; classtype:misc-activity; sid:448; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP undefined code"; icode:>0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:446; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP"; icode:0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:445; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Router Selection"; icode:0; itype:10; metadata:ruleset community; classtype:misc-activity; sid:443; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Router Advertisement"; icode:0; itype:9; metadata:ruleset community; classtype:misc-activity; sid:441; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:440; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Reserved for Security Type 19"; icode:0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:439; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect undefined code"; icode:>3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:438; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect for TOS and Network"; icode:2; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:437; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect for TOS and Host"; icode:3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:436; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris undefined code!"; icode:>3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:433; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:432; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; metadata:ruleset community; classtype:misc-activity; sid:431; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; metadata:ruleset community; classtype:misc-activity; sid:430; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Reserved"; icode:0; itype:40; metadata:ruleset community; classtype:misc-activity; sid:429; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem undefined Code"; icode:>2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:428; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; metadata:ruleset community; classtype:misc-activity; sid:427; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; metadata:ruleset community; classtype:misc-activity; sid:426; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Bad Length"; icode:2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:425; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:424; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Request"; icode:0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:423; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:422; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Reply"; icode:0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:421; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:420; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Host Redirect"; icode:0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:419; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Information Request undefined code"; icode:>0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:418; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Information Request"; icode:0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:417; rev:8;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Information Reply undefined code"; icode:>0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:416; rev:10;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Information Reply"; icode:0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:415; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:414; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 Where-Are-You"; icode:0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:413; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:412; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 I-Am-Here"; icode:0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:411; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:410; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply undefined code"; icode:>0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:409; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:407; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; metadata:ruleset community; classtype:misc-activity; sid:406; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; metadata:ruleset community; classtype:misc-activity; sid:405; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:403; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; metadata:ruleset community; classtype:misc-activity; sid:401; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; metadata:ruleset community; classtype:misc-activity; sid:400; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; metadata:ruleset community; classtype:misc-activity; sid:399; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; metadata:ruleset community; classtype:misc-activity; sid:398; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; metadata:ruleset community; classtype:misc-activity; sid:397; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; reference:cve,2015-7759; classtype:misc-activity; sid:396; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; metadata:ruleset community; classtype:misc-activity; sid:395; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; metadata:ruleset community; classtype:misc-activity; sid:394; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:393; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Datagram Conversion Error"; icode:0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:392; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Alternate Host Address undefined code"; icode:>0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:391; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Alternate Host Address"; icode:0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:390; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request undefined code"; icode:>0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:389; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request"; icode:0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:388; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Reply undefined code"; icode:>0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:387; rev:10;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Address Mask Reply"; icode:0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:386; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP traceroute"; itype:8; ttl:1; metadata:ruleset community; classtype:attempted-recon; sid:385; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; classtype:misc-activity; sid:381; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Seer Windows"; itype:8; content:"|88 04| "; depth:32; metadata:ruleset community; classtype:misc-activity; sid:380; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:379; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:378; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:377; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:376; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; metadata:ruleset community; classtype:misc-activity; sid:375; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:374; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:373; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:372; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:371; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:370; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:369; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:368; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING undefined code"; icode:>0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:365; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP router selection"; itype:10; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP router advertisement"; itype:9; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ath"; itype:8; content:"+++ath"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:251; rev:11;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP TFN server response"; icmp_id:123; itype:0; content:"shell bound"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:14;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:229; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:228; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:227; rev:13;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:226; rev:13;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:225; rev:13;)
# alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht server spoof"; icmp_id:666; itype:0; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:224; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:222; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN Probe"; icmp_id:678; itype:8; content:"1234"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:221; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Truncated ICMPv6 denial of service attempt"; content:"|60|"; depth:1; isdataat:!40,relative; reference:cve,2013-3182; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-064; classtype:denial-of-service; sid:27611; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Truncated ICMPv6 denial of service attempt"; content:"|60 58 58 58 58 58 58 58|"; fast_pattern:only; reference:cve,2013-3182; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-064; classtype:denial-of-service; sid:27610; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 0xfacebabe ICMP ping attempt"; itype:128; icode:0; icmp_id:64206; icmp_seq:47806; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:28292; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual Microsoft Windows 7 Ping detected"; icode:0; itype:8; dsize:>32; content:"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29457; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual PING detected"; icode:0; itype:8; fragbits:!M; content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; content:!"0123456789abcdefghijklmnopqrstuv"; depth:32; content:!"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; depth:36; content:!"WANG2"; content:!"cacti-monitoring-system"; depth:65; content:!"SolarWinds"; depth:72; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29456; rev:2;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual Microsoft Windows Ping detected"; icode:0; itype:8; dsize:>32; content:"0123456789abcdefghijklmnopqrstuv"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29455; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual L3retriever Ping detected"; icode:0; itype:8; dsize:>32; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29454; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP FreeBSD rtsold dname_labeldec stack buffer overflow attempt"; itype:134; content:"|1F|"; depth:1; offset:12; content:"|00 00|"; within:2; distance:1; byte_test:1,>,0x80,-3,relative; reference:bugtraq,70694; reference:cve,2014-3954; classtype:attempted-admin; sid:32369; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 multicast neighbor add attempt"; itype:135; icode:0; metadata:policy max-detect-ips drop; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24303; rev:6;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:14;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP destination unreachable port unreachable packet detected"; icode:3; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:16;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt "; itype:134; icode:0; content:"|18|"; depth:1; offset:12; byte_test:1,>,3,0,relative; reference:cve,2010-0241; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-009; classtype:attempted-admin; sid:18249; rev:5;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt "; itype:134; icode:0; content:"|03|"; depth:1; offset:12; byte_test:1,>,4,0,relative; metadata:policy max-detect-ips drop; reference:cve,2010-0239; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-009; classtype:attempted-admin; sid:16405; rev:6;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt"; icode:0; itype:>160; reference:cve,2014-7142; reference:url,squid-cache.org/Advisories/SQUID-2014_4.txt; classtype:attempted-dos; sid:36651; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt"; icode:0; itype:11<>127; reference:cve,2014-7142; reference:url,squid-cache.org/Advisories/SQUID-2014_4.txt; classtype:attempted-dos; sid:36650; rev:1;)


@@ -0,0 +1,70 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# PROTOCOL-IMAP RULES
#---------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP CAPABILITY overflow attempt"; flow:established,to_server; content:"CAPABILITY"; nocase; isdataat:100,relative; pcre:"/\sCAPABILITY\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,15006; reference:cve,2005-3155; classtype:misc-attack; sid:5705; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP unsubscribe directory traversal attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; pcre:"/\sUNSUBSCRIBE[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5703; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP subscribe directory traversal attempt"; flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/\sSUBSCRIBE[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:5702; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP status directory traversal attempt"; flow:established,to_server; content:"STATUS"; fast_pattern:only; pcre:"/\sSTATUS\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5701; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename directory traversal attempt"; flow:established,to_server; content:"RENAME"; fast_pattern:only; pcre:"/\sRENAME[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5700; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub directory traversal attempt"; flow:established,to_server; content:"LSUB"; fast_pattern:only; pcre:"/\sLSUB[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5699; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list directory traversal attempt"; flow:established,to_server; content:"LIST"; fast_pattern:only; pcre:"/\sLIST\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5698; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP examine directory traversal attempt"; flow:established,to_server; content:"EXAMINE"; fast_pattern:only; pcre:"/\sEXAMINE[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5697; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP delete directory traversal attempt"; flow:established,to_server; content:"DELETE"; fast_pattern:only; pcre:"/\sDELETE[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5696; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP search literal format string attempt"; flow:established,to_server; content:"SEARCH"; fast_pattern:only; pcre:"/\sSEARCH\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:service imap; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:4646; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP search format string attempt"; flow:established,to_server; content:"SEARCH"; fast_pattern:only; pcre:"/\sSEARCH\s[^\n]*?%/smi"; metadata:service imap; reference:bugtraq,10976; reference:cve,2005-2878; classtype:attempted-admin; sid:4645; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP UNSUBSCRIBE overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+UNSUBSCRIBE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:cve,2004-1211; reference:cve,2005-3189; reference:nessus,15867; classtype:attempted-admin; sid:3076; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3075; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; fast_pattern:only; pcre:"/\sSTATUS[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15491; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3071; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3070; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; fast_pattern:only; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3069; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; fast_pattern:only; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3067; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP APPEND overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,21729; reference:cve,2004-1211; reference:cve,2006-6425; reference:nessus,15867; classtype:misc-attack; sid:3066; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP append literal overflow attempt"; flow:established,to_server; content:"APPEND"; fast_pattern:only; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3065; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; fast_pattern:only; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:3058; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; fast_pattern:only; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11675; reference:cve,2005-1520; reference:nessus,15771; classtype:misc-attack; sid:3008; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,10976; reference:cve,2007-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-admin; sid:2665; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s[^\n]*?%/smi"; metadata:ruleset community, service imap; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2664; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth overflow attempt"; flow:to_server,established; content:"AUTH"; isdataat:368,relative; content:!"|0A|"; within:368; metadata:ruleset community, service imap; reference:bugtraq,8861; reference:cve,2003-1177; reference:nessus,11910; classtype:misc-attack; sid:2330; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login brute force attempt"; flow:to_server,established,no_stream; content:"LOGIN"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service imap; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2273; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; fast_pattern:only; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2120; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; fast_pattern:only; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2107; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,1110; reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; fast_pattern:only; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,21724; reference:cve,1999-0042; reference:cve,2006-6424; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:2046; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; fast_pattern:only; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,21724; reference:cve,1999-0005; reference:cve,2006-6424; classtype:misc-attack; sid:1930; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/^\sFIND\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; fast_pattern:only; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; fast_pattern:only; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; isdataat:1024,relative; pcre:"/\sPARTIAL.*?BODY\[[^\]]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:1755; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP CRAM-MD5 authentication method buffer overflow attempt"; flow:to_server,established; flowbits:isset,imap.cram_md5; flowbits:unset,imap.cram_md5; content:"|0D 0A|"; fast_pattern:only; isdataat:300; content:!"|0D 0A|"; depth:300; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,11675; reference:bugtraq,14317; reference:bugtraq,23172; reference:cve,2005-1520; reference:cve,2007-1675; classtype:attempted-admin; sid:15484; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP CRAM-MD5 authentication request detected"; flow:to_server,established; content:"AUTHENTICATE CRAM-MD5"; fast_pattern:only; flowbits:set,imap.cram_md5; flowbits:noalert; metadata:service imap; reference:url,en.wikipedia.org/wiki/CRAM-MD5; classtype:protocol-command-decode; sid:11004; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SELECT overflow attempt"; flow:established,to_server; content:"SELECT"; nocase; isdataat:100,relative; pcre:"/\sSELECT\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,15006; reference:cve,2005-3155; reference:cve,2005-3691; reference:cve,2006-1255; classtype:misc-attack; sid:5704; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SUBSCRIBE overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-1579; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3074; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SUBSCRIBE literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,relative,string; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3073; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP STATUS overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; content:!"|0D 0A|"; within:100; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,13727; reference:bugtraq,14243; reference:bugtraq,15491; reference:cve,2004-1211; reference:cve,2005-1256; reference:cve,2005-2278; reference:cve,2005-3314; reference:cve,2017-1274; reference:nessus,15867; classtype:misc-attack; sid:3072; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP command overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\s(APPEND|CHECK|CLOSE|CREATE|DELETE|EXAMINE|EXPUNGE|FETCH|LIST|RENAME|SEARCH|SELECT|STATUS|SUBSCRIBE|UNSUBSCRIBE)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11675; reference:bugtraq,11775; reference:bugtraq,15006; reference:bugtraq,15753; reference:cve,2004-1211; reference:cve,2005-0707; reference:cve,2005-1520; reference:cve,2005-2923; reference:cve,2005-3155; reference:nessus,15771; classtype:misc-attack; sid:3007; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,1110; reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login literal buffer overflow attempt"; flow:established,to_server; pcre:"/\sLOGIN\s[^\n]*?\{\s*(-|[3-9][0-9]{2}|2[6-9][0-9]|25[7-9]|[0-9]{4})/smi"; content:"LOGIN"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,14718; reference:bugtraq,21724; reference:bugtraq,23810; reference:bugtraq,6298; reference:cve,2002-1580; reference:cve,2005-1758; reference:cve,2006-6424; reference:cve,2007-0221; reference:nessus,12532; classtype:misc-attack; sid:1993; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/i"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,13727; reference:bugtraq,21110; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2004-1011; reference:cve,2005-1255; reference:cve,2006-5961; reference:cve,2007-1373; reference:cve,2007-2795; reference:cve,2007-3925; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:34;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP IMAP CRAM-MD5 authentication attempt"; flow:to_server; content:"a001 authenticate cram-md5"; fast_pattern:only; flowbits:set,file.crammd5; flowbits:noalert; metadata:policy max-detect-ips drop, service imap; reference:cve,2007-1675; classtype:protocol-command-decode; sid:43067; rev:2;)


@@ -0,0 +1,35 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# PROTOCOL-NNTP RULES
#---------------------
# alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"PROTOCOL-NNTP return code buffer overflow attempt"; flow:to_client,established; content:"200"; isdataat:256,relative; pcre:"/^200\s[^\n]{256}/smi"; metadata:ruleset community; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; metadata:ruleset community; reference:bugtraq,1156; reference:cve,2000-0341; reference:nessus,10388; classtype:attempted-admin; sid:1538; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; fast_pattern:only; pcre:"/^sendsys\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2424; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; fast_pattern:only; pcre:"/^senduuname\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2425; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP version overflow attempt"; flow:to_server,established; content:"version"; fast_pattern:only; pcre:"/^version\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2426; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; fast_pattern:only; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2427; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; fast_pattern:only; pcre:"/^ihave\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2428; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; fast_pattern:only; pcre:"/^sendme\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2429; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; fast_pattern:only; pcre:"/^newgroup\x3a[^\n]{32}/smi"; metadata:ruleset community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2430; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; fast_pattern:only; pcre:"/^rmgroup\x3a[^\n]{32}/smi"; metadata:ruleset community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2431; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; fast_pattern:only; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; metadata:ruleset community; classtype:attempted-admin; sid:2432; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP cancel overflow attempt"; flow:to_server,established; content:"cancel"; fast_pattern:only; pcre:"/^cancel\x3a[^\n]{32}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:12464; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH|20|"; depth:7; nocase; isdataat:160,relative; pcre:"/^SEARCH\s+[^\n]{160}/i"; metadata:ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:3078; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP Control overflow attempt"; flow:to_server,established; content:"Control|3A| "; isdataat:23,relative; content:!"|0D 0A|"; within:23; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:43760; rev:1;)


@@ -0,0 +1,44 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------------
# PROTOCOL-OTHER RULES
#----------------------
alert tcp any any -> $HOME_NET 445 (msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; classtype:misc-activity; sid:43003; rev:5;)
alert tcp any any -> $HOME_NET 445 (msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"IPC$|00|"; fast_pattern:only; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; classtype:misc-activity; sid:43002; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt"; flow:to_server; content:"|01 02 00|"; depth:3; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-recon; sid:40907; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt"; flow:to_server; dsize:>336; content:"|01 01 00|"; depth:3; byte_test:4,>=,0x0264,4,big; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-user; sid:40866; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-OTHER Websocket upgrade request without a client key detected"; flow:to_server,established; content:"Upgrade: ws"; fast_pattern:only; http_header; content:!"Sec-WebSocket-Key"; http_header; metadata:service http; reference:cve,2015-8027; classtype:misc-activity; sid:37028; rev:1;)
alert tcp $HOME_NET 1900 -> $HOME_NET any (msg:"PROTOCOL-OTHER MiniUPNP rootdesc.xml buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rootdesc; file_data; content:"<?xml"; content:"<specVersion"; isdataat:100,relative; content:!">"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6031; reference:url,www.talosintelligence.com/reports/TALOS-2015-0035; classtype:attempted-user; sid:35690; rev:4;)
# alert tcp $HOME_NET 1900 -> $HOME_NET any (msg:"PROTOCOL-OTHER MiniUPNP rootdesc.xml buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rootdesc; file_data; content:"<?xml"; content:"<"; isdataat:100,relative; content:!">"; within:100; pcre:"/<\s*[^\s]{100}/"; metadata:service http; reference:cve,2015-6031; reference:url,www.talosintelligence.com/reports/TALOS-2015-0035; classtype:attempted-user; sid:35689; rev:4;)
alert tcp $HOME_NET any -> $HOME_NET 1900 (msg:"PROTOCOL-OTHER MiniUPNP rootdesc.xml file request"; flow:to_server,established; content:"/rootDesc.xml HTTP/1."; fast_pattern:only; flowbits:set,file.rootdesc; flowbits:noalert; metadata:service http; reference:cve,2015-6031; reference:url,www.talosintelligence.com/reports/TALOS-2015-0035; classtype:misc-activity; sid:35688; rev:5;)
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP invalid MCS serverRandomLen out of bounds read attempt"; flow:to_client,established; content:"|03 00|"; content:"|02 F0 80 7F 66|"; within:5; distance:2; content:"|03 0C 08 00 EB 03 00 00 02 0C|"; byte_test:4,>,0x7FFFFFFF,10,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2837; reference:url,www.talosintelligence.com/reports/TALOS-2017-0339/; classtype:attempted-user; sid:42998; rev:3;)
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP invalid EncryptedPlatformChallenge null pointer dereference attempt"; flow:to_client,established; content:"|03 00|"; byte_extract:2,0,pktlen,relative; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; content:"|80 00|"; within:2; distance:2; content:"|02|"; within:1; distance:2; byte_test:2,>,pktlen,9,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2839; reference:url,www.talosintelligence.com/reports/TALOS-2017-0341/; classtype:attempted-user; sid:42975; rev:3;)
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP invalid cbCompanyName out of bounds read attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; content:"|80 00|"; within:2; distance:2; content:"|01|"; within:1; distance:2; byte_test:4,>,0xFFFFFFFB,39,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2838; reference:url,www.talosintelligence.com/reports/TALOS-2017-0340/; classtype:attempted-user; sid:42974; rev:3;)
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP RSA modulus length integer underflow attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; content:"|01 00 00 00 01 00 00 00 06 00|"; content:"RSA1"; within:4; distance:2; byte_test:4,<,8,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2836; reference:url,www.talosintelligence.com/reports/TALOS-2017-0338/; classtype:attempted-user; sid:42973; rev:3;)
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP PER length integer underflow attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; byte_test:1,<,4,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2834; reference:cve,2017-2835; reference:url,www.talosintelligence.com/reports/TALOS-2017-0336/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0337/; classtype:attempted-user; sid:42941; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PROTOCOL-OTHER ARM mbed TLS x509 invalid public key remote code execution attempt"; flow:to_client,established; content:"|04 08 30 06 01 01 FF 02 01 0A 30 22 06 03 55 1D 0E 04 1B 04 63 6F C0 C0 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.talosintelligence.com/reports/TALOS-2017-0274; classtype:attempted-user; sid:41364; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [445,139] (msg:"PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt"; flow:to_server,established,no_stream; dsize:4; content:"|00 01|"; depth:2; byte_test:2,>=,0x2710, 0, relative; detection_filter:track by_src, count 25, seconds 1; metadata:service netbios-ssn; reference:url,smbloris.com/; classtype:attempted-dos; sid:43928; rev:2;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-OTHER STCP heartbeat chunk denial of service attempt"; ip_proto:132; content:"|04 00|"; byte_jump:2,0,relative,post_offset -4; content:"|04 00|"; within:2; byte_jump:2,0,relative,post_offset -4; content:"|04 00|"; within:2; byte_jump:2,0,relative,post_offset -4; content:"|04 00|"; within:2; reference:url,ietf.org/rfc/rfc5062.txt; classtype:denial-of-service; sid:44015; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"ScMM"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46124; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"MMcS"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46123; rev:2;)
# alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"ScMM"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46122; rev:2;)
# alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"MMcS"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46121; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 520 (msg:"PROTOCOL-OTHER Routing Information Protocol version 1 potential amplified distributed denial of service attempt"; flow:to_server; content:"|01 01 00 00 00|"; depth:5; fast_pattern; content:"|00 00|"; within:2; distance:1; detection_filter:track by_src, count 50, seconds 1; reference:url,blogs.akamai.com/2015/07/ripv1-reflection-ddos-making-a-comeback.html; classtype:attempted-dos; sid:46098; rev:1;)
# alert udp $EXTERNAL_NET 389 -> $HOME_NET any (msg:"PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt"; flow:to_server; content:"|30 84 00 00 00|"; depth:5; dsize:>2000; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; classtype:attempted-dos; sid:46374; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt"; flow:to_server; content:"|30 84 00 00 00|"; depth:5; detection_filter:track by_src, count 5, seconds 60; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; classtype:attempted-dos; sid:46373; rev:1;)


@@ -0,0 +1,45 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# PROTOCOL-POP RULES
#--------------------
# alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"PROTOCOL-POP libcurl MD5 digest buffer overflow attempt"; flow:to_client,established; content:"+ "; depth:2; base64_decode:relative; base64_data; content:"realm=|22|"; isdataat:32,relative; content:!"|22|"; within:32; metadata:service pop3; reference:bugtraq,57842; reference:cve,2013-0249; classtype:attempted-user; sid:26391; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 110 (msg:"PROTOCOL-POP STAT command"; flow:to_server, established; content:"STAT"; nocase; flowbits:set,pop3.stat; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; sid:16594; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s+[^\n]*?%/smi"; metadata:ruleset community, service pop3; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2666; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,9794; reference:cve,2004-2375; classtype:attempted-admin; sid:2409; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP login brute force attempt"; flow:to_server,established,no_stream; content:"USER"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service pop3; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2274; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+[^\n]*?%/smi"; metadata:ruleset community, service pop3; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; fast_pattern:only; pcre:"/^UIDL\s+-\d/smi"; metadata:ruleset community, service pop3; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP DELE negative argument attempt"; flow:to_server,established; content:"DELE"; fast_pattern:only; pcre:"/^DELE\s+-\d/smi"; metadata:ruleset community, service pop3; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2121; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2112; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2111; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2110; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:50,relative; pcre:"/^TOP\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2109; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2108; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:1938; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,133; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:288; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; fast_pattern:only; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:287; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER overflow attempt"; flow:to_server,established; content:"USER"; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; metadata:policy max-detect-ips drop, ruleset community, service pop3; reference:bugtraq,11256; reference:bugtraq,19651; reference:bugtraq,789; reference:cve,1999-0494; reference:cve,2002-1781; reference:cve,2006-2502; reference:cve,2006-4364; reference:nessus,10311; reference:url,www.delegate.org/mail-lists/delegate-en/1475; classtype:attempted-admin; sid:1866; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; metadata:policy max-detect-ips drop, ruleset community, service pop3; reference:bugtraq,21645; reference:bugtraq,791; reference:cve,1999-1511; reference:cve,2006-6605; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:24;)


@@ -0,0 +1,225 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# PROTOCOL-RPC RULES
#--------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC Solaris TCP portmap sadmin port query request attempt"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:12458; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2093; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt UDP"; flow:to_server; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,36564; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2092; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1922; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1923; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1949; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1950; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,1892; reference:cve,2011-0321; classtype:rpc-portmap-decode; sid:2015; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:599; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing UDP 32771"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1281; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1746; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1747; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1732; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1733; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:575; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1262; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:1263; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:577; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1264; rev:21;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:cve,1999-0008; classtype:rpc-portmap-decode; sid:580; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1267; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:1268; rev:19;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:582; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1269; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:21;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,8; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:1273; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:587; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2016; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:22;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1890; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1891; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap mountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:579; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:574; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP export request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:1924; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:1925; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP exportall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:1926; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:cve,1999-0210; classtype:attempted-recon; sid:1951; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2018; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP dump request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2019; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2020; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2021; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2022; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmountall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2023; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1953; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP pid request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1954; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1955; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP version request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:578; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1265; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,524; reference:cve,1999-0696; reference:cve,2009-3699; classtype:attempted-admin; sid:1907; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,5356; reference:cve,2002-0391; reference:cve,2009-3699; reference:nessus,11418; classtype:attempted-admin; sid:2094; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5356; reference:cve,2002-0391; reference:nessus,11418; classtype:attempted-admin; sid:2095; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1272; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap sadmind request UDP attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:585; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1957; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1958; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:583; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1270; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1913; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1914; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1915; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1916; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1959; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1960; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1961; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1962; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:26;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk UDP overflow attempt"; flow:to_server; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-admin; sid:1964; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; reference:cve,2001-0717; classtype:attempted-admin; sid:1965; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:589; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1275; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2028; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2025; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2026; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2030; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2032; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:21;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request UDP"; flow:to_server; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; reference:nessus,13976; classtype:rpc-portmap-decode; sid:2033; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2034; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2035; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2036; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request UDP"; flow:to_server; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2037; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2038; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2079; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2080; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP"; flow:to_server; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community; classtype:misc-attack; sid:2255; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt UDP"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community, service sunrpc; classtype:misc-attack; sid:2256; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC UNIX authentication machinename string overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:8; byte_test:4,>,255,8,relative; isdataat:264,relative; reference:bugtraq,20941; reference:cve,2006-5780; classtype:attempted-user; sid:9623; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:8; byte_test:4,>,255,8,relative; isdataat:264,relative; reference:bugtraq,20941; reference:cve,2006-5780; classtype:attempted-user; sid:9624; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap HP-UX Single Logical Screen SLSD udp request"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 5C E0|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,22551; reference:cve,2007-0915; classtype:rpc-portmap-decode; sid:10411; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap HP-UX Single Logical Screen SLSD udp request"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:" |00 00 01|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,22551; reference:cve,2007-0915; classtype:rpc-portmap-decode; sid:10409; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap HP-UX Single Logical Screen SLSD tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:" |00 00 01|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:bugtraq,22551; reference:cve,2007-0915; classtype:rpc-portmap-decode; sid:10408; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap HP-UX Single Logical Screen SLSD tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 5C E0|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:bugtraq,22551; reference:cve,2007-0915; classtype:rpc-portmap-decode; sid:10410; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 191 attempt"; flow:to_server; content:"|00 06 09|~"; depth:4; offset:12; content:"|00 00 00 BF|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:10485; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 191 attempt"; flow:to_server,established; content:"|00 06 09|~"; depth:4; offset:16; content:"|00 00 00 BF|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:10484; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve udp request"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09|~"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:10483; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 2112 udp request"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 08|@"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,attack.mitre.org/techniques/T1097; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=548; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12186; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [749,1024:] (msg:"PROTOCOL-RPC portmap 2112 udp rename_principal attempt"; flow:to_server; content:"|00 00 08|@"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12188; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 2112 tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 08|@"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,attack.mitre.org/techniques/T1097; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=548; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12185; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap walld udp format string attack attempt"; flow:to_server; content:"|00 01 86 A8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%"; reference:bugtraq,4639; reference:cve,2002-0573; classtype:rpc-portmap-decode; sid:12609; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC Solaris UDP portmap sadmin port query request attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:12626; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC Solaris UDP portmapper sadmin port query attempt"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:12628; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap walld udp request"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,4639; reference:cve,2002-0573; classtype:rpc-portmap-decode; sid:12608; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC Solaris TCP portmapper sadmin port query attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:12627; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 00 00 01|"; within:4; distance:16; byte_test:4,>,2147483647,8,relative,big; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24657; reference:cve,2007-2443; reference:url,attack.mitre.org/techniques/T1097; classtype:rpc-portmap-decode; sid:12708; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 390113 udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13251; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 04 93 E1 00 00 00 00|"; within:8; distance:16; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,24655; reference:cve,2007-2442; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt; classtype:attempted-admin; sid:13223; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 390113 udp procedure 4 attempt"; content:"|00 05 F3 E1|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13253; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 390113 udp procedure 5 attempt"; content:"|00 05 F3 E1|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13257; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 390113 tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13250; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 390113 tcp procedure 5 attempt"; flow:to_server,established; content:"|00 05 F3 E1|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13256; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 232 attempt"; flow:to_server,established; content:"|00 06 09|~"; depth:4; offset:16; content:"|00 00 00 E8|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:13716; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 232 attempt"; content:"|00 06 09|~"; depth:4; offset:12; content:"|00 00 00 E8|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:13717; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 234 attempt"; flow:to_server,established; content:"|00 06 09|~"; depth:4; offset:16; content:"|00 00 00 EA|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:13805; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 234 attempt"; flow:to_server; content:"|00 06 09|~"; depth:4; offset:12; content:"|00 00 00 EA|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:13806; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 395650 udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09 82|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16084; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 395650 tcp xml buffer overflow attempt"; flow:to_server,established; content:"|00 06 09 82|"; depth:4; offset:16; content:"|00 00 00|y"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,28,relative,align; byte_jump:4,32,relative,align; byte_test:4,>,1988,240,relative; metadata:policy max-detect-ips drop; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16085; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 395650 udp XDR SString buffer overflow attempt"; content:"|00 06 09 82|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"SString"; byte_test:4,>,4096,1,relative; metadata:policy max-detect-ips drop; reference:bugtraq,29283; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16082; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 395650 udp xml buffer overflow attempt"; content:"|00 06 09 82|"; depth:4; offset:12; content:"|00 00 00|y"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,28,relative,align; byte_jump:4,32,relative,align; byte_test:4,>,1988,240,relative; metadata:policy max-detect-ips drop; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16086; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 395650 tcp XDR SString buffer overflow attempt"; flow:to_server,established; content:"|00 06 09 82|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"SString"; byte_test:4,>,4096,1,relative; metadata:policy max-detect-ips drop; reference:bugtraq,29283; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16081; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC AIX ttdbserv function 15 buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 00|"; depth:32; offset:16; isdataat:256,relative; reference:bugtraq,35419; reference:cve,2009-2727; reference:url,www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4699&myns=paix52&mync=E; classtype:attempted-admin; sid:16285; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap Solaris sadmin tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,31751; reference:cve,2008-4556; classtype:rpc-portmap-decode; sid:16446; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap Solaris sadmin tcp adm_build_path overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; byte_jump:4,8,relative,align; byte_jump:4,4,relative,align; content:"ADM_METHOD"; content:"|00 00 00 09|"; within:8; byte_test:4,>,999,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,31751; reference:cve,2008-4556; classtype:rpc-portmap-decode; sid:16448; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap Solaris sadmin udp adm_build_path overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; byte_jump:4,8,relative,align; byte_jump:4,4,relative,align; content:"ADM_METHOD"; content:"|00 00 00 09|"; within:8; byte_test:4,>,999,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,31751; reference:cve,2008-4556; classtype:rpc-portmap-decode; sid:16449; rev:4;)
# alert tcp $EXTERNAL_NET [1024:] -> $HOME_NET 2049 (msg:"PROTOCOL-RPC IBM AIX and Oracle Solaris nfsd v4 nfs_portmon security bypass attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A3 00 00 00|"; within:7; distance:4; fast_pattern; pcre:"/^.{8}\x00\x00\x00\x00\x00\x00\x00[\x01\x02\x03]\x00\x01\x86\xA3\x00\x00\x00[\x02\x03\x04]/"; reference:bugtraq,35546; reference:bugtraq,36544; reference:cve,2009-2296; reference:cve,2009-3517; classtype:misc-attack; sid:20248; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET [1234,32778] (msg:"PROTOCOL-RPC Novell Netware xdr decode string length buffer overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 B8|"; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; metadata:policy max-detect-ips drop; reference:cve,2011-4191; reference:url,download.novell.com/Download?buildid=Cfw1tDezgbw~; classtype:attempted-user; sid:21100; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmount path overflow attempt"; flow:to_server; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 03|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,46535; reference:bugtraq,8179; reference:cve,2003-0252; reference:cve,2010-4227; reference:nessus,11800; classtype:misc-attack; sid:32356; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7937:] (msg:"PROTOCOL-RPC EMC NetWorker nsrindexd service buffer overflow attempt"; flow:to_server,established; content:"|00 05 F3 D9 00 00 00 05 00 00 00 09|"; depth:12; offset:16; isdataat:200,relative; byte_test:4,>,0xC8,16,relative; byte_test:4,<=,0x600,16,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,57182; reference:cve,2012-4607; classtype:attempted-admin; sid:25542; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7937:65535 (msg:"PROTOCOL-RPC EMC Networker nsrindexd.exe procedure 0x01 buffer overflow attempt"; flow:to_server,established; content:"|00 05 F3 D9|"; depth:200; fast_pattern; byte_test:4,>,4,0,big,relative; byte_test:4,<,7,0,big,relative; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00 00 00 00 00|"; within:8; byte_test:4,>=,0x100,8,big,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:cve,2012-0395; classtype:attempted-user; sid:24696; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 122 invalid function call attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 06 09 80|"; within:4; distance:4; fast_pattern; content:"|00 00 00 7A|"; within:4; distance:4; content:!"|00 00 00 05|Slist|00|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sunrpc; reference:cve,2012-2971; reference:url,www.securityfocus.com/archive/1/524461; classtype:attempted-admin; sid:24639; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC xdrDecodeString caller_name stack overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 B5|"; depth:12; offset:4; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,46535; reference:cve,2010-4227; classtype:misc-attack; sid:24503; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC CDE Calendar Manager service memory corruption attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 0A|"; within:4; distance:4; isdataat:272,relative; metadata:policy max-detect-ips drop; reference:bugtraq,36615; reference:cve,2010-4435; classtype:attempted-admin; sid:19173; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 36890 (msg:"PROTOCOL-RPC IBM Informix Dynamic Server librpc.dll buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 75 3D|"; within:4; distance:8; fast_pattern; byte_extract:4,0,credlen,relative,big; byte_test:4,>,credlen,4,relative,big; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,38471; reference:cve,2009-2753; classtype:attempted-admin; sid:18558; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC IBM Informix Dynamic Server librpc.dll buffer overflow attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 75 3D|"; within:4; distance:8; fast_pattern; byte_extract:4,0,credlen,relative,big; byte_test:4,>,credlen,4,relative,big; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,38471; reference:cve,2009-2753; classtype:attempted-admin; sid:18557; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux Kernel nfsd v4 CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 04 00 00 00 01|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; content:"|00 00 00 06 00 00 00|"; byte_test:1,>,2,0,relative; byte_test:1,<,5,0,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:17749; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [111,36890] (msg:"PROTOCOL-RPC Multiple vendors librpc.dll stack buffer overflow attempt - tcp"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:7; byte_test:1,&,0x80,8,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop; reference:bugtraq,38472; reference:cve,2009-2754; classtype:attempted-admin; sid:17206; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC Multiple vendors librpc.dll stack buffer overflow attempt - udp"; flow:to_server; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:7; byte_test:1,&,0x80,8,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,38472; reference:cve,2009-2754; classtype:attempted-admin; sid:17205; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC Oracle Solaris sadmind TCP data length integer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; byte_test:4,>,0xFFFFFEFF,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,35083; reference:cve,2008-3870; classtype:attempted-admin; sid:16797; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC Oracle Solaris sadmind UDP data length integer overflow attempt"; flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; byte_test:4,>,0xFFFFFEFF,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,35083; reference:cve,2008-3870; classtype:attempted-admin; sid:16796; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC Oracle Solaris sadmind TCP array size buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|"; distance:0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|"; within:4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,35083; reference:cve,2008-3869; classtype:attempted-admin; sid:16706; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC Oracle Solaris sadmind UDP array size buffer overflow attempt"; flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|"; distance:0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|"; within:4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,35083; reference:cve,2008-3869; classtype:attempted-admin; sid:16705; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux Kernel nfsd v3 tcp CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 0B|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; byte_jump:4,0,relative,big; pcre:"/^.\x00{3}(\x03|\x04)/sR"; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16702; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux Kernel nfsd v3 udp CAP_MKNOD security bypass attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 0B|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; byte_jump:4,0,relative,big; pcre:"/^.\x00{3}(\x03|\x04)/sR"; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16701; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux Kernel nfsd v2 tcp CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 09|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,32,relative,big; content:"|00 00|"; within:2; distance:1; byte_test:1,&,0x20,0,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16700; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux Kernel nfsd v2 udp CAP_MKNOD security bypass attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 09|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,32,relative,big; content:"|00 00|"; within:2; distance:1; byte_test:1,&,0x20,0,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16699; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC Solaris UDP portmap sadmin request attempt"; flow:to_client; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,31751; reference:cve,2008-4556; classtype:rpc-portmap-decode; sid:16447; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 395650 tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09 82|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16083; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 390113 tcp procedure 4 attempt"; flow:to_server,established; content:"|00 05 F3 E1|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13252; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"PROTOCOL-RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 00 00 06|"; within:4; distance:16; byte_test:4,>,127,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,25534; reference:cve,2007-3999; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt; classtype:attempted-admin; sid:12424; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [749,1024:] (msg:"PROTOCOL-RPC portmap 2112 tcp rename_principal attempt"; flow:to_server,established; content:"|00 00 08|@"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12187; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 04 93 E1 00 00 00 00|"; within:8; distance:16; metadata:policy max-detect-ips drop; reference:bugtraq,24655; reference:cve,2007-2442; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt; classtype:attempted-admin; sid:12075; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"PROTOCOL-RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; byte_test:4,>,0,20,relative; content:"|00 00 00 01|"; within:4; distance:16; byte_test:4,>,2147483647,8,relative; metadata:policy max-detect-ips drop; reference:bugtraq,24657; reference:cve,2007-2443; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt; classtype:attempted-admin; sid:12046; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap mountd tcp zero-length payload denial of service attempt"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; pcre:"/^[\x00\x80]\x00\x00\x00/s"; metadata:policy max-detect-ips drop; reference:bugtraq,16838; reference:cve,2006-0900; classtype:rpc-portmap-decode; sid:11289; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap mountd tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,16838; reference:cve,2006-0900; classtype:rpc-portmap-decode; sid:11288; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09|~"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:10482; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap BrightStor ARCserve denial of service attempt"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 00 00|"; within:4; distance:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,22365; reference:cve,2007-0816; classtype:attempted-dos; sid:10133; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap BrightStor ARCserve denial of service attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 00 00|"; within:4; distance:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,22365; reference:cve,2007-0816; classtype:attempted-dos; sid:10132; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP mount path overflow attempt"; flow:to_server; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,46535; reference:bugtraq,8179; reference:cve,2003-0252; reference:cve,2010-4227; reference:nessus,11800; classtype:misc-attack; sid:2185; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1749; reference:cve,1999-0208; classtype:misc-attack; sid:2089; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:misc-attack; sid:2088; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt UDP"; flow:to_server; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:21;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP mount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:1952; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:28;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:1277; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:598; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:591; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:25;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux kernel NFSv3 malformed WRITE arbitrary memory read attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 07|"; depth:24; offset:4; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_jump:4,0,relative; byte_extract:4,8,count,relative; byte_test:4,!=,count,4,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:cve,2017-7895; classtype:attempted-user; sid:43189; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux kernel NFSv2 malformed WRITE arbitrary memory read attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 08|"; depth:24; offset:4; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_extract:4,40,count,relative; byte_test:4,!=,count,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:cve,2017-7895; classtype:attempted-user; sid:43188; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux kernel nfsd nfsd4_layout_verify out of bounds read attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 04 00 00 00 01|"; depth:20; offset:8; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_jump:4,0,relative; content:"|00 00 00 01 00 00 00 01 00 00 00 32|"; within:12; byte_test:4,>,5,4,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,99298; reference:cve,2017-8797; reference:url,access.redhat.com/security/cve/cve-2017-8797; classtype:attempted-dos; sid:44638; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux kernel nfsd nfsd4_layout_verify out of bounds read attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 04 00 00 00 01|"; depth:20; offset:8; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_jump:4,0,relative; content:"|00 00 00 01 00 00 00 01 00 00 00 2F|"; within:12; byte_test:4,>,5,16,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,99298; reference:cve,2017-8797; reference:url,access.redhat.com/security/cve/cve-2017-8797; classtype:attempted-dos; sid:44637; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC XDR string allocation denial of service attempt"; flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; within:4; distance:4; fast_pattern; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 04 00 00 00 04|"; within:8; distance:24; byte_test:4,>,9000,0,relative; reference:bugtraq,98325; reference:cve,2017-8779; classtype:denial-of-service; sid:45108; rev:1;)


@@ -0,0 +1,409 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------------
# PROTOCOL-SCADA RULES
#----------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1217 (msg:"PROTOCOL-SCADA CoDeSys GatewayService heap overrun attempt"; flow:to_server,established; content:"|FF FF FF|"; depth:3; offset:13; byte_test:1,>,0xCB,-4,relative; content:"|00|"; depth:1; offset:5; content:"|00|"; within:1; distance:1; reference:bugtraq,50849; reference:cve,2011-5008; classtype:attempted-user; sid:44368; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|9E 19 00 00 49 A1 00 00 EF 03 00 00 70 4E 42 73 48 4A 53 59 62 70 58 61 6D 73 64 78 73 54 70 62|"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:29504; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt"; flow:to_server,established; content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; reference:cve,2013-2784; classtype:denial-of-service; sid:29965; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 20171 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 stack buffer overflow attempt"; flow:to_server,established; content:"|64 A1 18 00 00 00 83 C0 08 8B 20 81 C4 30 F8 FF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-0783; reference:url,www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf; classtype:attempted-admin; sid:30562; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"PROTOCOL-SCADA Multiple Schneider Electric SCADA products buffer overflow attempt"; flow:to_server,established; content:"|02 00 00 00 00|"; depth:9; byte_test:4,>=,225,0,relative; reference:bugtraq,29634; reference:cve,2008-2639; reference:url,citect.schneider-electric.com/scada/citectscada/about-citect-scada-2016; reference:url,igss.schneider-electric.com/products/igss/index.aspx; classtype:attempted-admin; sid:14265; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple coils - too many outputs"; flow:to_server,established; modbus_func:write_multiple_coils; byte_test:2,>,1968,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15076; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus user-defined function code - 65 to 72"; flow:to_server,established; byte_test:1,>,64,7; byte_test:1,<,73,7; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15074; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read multiple coils - too many inputs"; flow:to_server,established; modbus_func:read_coils; byte_test:2,>,2000,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15077; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus user-defined function code - 100 to 110"; flow:to_server,established; byte_test:1,>,99,7; byte_test:1,<,111,7; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15075; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory card format attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 04|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15411; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS file memory write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 11|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15407; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory area fill attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 03|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15390; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory area write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15389; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS RESET attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|04 03|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15409; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS program area clear attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 08|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15397; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory area fill overflow attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 03|"; depth:2; offset:10; isdataat:8,relative; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15413; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS access right forced acquire attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|0C 02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15402; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS program area protect clear attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 05|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15395; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS STOP attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|04 02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15399; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS file delete attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 05|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15404; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS parameter area clear attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|02 03|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15393; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS access right acquire attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|0C 01|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15401; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS forced set/reset cancel attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|23 01|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15406; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS RUN attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|04 01|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15398; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory area write overflow attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 02|"; depth:2; offset:10; isdataat:10,relative; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15412; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS memory area transfer attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 05|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15391; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS data link table write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|02|!"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15408; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS name delete attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"&|02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15410; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS program area write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 07|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15396; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS program area protect clear brute force attempt"; flow:to_server,no_stream; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 05 00 00 00 00 00 00 00 FF FF FF FF|"; depth:13; offset:10; detection_filter:track by_src, count 10, seconds 60; reference:url,attack.mitre.org/techniques/T1110; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15414; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS single file write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 03|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15403; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS clock write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|07 02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15400; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS parameter area write attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|02 02|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15392; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS forced set/reset attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|23 01|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15405; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9600 (msg:"PROTOCOL-SCADA OMRON-FINS program area protect attempt"; flow:to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 04|"; depth:2; offset:10; reference:url,forums.mrplc.com/index.php?download=467; classtype:protocol-command-decode; sid:15394; rev:4;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 parameter error"; flow:established,to_client; dnp3_ind:parameter_error; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15716; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 unsupported function code error"; flow:established,to_client; dnp3_ind:no_func_code_support; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15718; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 corrupt configuration"; flow:established,to_client; dnp3_ind:config_corrupt; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15714; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 link service not supported"; flow:established,to_client; content:"|05|d"; depth:2; byte_test:1,!&,64,1,relative; byte_test:1,&,1,3; byte_test:1,&,2,3; byte_test:1,&,4,3; byte_test:1,&,8,3; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15719; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 unknown object error"; flow:established,to_client; dnp3_ind:object_unknown; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15717; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 event buffer overflow error"; flow:established,to_client; dnp3_ind:event_buffer_overflow; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15715; rev:5;)
# alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"PROTOCOL-SCADA DNP3 device trouble"; flow:established,to_client; dnp3_ind:device_trouble; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15713; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read fifo queue from external source"; flow:to_server,established; modbus_func:read_fifo_queue; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17792; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read coils from external source"; flow:to_server,established; modbus_func:read_coils; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17788; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus initiate diagnostic from external source"; flow:to_server,established; modbus_func:diagnostics; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17795; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus mask write register from external source"; flow:to_server,established; modbus_func:mask_write_register; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17800; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record from external source"; flow:to_server,established; modbus_func:write_file_record; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17786; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus report slave id from external source"; flow:to_server,established; modbus_func:report_slave_id; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17798; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read exception status from external source"; flow:to_server,established; modbus_func:read_exception_status; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17794; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single coil from external source"; flow:to_server,established; modbus_func:write_single_coil; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17784; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus get com event counter from external source"; flow:to_server,established; modbus_func:get_comm_event_counter; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17796; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple registers from external source"; flow:to_server,established; modbus_func:write_multiple_registers; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17782; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple coils from external source"; flow:to_server,established; modbus_func:write_multiple_coils; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17785; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus get com event log from external source"; flow:to_server,established; modbus_func:get_comm_event_log; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17797; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input register from external source"; flow:to_server,established; modbus_func:read_input_registers; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17789; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read/write multiple registers from external source"; flow:to_server,established; modbus_func:read_write_multiple_registers; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17791; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single register from external source"; flow:to_server,established; modbus_func:write_single_register; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17783; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read device identification from external source"; flow:to_server,established; modbus_func:report_slave_id; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17799; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read holding registers from external source"; flow:to_server,established; modbus_func:read_holding_registers; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17790; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read file record from external source"; flow:to_server,established; modbus_func:read_file_record; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17793; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read discrete inputs from external source"; flow:to_server,established; modbus_func:read_discrete_inputs; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17787; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 777 (msg:"PROTOCOL-SCADA Kingview HMI heap overflow attempt"; flow:to_server,established; stream_size:client,>,2000; content:"|90 90 90 90 90 90 90 90|"; fast_pattern:only; reference:bugtraq,45727; reference:cve,2011-0406; classtype:attempted-admin; sid:18327; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7579 (msg:"PROTOCOL-SCADA Tecnomatix FactoryLink vrn.exe file access attempt"; flow:to_server,established; content:"|FF 55 08 00|"; depth:4; offset:4; pcre:"/^.{32}[^\x00\x5C]*\x5C/sR"; reference:bugtraq,46934; classtype:attempted-user; sid:18614; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"PROTOCOL-SCADA Tecnomatix FactoryLink CSService path overflow attempt"; flow:to_server,established; content:"LEN|00|"; depth:6; fast_pattern; nocase; content:"|00 00 00 06|"; distance:0; content:"|06|"; within:1; distance:4; byte_test:4,>,1024,0,relative,big; reference:bugtraq,46934; classtype:attempted-admin; sid:18605; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_CONNECT_FCS_LOGIN overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; content:"|01 00 01 00|"; within:4; distance:6; byte_test:4,>,1024,-10,little,relative; isdataat:1024,relative; content:!"|00|"; within:1024; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18658; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe report template operation overflow attempt"; flow:to_server,established; content:"|34 12 07 00|"; depth:4; offset:4; content:"|01 00 00 00|"; within:4; distance:6; isdataat:512,relative; pcre:"/^[\x02\x03\x04]\x00\x00\x00.*?\x00[^\x00]{512,}/R"; classtype:attempted-admin; sid:18652; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"PROTOCOL-SCADA Tecnomatix FactoryLink CSService file information access attempt"; flow:to_server,established; content:"LEN|00|"; depth:4; fast_pattern; nocase; content:"|00 00 00 10|"; distance:0; content:"|06|"; within:1; distance:4; byte_extract:4,0,str_size,relative,big; content:"|5C|"; within:str_size; distance:8; reference:bugtraq,46934; classtype:attempted-user; sid:18607; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7579 (msg:"PROTOCOL-SCADA Tecnomatix FactoryLink vrn.exe opcode 9 or 10 string parsing overflow attempt"; flow:to_server,established; content:"|FF 55|"; depth:2; offset:4; isdataat:933,relative; pcre:"/^[\x0A\x09]\x00.{32}[^\x3B]{900}/sR"; reference:bugtraq,46934; classtype:attempted-user; sid:18610; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"PROTOCOL-SCADA Tecnomatix FactoryLink CSService file access attempt"; flow:to_server,established; content:"LEN|00|"; depth:4; fast_pattern; nocase; content:"|00 00 00 08|"; distance:0; content:"|06|"; within:1; distance:4; byte_extract:4,0,str_size,relative,big; content:"|5C|"; within:str_size; distance:8; reference:bugtraq,46934; classtype:attempted-user; sid:18606; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B2 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B2 04 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18738; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x40000000,32,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18733; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x1BBC heap overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|BC 1B 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; distance:4; byte_jump:1,4,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x0040,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18729; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,28,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18734; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x1C84 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|84 1C 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x10000000,4,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18722; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x089A integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|9A 08 00 00|"; depth:4; offset:20; fast_pattern; content:"|00 20|"; within:2; distance:4; byte_test:4,>,0x20000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18730; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0DAE heap overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|AE 0D 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x0040,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18728; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x40000000,28,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18735; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B5 heap overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B5 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x0040,8,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18727; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x1C84 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|84 1C 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x10000000,4,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18721; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0453 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|53 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,22,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18731; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,24,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18736; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B2 heap overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B2 04 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x0040,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18726; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,32,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18732; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00|"; depth:3; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x40000000,24,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18737; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B0 heap overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B0 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x0040,28,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18725; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x1BBC integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|BC 1B 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; distance:4; byte_jump:1,4,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18787; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_CTAGLIST_FCS_XTAG overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; byte_test:4,>,1024,0,little,relative; isdataat:1024,relative; pcre:"/^.{6}\x05\x00[\x01\x02\x05]\x00.*?\x00[^\x00]{1024}/msR"; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18746; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0DB0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B0 0D 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18784; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B5 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B5 04 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x40000000,8,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18779; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_INFOTAG_SET_CONTROL overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; content:"|11 00 01 00|"; within:4; distance:6; byte_test:4,>,400,-10,little,relative; isdataat:400,relative; content:!"|00|"; within:400; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18752; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x1BBD integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|BD 1B 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; distance:4; byte_jump:1,4,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18788; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_CTAGLIST_FCS_XTAG overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; byte_test:4,>,200,0,little,relative; isdataat:200,relative; pcre:"/^.{6}[\x02\x04]\x00[\x0f\x10\x12\x13]\x00[^\x00]{200}/msR"; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18749; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0DAE integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|AE 0D 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18783; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0FA4 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|A4 0F 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x20000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18785; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x04B5 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|B5 04 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,8,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18778; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x26AC integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|AC 26 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18789; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x07D0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|D0 07 00 00|"; depth:4; offset:20; fast_pattern; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; content:!"|FF|"; within:1; byte_jump:1,0,relative; byte_test:4,>,0x40000000,4,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18780; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_MISC_FCS_MSGx overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; pcre:"/^.{6}\x0f\x00[\x01\x03]\x00/msR"; byte_test:4,>,0xffffffe9,0,relative,little; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18748; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_BINFILE_FCS_xFILE overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; byte_test:4,>,256,0,little,relative; isdataat:256,relative; pcre:"/^.{6}\x10\x00[\x01\x03\x08\x0A\x0B\x0D]\x00.{12}[^\x00]{256}/msR"; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18747; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x0FA7 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|A7 0F 00 00|"; depth:4; offset:20; fast_pattern; byte_test:4,>,0x40000000,0,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18786; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38080 (msg:"PROTOCOL-SCADA Iconics Genesis 32/64 GenBroker opcode 0x07D0 integer overflow attempt"; flow:to_server,established; content:"|01 00 00 01|"; depth:4; content:"|D0 07 00 00|"; depth:4; offset:20; fast_pattern; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; content:"|FF|"; within:1; byte_jump:2,0,relative,little; byte_test:4,>,0x40000000,4,relative,little; reference:url,www.vupen.com/english/advisories/2011/0740; classtype:attempted-admin; sid:18781; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA RealWin 2.1 FC_SCRIPT_FCS_STARTPROG overflow attempt"; flow:to_server,established; content:"|10 23 54 67|"; depth:4; content:"|09 00 12 00|"; within:4; distance:6; byte_test:4,>,4096,-10,little,relative; stream_size:client,>,4096; reference:url,secunia.com/advisories/43848; classtype:attempted-admin; sid:18750; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3250 (msg:"PROTOCOL-SCADA IntelliCom NetBiter config utility hostname overflow attempt"; flow:stateless; content:"hn"; nocase; isdataat:31,relative; pcre:"/^\s?=\s?[^\x3B]{31}/R"; reference:bugtraq,37325; reference:cve,2009-4462; reference:url,support.intellicom.se/showfile.cfm?FID=45; classtype:attempted-admin; sid:20052; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Cogent DataHub server-side information disclosure"; flow:to_server,established; content:".asp "; nocase; http_uri; pcre:"/\x2easp ($|\?)/iU"; metadata:service http; reference:cve,2011-3502; classtype:web-application-attack; sid:20173; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1330,1331,1332,4241,4242,4445,4446,5241,6543,9111,60093,49281] (msg:"PROTOCOL-SCADA RSLogix rna protocol denial of service attempt"; flow:to_server,established; content:"rna|F2|"; depth:4; content:"aaaaaaaaaa"; within:10; distance:4; reference:cve,2011-3489; reference:url,aluigi.altervista.org/adv/rslogix_1-adv.txt; classtype:attempted-dos; sid:20178; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Cogent DataHub server-side information disclosure"; flow:to_server,established; content:".asp."; nocase; http_uri; pcre:"/\x2easp\x2e($|\?)/iU"; metadata:service http; reference:cve,2011-3502; classtype:web-application-attack; sid:20174; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"PROTOCOL-SCADA DAQFactory NETB protcol stack overflow attempt"; flow:to_server; dsize:>370; content:"NETB"; depth:4; content:"|00|"; within:6; distance:230; reference:cve,2011-3492; reference:url,aluigi.altervista.org/adv/daqfactory_1-adv.txt; classtype:attempted-admin; sid:20176; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4502 (msg:"PROTOCOL-SCADA Cogent unicode buffer overflow attempt"; flow:to_server,established; content:"(register_datahub "; nocase; content:"|22|"; within:3; isdataat:100,relative; content:!"|22|"; within:100; metadata:service http; reference:cve,2011-3493; classtype:attempted-admin; sid:20209; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4502 (msg:"PROTOCOL-SCADA Cogent unicode buffer overflow attempt"; flow:to_server,established; content:"(domain "; nocase; content:"|22|"; within:3; isdataat:100,relative; content:!"|22|"; within:100; metadata:service http; reference:cve,2011-3493; classtype:attempted-admin; sid:20207; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4502 (msg:"PROTOCOL-SCADA Cogent unicode buffer overflow attempt"; flow:to_server,established; content:"(report_domain "; nocase; content:"|22|"; within:3; isdataat:100,relative; content:!"|22|"; within:100; metadata:service http; reference:cve,2011-3493; classtype:attempted-admin; sid:20208; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access"; flow:established,to_client; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)/siO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:20582; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access"; flow:established,to_client; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar1>\x22|\x27|)(\x25[dlnpsx])+|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.OcxSpool\s*\x28\s*(?P<quoteVar2>\x22|\x27|)(\x25[dlnpsx])+)/siO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:20581; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Progea Movicon/PowerHMI EIDP over HTTP memory corruption attempt"; flow:to_server,established; content:"EIDP"; depth:4; http_client_body; byte_test:4,>,0x7FFFFFFF,16,little,relative; metadata:service http; reference:bugtraq,49605; reference:cve,2011-3491; reference:cve,2011-3498; reference:cve,2011-3499; classtype:attempted-admin; sid:20638; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Microsys PROMOTIC ActiveX function call access"; flow:established,to_client; file_data; content:"PmTrdvw.TrendsViewCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22PmTrdvw\.TrendsViewCtl(\.\d)?\x22|\x27PmTrdvw\.TrendsViewCtl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveCfg|AddTrend)\s*|.*(?P=v)\s*\.\s*(SaveCfg|AddTrend)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PmTrdvw\.TrendsViewCtl(\.\d)?\x22|\x27PmTrdvw\.TrendsViewCtl(\.\d)?\x27)\s*\)(\s*\.\s*(SaveCfg|AddTrend)\s*|.*(?P=n)\s*\.\s*(SaveCfg|AddTrend)\s*)/smiO"; metadata:service http; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; reference:url,www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-286-01.pdf; classtype:attempted-user; sid:21001; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Microsys PROMOTIC ActiveX clsid access"; flow:established,to_client; file_data; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(SaveCfg|AddTrend)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(SaveCfg|AddTrend))/siO"; metadata:service http; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; reference:url,www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-286-01.pdf; classtype:attempted-user; sid:21000; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Siemens SIMATIC HMI Administrator cookie detected"; flow:to_server,established; content:"EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcio"; content:"EAAAAPiZE5314QWTlkMUFedwxt0qYWRtaW5pc3RyYXRvcio"; http_cookie; metadata:service http; reference:cve,2011-4508; reference:url,www.us-cert.gov/control_systems/pdf/ICSA-11-356-01.pdf; classtype:policy-violation; sid:21079; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"PROTOCOL-SCADA Sunway ForceControl SNMP NetDBServer integer signedness buffer overflow attempt"; flow:to_server,established; content:"|EB 50 EB 50|"; depth:4; byte_test:2,=,87,4,little; content:"|0D 0A|"; byte_test:1,>,32,1,relative; reference:url,aluigi.altervista.org/adv/forcecontrol_1-adv.txt; classtype:attempted-user; sid:21148; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"PROTOCOL-SCADA Sunway ForceControl SNMP NetDBServer integer signedness buffer overflow attempt"; flow:to_server,established; content:"|EB 50 EB 50|"; depth:4; byte_test:2,=,87,4,little; content:"|0D 0A|"; byte_test:1,<,0,1,relative; reference:url,aluigi.altervista.org/adv/forcecontrol_1-adv.txt; classtype:attempted-user; sid:21149; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"PROTOCOL-SCADA Sunway ForceControl SNMP NetDBServer integer signedness buffer overflow attempt"; flow:to_server,established; content:"|EB 50 EB 50|"; depth:4; byte_test:2,=,87,4,little; content:"|00 00 01 00|"; within:4; distance:4; byte_test:1,>,32,1,relative; reference:url,aluigi.altervista.org/adv/forcecontrol_1-adv.txt; classtype:attempted-user; sid:21146; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"PROTOCOL-SCADA Sunway ForceControl SNMP NetDBServer integer signedness buffer overflow attempt"; flow:to_server,established; content:"|EB 50 EB 50|"; depth:4; byte_test:2,=,87,4,little; content:"|00 00 01 00|"; within:4; distance:4; byte_test:1,<,0,1,relative; reference:url,aluigi.altervista.org/adv/forcecontrol_1-adv.txt; classtype:attempted-user; sid:21147; rev:2;)
# alert tcp $EXTERNAL_NET 54321 -> $HOME_NET any (msg:"PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt"; flow:to_client,established; dsize:>1080; content:"|28 10 00 29|"; depth:4; content:"|E8 D5 FD FF FF|"; within:5; distance:1076; reference:cve,2010-4741; reference:url,reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=1; classtype:attempted-user; sid:21483; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-SCADA General Electric d20me configuration retrieval attempt"; flow:to_server; content:"|00 01|"; depth:2; content:"D20.zl"; distance:0; nocase; reference:url,www.metasploit.com/modules/auxiliary/gather/d20pass; classtype:attempted-recon; sid:21490; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 46823 (msg:"PROTOCOL-SCADA Sielco Sistemi Winlog Pro stack buffer overflow attempt"; flow:to_server,established; content:"|02 01 01|"; depth:3; isdataat:70,relative; reference:bugtraq,45813; reference:cve,2011-0517; classtype:attempted-admin; sid:21491; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-SCADA General Electric D20ME backdoor attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"MONITOR:command.log"; distance:0; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/revisions/b73f28f29511d154aed9e94dd262195db60c7e3b/entry/unstable-modules/auxiliary/d20tftpbd.rb; classtype:attempted-admin; sid:21494; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt"; flow:to_server,established; isdataat:1024; content:"|00 01 03|"; depth:3; byte_test:4,>,0x410,23,little,relative; reference:cve,2011-4875; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:23006; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt"; flow:to_server,established; isdataat:1024; content:"|08 00 02|"; depth:3; byte_test:4,>,0x410,23,little,relative; reference:cve,2011-4875; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:23007; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt"; flow:to_server,established; isdataat:1024; content:"|00 04 02|"; depth:3; byte_test:4,>,0x410,3,little,relative; reference:cve,2011-4875; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:23004; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt"; flow:to_server,established; isdataat:1024; content:"|00 04 03|"; depth:3; byte_test:4,>,0x410,23,little,relative; reference:cve,2011-4875; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:23005; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-SCADA ScadaTec Procyon Core server password overflow attempt"; flow:to_server,established; content:"|66 81 CA FF 0F 42 52 6A 02 58 CD 2E 3C 05 5A 74 EF B8 63 30 30 6C 8B FA AF 75 EA AF 75 E7 FF E7|"; fast_pattern:only; metadata:service telnet; reference:bugtraq,49480; reference:cve,2011-3322; classtype:attempted-user; sid:23330; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA BroadWin WebAccess Client format string exploit attempt"; flow:to_server,established; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/<\s*script\s*\S*\s*>.*?[a-z0-9_-]+\.OcxSpool\s*\x28\s*([\x22\x27])[^\1]*(\x25[dlnpsx])[^\1]*\1/smi"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:23964; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA BroadWin WebAccess Client arbitrary memory corruption attempt"; flow:to_server,established; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/<\s*script\s*>.*?[a-z0-9_-]+\.(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29\s*\x3b/smi"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:23965; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Sinapsi command injection attempt"; flow:to_server,established; content:"/ping.php"; http_uri; content:"ip_dominio"; fast_pattern:only; http_client_body; pcre:"/ip_dominio.*?([\x26\x3b\x7c\x3e\x3c]|\x25(26|3b|7c|3e|3c))/Pi"; metadata:service http; reference:url,www.exploit-db.com/exploits/21273/; classtype:web-application-attack; sid:24425; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA DATAC RealWin System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; byte_test:4,>,700,0,relative,little; content:"|0A 00 05 00|"; within:4; distance:6; reference:cve,2011-1563; classtype:attempted-user; sid:24481; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Sinapsi SQL injection attempt"; flow:to_server,established; content:"/changelanguagesession.php"; fast_pattern:only; http_uri; pcre:"/[?&]lingua=[^&]+?([\x22\x27]|SELECT|UPDATE|INSERT)/Ui"; metadata:service http; reference:url,www.exploit-db.com/exploits/21273/; classtype:web-application-attack; sid:24422; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA DATAC RealWin System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; content:"|05 00 02 00|"; within:4; distance:6; isdataat:400,relative; reference:cve,2011-1563; classtype:attempted-user; sid:24477; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA DATAC RealWin System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; content:"|05 00 05 00|"; within:4; distance:6; isdataat:400,relative; reference:cve,2011-1563; classtype:attempted-user; sid:24478; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Sinapsi SQL hard coded user login attempt"; flow:to_server,established; content:"/login.php"; fast_pattern:only; http_uri; content:"astridservice"; http_client_body; metadata:service http; reference:url,www.exploit-db.com/exploits/21273/; classtype:web-application-attack; sid:24423; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA DATAC RealWin System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; byte_test:4,>,4096,0,relative,little; content:"|09 00 12 00|"; within:4; distance:6; reference:cve,2011-1563; classtype:attempted-user; sid:24479; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Sinapsi SQL hard coded user login attempt"; flow:to_server,established; content:"/login.php"; fast_pattern:only; http_uri; content:"36e44c9b64"; http_client_body; metadata:service http; reference:url,www.exploit-db.com/exploits/21273/; classtype:web-application-attack; sid:24424; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Sinapsi SQL injection attempt"; flow:to_server,established; content:"/dettagliinverter.php"; fast_pattern:only; http_uri; pcre:"/[?&]inverterselect=[^&]+?([\x22\x27]|SELECT|UPDATE|INSERT)/Ui"; metadata:service http; reference:url,www.exploit-db.com/exploits/21273/; classtype:web-application-attack; sid:24421; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"PROTOCOL-SCADA DATAC RealWin System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; content:"|05 00 01 00|"; within:4; distance:6; isdataat:400,relative; reference:cve,2011-1563; classtype:attempted-user; sid:24476; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access"; flow:established,to_server; file_data; content:"BWOCXRUN.BwocxrunCtrl.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar1>\x22|\x27|)(\x25[dlnpsx])+|.*(?P=v)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar2>\x22|\x27|)(\x25[dlnpsx])+)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\)(\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar3>\x22|\x27|)(\x25[dlnpsx])+|.*(?P=n)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar4>\x22|\x27|)(\x25[dlnpsx])+)/smiO"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24582; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access"; flow:established,to_server; file_data; content:"BWOCXRUN.BwocxrunCtrl.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|.*(?P=v)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\)(\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|.*(?P=n)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)/smiO"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24585; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access"; flow:established,to_server; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar1>\x22|\x27|)(\x25[dlnpsx])+|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.OcxSpool\s*\x28\s*(?P<quoteVar2>\x22|\x27|)(\x25[dlnpsx])+)/siO"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24581; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access"; flow:established,to_server; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)/siO"; metadata:policy security-ips drop, service smtp; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24584; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access"; flow:established,to_client; file_data; content:"BWOCXRUN.BwocxrunCtrl.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar1>\x22|\x27|)(\x25[dlnpsx])+|.*(?P=v)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar2>\x22|\x27|)(\x25[dlnpsx])+)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\)(\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar3>\x22|\x27|)(\x25[dlnpsx])+|.*(?P=n)\s*\.\s*OcxSpool\s*\x28\s*(?P<quoteVar4>\x22|\x27|)(\x25[dlnpsx])+)/smiO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24580; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access"; flow:established,to_client; file_data; content:"BWOCXRUN.BwocxrunCtrl.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|.*(?P=v)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x22|\x27BWOCXRUN\.BwocxrunCtrl\.1(\.\d)?\x27)\s*\)(\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29|.*(?P=n)\s*\.\s*(WriteTextData|CloseFile)\s*\x28[^\x28]*0x[a-f0-9]+[^\x29]*\x29)/smiO"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0242; reference:url,www.exploit-db.com/exploits/17772/; classtype:attempted-user; sid:24583; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Tridium Niagara directory traversal config.bog access attempt"; flow:to_server,established; content:"ord?file|3A 5E|config.bog"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2012-4027; classtype:attempted-admin; sid:25057; rev:3;)
# alert tcp $EXTERNAL_NET 502 -> $HOME_NET any (msg:"PROTOCOL-SCADA Modbus exception returned"; flow:established,to_client; byte_test:1,&,128,7; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15071; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Microsys Promotic directory traversal attempt"; flow:to_server,established; content:"/webdir/../../../../../"; metadata:service http; reference:bugtraq,50133; reference:cve,2011-4518; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-11-286-01; classtype:attempted-user; sid:28917; rev:3;)
# --- Modbus/TCP response sanity checks (reference: Modbus Application Protocol V1.1b) ---
# Shared shape: content:"|00 00|"; depth:2; offset:2 pins the MBAP protocol-id field to 0
# (Modbus). Offsets are absolute from the MBAP header: function code at 7, first PDU data
# byte (the byte count of a read response) at 8. modbus_func is a keyword supplied by the
# modbus preprocessor; these rules assume it is configured for port 502.
# sid 29206: read/write-multiple-registers response with byte count > 200.
# NOTE(review): 200 here and 125 in sid 29205 are lower than the 250 used by sid 29204;
# with 2 bytes per register and up to 125 registers a legitimate large read could trip
# these two -- confirm the intended limits against the referenced spec before enabling.
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read write register response - invalid byte count"; flow:to_client,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,200,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29206; rev:2;)
# sid 29205: read-input-registers response with byte count > 125 (see note on 29206).
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read input registers response invalid byte count"; flow:to_client,established; modbus_func:read_input_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,125,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29205; rev:2;)
# sid 29204: read-holding-registers response with byte count > 250.
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read holding register response - invalid byte count"; flow:to_client,established; modbus_func:read_holding_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29204; rev:3;)
# sid 29203: read-FIFO-queue response; here the byte count is a 2-byte field at 8-9 and
# the rule alerts when it exceeds 31.
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read fifo response invalid byte count"; flow:to_client,established; modbus_func:read_fifo_queue; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,31,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29203; rev:2;)
# sid 29202: read-discrete-inputs response with byte count > 250.
# NOTE(review): the msg is a verbatim copy of sid 29201's ("read coil status ...") even
# though modbus_func is read_discrete_inputs, so alerts from the two rules can only be
# told apart by sid. The alert text is upstream's; flagged here rather than edited.
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read coil status response - too many coils"; flow:to_client,established; modbus_func:read_discrete_inputs; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29202; rev:2;)
# sid 29201: read-coils response with byte count > 250.
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read coil status response - too many coils"; flow:to_client,established; modbus_func:read_coils; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29201; rev:2;)
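# sid 29200: write-single-coil request whose 2-byte output value (bytes 10-11) is neither
# of the two encodings the rule treats as legal, FF 00 and 00 00.
# FIX: the upstream form required byte 11 == 00 (content:"|00|"; depth:1; offset:11) and
# byte 10 not in {FF, 00}. That only ever fires when the LOW byte is 00, so values such as
# 12 34 or FF 01 -- exactly the malformed states an "invalid state" rule exists for --
# were never reported. The rewrite compares the whole 2-byte field against both legal
# values. isdataat:11 keeps the "at least 12 bytes" requirement the positive content
# match used to provide; without it the two negated contents would be vacuously true on
# a truncated PDU. rev is left at upstream's value so the edit is recognisable as local;
# prefer carrying it under a local sid in a local rules file if this file is refreshed.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single coil - invalid state"; flow:to_server,established; modbus_func:write_single_coil; content:"|00 00|"; depth:2; offset:2; isdataat:11; content:!"|FF 00|"; depth:2; offset:10; content:!"|00 00|"; depth:2; offset:10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29200; rev:2;)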
# --- Modbus/TCP request sanity checks and exception-based scan detection ---
# sid 29199: write-multiple-registers request with quantity (2 bytes at 10-11) > 100.
# NOTE(review): 100 is a tighter bound than the 123-register maximum the referenced spec
# allows for this function, as far as I recall -- confirm before enabling, otherwise
# valid 101..123-register writes will alert.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple registers - too many registers"; flow:to_server,established; modbus_func:write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,100,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29199; rev:2;)
# sids 29198 / 29197 share one msg; 29198 tests the write quantity (offset 14) and 29197
# the read quantity (offset 10), both against 125. NOTE(review): the spec's write-quantity
# cap for this function is lower than the read cap (0x79 vs 0x7D if I recall) -- verify.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read write multiple registers - too many writes"; flow:to_server,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,14; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29198; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read write multiple registers - too many writes"; flow:to_server,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29197; rev:2;)
# sid 29196: read-discrete-inputs request with quantity > 2000.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input status - too many inputs"; flow:to_server,established; modbus_func:read_discrete_inputs; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,2000,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29196; rev:2;)
# sids 29195 / 29194: read-input-registers / read-holding-registers request with quantity > 125.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input register - too many inputs"; flow:to_server,established; modbus_func:read_input_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29195; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read holding registers - too many inputs"; flow:to_server,established; modbus_func:read_holding_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29194; rev:2;)
# sids 29319 / 29318: function 0x2B (encapsulated interface transport) whose MEI-type byte
# -- byte 8, reached via within:1 after the byte-7 match -- is neither 0x0D nor 0x0E.
# Request and response variants are identical apart from direction.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus invalid encapsulated interface request"; flow:established,to_server; content:"|00 00|"; depth:2; offset:2; content:"|2B|"; depth:1; offset:7; content:!"|0D|"; within:1; content:!"|0E|"; within:1; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29319; rev:1;)
# alert tcp $EXTERNAL_NET 502 -> $HOME_NET any (msg:"PROTOCOL-SCADA Modbus invalid encapsulated interface response"; flow:established,to_client; content:"|00 00|"; depth:2; offset:2; content:"|2B|"; depth:1; offset:7; content:!"|0D|"; within:1; content:!"|0E|"; within:1; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29318; rev:1;)
# sid 29317: exception response (bit 0x80 set at byte 7) that carries data beyond the
# exception-code byte -- isdataat:9 is true when the payload is 10+ bytes long.
# alert tcp $EXTERNAL_NET 502 -> $HOME_NET any (msg:"PROTOCOL-SCADA Modbus invalid exception message"; flow:established,to_client; content:"|00 00|"; depth:2; offset:2; byte_test:1,&,128,7; isdataat:9; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29317; rev:1;)
# sids 29316 / 29315 / 29314: exception responses with exception code 0x03 / 0x02 / 0x01 at
# byte 8. detection_filter fires on the 3rd match to the same destination within 10 s;
# since the source is $HOME_NET:502 the tracked destination is the external client, i.e.
# the host doing the probing. no_stream limits these to non-reassembled packets.
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus value scan"; flow:established,to_client,no_stream; content:"|00 00|"; depth:2; offset:2; byte_test:1,&,128,7; content:"|03|"; depth:1; offset:8; detection_filter:track by_dst, count 3, seconds 10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29316; rev:2;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus list scan"; flow:established,to_client,no_stream; content:"|00 00|"; depth:2; offset:2; byte_test:1,&,128,7; content:"|02|"; depth:1; offset:8; detection_filter:track by_dst, count 3, seconds 10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29315; rev:2;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus function scan"; flow:established,to_client,no_stream; content:"|00 00|"; depth:2; offset:2; byte_test:1,&,128,7; content:"|01|"; depth:1; offset:8; detection_filter:track by_dst, count 3, seconds 10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29314; rev:2;)
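# sid 29534: CODESYS Gateway-Server invalid memory access (CVE-2012-4704).
# content checks: DD DD at bytes 0-1, 00 00 at 20-21, and bytes 22-25 not all zero; the
# pcre then requires the 2-byte word at 18-19 to be one of 09 00 / 0E 00 / EE 03.
# FIX: upstream's pcre was /^\xDD\xDD.{16}(\x09\x00)|(\x0E\x00)|(\xEE\x03)\x00\x00/.
# An unparenthesised "|" has the lowest precedence, so that was three independent
# alternatives: the first anchored form, then "\x0E\x00 anywhere in the payload", then
# "\xEE\x03\x00\x00 anywhere" -- not "one of three words at offset 18 followed by 00 00".
# Grouping the alternation restores the evident intent and only narrows the match set.
# The "s" flag is added so that "." also matches 0x0A; without it a 0x0A byte anywhere
# in bytes 2-17 of this binary protocol made the anchored branch fail.
# rev is left at upstream's value so the edit is recognisable as local; prefer carrying
# it under a local sid in a local rules file if this file is refreshed.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|00 00|"; within:2; distance:18; content:!"|00 00 00 00|"; within:4; pcre:"/^\xDD\xDD.{16}(\x09\x00|\x0E\x00|\xEE\x03)\x00\x00/s"; reference:bugtraq,58032; reference:cve,2012-4704; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:29534; rev:3;)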
# --- Assorted HMI/SCADA server-side memory-corruption signatures ---
# sid 29515: ScadaTec Procyon on telnet/23 -- a fixed 14-byte blob at bytes 65-78. The
# shape (4 distinct bytes then ten 0x90) looks like one specific PoC's return address
# and padding; an exploit using a different address would not match.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-SCADA ScadaTec Procyon Core server password overflow attempt"; flow:to_server,established; content:"|BF 99 46 77 90 90 90 90 90 90 90 90 90 90|"; depth:14; offset:65; metadata:service telnet; reference:bugtraq,49480; reference:cve,2011-3322; classtype:attempted-user; sid:29515; rev:3;)
# sid 29505: IGSS dc.exe -- the 20-byte content is the ASCII string "TOFUVuGxzDfahDNZemBF",
# presumably a token from the public PoC rather than anything structural. sid 31438 below
# covers the same CVE by matching on the protocol header and payload length instead.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt"; flow:to_server,established; content:"|54 4F 46 55 56 75 47 78 7A 44 66 61 68 44 4E 5A 65 6D 42 46|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2011-1567; classtype:attempted-admin; sid:29505; rev:3;)
# sid 29964: WinCC flexible runtime -- UTF-16LE "../" (2E 00 2E 00 2F 00) anywhere at or
# after offset 30 (offset without depth is an open-ended search).
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime directory traversal attempt"; flow:to_server,established; content:"|2E 00 2E 00 2F 00|"; offset:30; reference:cve,2011-4876; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29964; rev:2;)
# sid 29963: opcode 00 04 03 at 0-2, little-endian dword at 23 > 0x410, and payload of at
# least 1026 bytes (isdataat:1025).
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime DoS attempt"; flow:to_server,established; content:"|00 04 03|"; depth:3; byte_test:4,>,0x410,23,little; isdataat:1025; reference:cve,2011-4877; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29963; rev:1;)
# sids 29962 / 29961 / 29960: opcode 00 04 28 / 22 / 21 at 0-2 with a payload of at least
# 1025 bytes (isdataat:1024). No length-field check, just oversize.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime DoS attempt"; flow:to_server,established; isdataat:1024; content:"|00 04 28|"; depth:3; reference:cve,2011-4877; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29962; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime DoS attempt"; flow:to_server,established; isdataat:1024; content:"|00 04 22|"; depth:3; reference:cve,2011-4877; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29961; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime DoS attempt"; flow:to_server,established; isdataat:1024; content:"|00 04 21|"; depth:3; reference:cve,2011-4877; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29960; rev:1;)
# sid 29959: opcode 00 08 02 at 0-2, then the little-endian dword at 6-9 (relative 3 after
# the 3-byte match) > 0x410, with a payload of at least 1025 bytes.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2308,50523] (msg:"PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt"; flow:to_server,established; isdataat:1024; content:"|00 08 02|"; depth:3; byte_test:4,>,0x410,3,little,relative; reference:cve,2011-4875; reference:url,www.exploit-db.com/exploits/18166/; classtype:attempted-admin; sid:29959; rev:2;)
# sid 29954: CODESYS heap overflow -- DD DD header, command word 06 00 00 00 at 18-21, then
# the little-endian dword 260 bytes further on (bytes 282-285) > 0x7fffffff, i.e. with its
# sign bit set.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server heap buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|06 00 00 00|"; within:4; distance:16; byte_test:4,>,0x7fffffff,260,relative,little; reference:cve,2012-4706; classtype:attempted-admin; sid:29954; rev:2;)
# --- Yokogawa CENTUM CS 3000 ---
# sid 30802 (ENABLED, drop in balanced/security policies): UDP/52302 datagram of exactly
# 1024 bytes (dsize), header 00 04 00 00, eight NUL bytes at 16-23, and no NUL at all in
# the following 1000 bytes -- an unterminated string filling the rest of the datagram.
# detection_filter means the alert is raised on the 2nd such datagram to a destination
# within 1 s; a single packet alone does not alert.
alert udp $EXTERNAL_NET any -> $HOME_NET 52302 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 bkclogserv buffer overflow attempt"; flow:to_server,no_stream; dsize:1024; content:"|00 04 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:12; content:!"|00|"; within:1000; detection_filter:track by_dst, count 2, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,66130; reference:cve,2014-0781; classtype:attempted-admin; sid:30802; rev:3;)
# sids 30801..30797: bkbcopyd on TCP/20111 -- a command keyword at the start of the payload
# (PMODE / XATR / ATTR / STOR / RETR), the bytes 5D 62 04 64 at a fixed offset (129 after
# the 5-byte PMODE, 128 after the 4-byte commands) and FF FF FF FF four bytes later. Those
# trailing bytes look PoC-specific (a particular address plus filler); a variant using a
# different address would not match.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20111 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 PMODE bkbcopyd buffer overflow attempt"; flow:to_server,established; content:"PMODE"; depth:5; fast_pattern; content:"|5D 62 04 64|"; within:4; distance:124; content:"|FF FF FF FF|"; within:4; distance:4; metadata:policy security-ips drop; reference:bugtraq,66114; reference:cve,2014-0784; classtype:attempted-user; sid:30801; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20111 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 XATR bkbcopyd buffer overflow attempt"; flow:to_server,established; content:"XATR"; depth:4; fast_pattern; content:"|5D 62 04 64|"; within:4; distance:124; content:"|FF FF FF FF|"; within:4; distance:4; metadata:policy security-ips drop; reference:bugtraq,66114; reference:cve,2014-0784; classtype:attempted-user; sid:30800; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20111 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 ATTR bkbcopyd buffer overflow attempt"; flow:to_server,established; content:"ATTR"; depth:4; fast_pattern; content:"|5D 62 04 64|"; within:4; distance:124; content:"|FF FF FF FF|"; within:4; distance:4; metadata:policy security-ips drop; reference:bugtraq,66114; reference:cve,2014-0784; classtype:attempted-user; sid:30799; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20111 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 STOR bkbcopyd buffer overflow attempt"; flow:to_server,established; content:"STOR"; depth:4; fast_pattern; content:"|5D 62 04 64|"; within:4; distance:124; content:"|FF FF FF FF|"; within:4; distance:4; metadata:policy security-ips drop; reference:bugtraq,66114; reference:cve,2014-0784; classtype:attempted-user; sid:30798; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20111 (msg:"PROTOCOL-SCADA Yokogawa CENTUM CS 3000 RETR bkbcopyd buffer overflow attempt"; flow:to_server,established; content:"RETR"; depth:4; fast_pattern; content:"|5D 62 04 64|"; within:4; distance:124; content:"|FF FF FF FF|"; within:4; distance:4; metadata:policy security-ips drop; reference:bugtraq,66114; reference:cve,2014-0784; classtype:attempted-user; sid:30797; rev:2;)
# --- Modbus/TCP write-file-record (function 0x15) checks ---
# Four checks, each in a response (30823..30820, server -> client) and a request
# (30819..30816, client -> server) variant that differ only in direction. Layout assumed
# by the offsets: request data length / byte count at 8, reference type at 9, sub-request
# fields from 10 onward.
#   small byte count  : byte 8 < 9
#   large byte count  : byte 8 > 251
#   invalid ref type  : byte 9 != 0x06
#   large reference   : big-endian dword at 10-13 > 9999
# NOTE(review): on the "large reference value" pair, byte_test:4 at offset 10 spans what
# the referenced spec lays out as two separate 2-byte fields (file number at 10-11, record
# number at 12-13). Read as one big-endian 32-bit number, anything with a non-zero file
# number already exceeds 9999, so the rule would fire on every well-formed sub-request;
# a 2-byte test at offset 12 may have been intended. Confirm before enabling.
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - small byte count"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,<,9,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30823; rev:1;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - large reference value"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:4,>,9999,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30822; rev:1;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - large byte count"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,251,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30821; rev:1;)
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - invalid reference type"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; content:!"|06|"; depth:1; offset:9; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30820; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - small byte count"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,<,9,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30819; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - large reference value"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:4,>,9999,10; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30818; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - large byte count"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,251,8; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30817; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - invalid reference type"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; content:!"|06|"; depth:1; offset:9; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30816; rev:1;)
# --- Yokogawa BKESimmgr, IGSS (structured form), KingSCADA, ABB MicroSCADA ---
# sid 31037: 12-byte fast_pattern blob anywhere, header 00 00 00 01 at 0-3, and the bytes
# 81 C4 54 F2 FF FF 132 bytes further on. That last sequence looks like x86 "add esp, imm32"
# with a negative immediate -- i.e. shellcode from a specific PoC; other payloads will not match.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 34205 (msg:"PROTOCOL-SCADA Yokogawa CS3000 BKESimmgr.exe buffer overflow attempt"; flow:to_server,established; content:"|4F 27 D1 61 5C E6 40 00 90 EB 40 00|"; fast_pattern:only; content:"|00 00 00 01|"; depth:4; content:"|81 C4 54 F2 FF FF|"; distance:132; reference:cve,2014-0782; reference:url,www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf; classtype:attempted-user; sid:31037; rev:1;)
# sid 31438: IGSS dc.exe -- 01 00 at 2-3, command dword 0D 00 00 00 at 6-9, then at least
# 466 further bytes. This is the header-based counterpart of the token-based sid 29505.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt"; flow:to_server,established; content:"|01 00|"; depth:2; offset:2; content:"|0D 00 00 00|"; within:4; distance:2; isdataat:466,relative; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-admin; sid:31438; rev:3;)
# sid 32059 (ENABLED, drop in balanced/connectivity/security): 8-byte header D2 04 00 00
# 7B 00 00 00, then the little-endian dword at 8-11 > 0x7EF (2031).
alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA KingSCADA Alarm Server stack buffer overflow attempt"; flow:to_server,established; content:"|D2 04 00 00 7B 00 00 00|"; depth:8; byte_test:4,>,0x7EF,0,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,66709; reference:cve,2014-0787; classtype:attempted-admin; sid:32059; rev:2;)
# sid 33015: "EXECUTE\0" (case-insensitive) somewhere in bytes 4-15 of the payload. No
# check on what follows, so any EXECUTE command alerts, not only a malicious one; the only
# reference is a third-party exploit module, no CVE.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12221 (msg:"PROTOCOL-SCADA ABB MicroSCADA wserver.exe EXECUTE remote code execution attempt"; flow:to_server,established; content:"EXECUTE|00|"; depth:12; offset:4; nocase; metadata:policy max-detect-ips drop; reference:url,packetstorm.sigterm.no/1311-exploits/abb_wserver_exec.rb.txt; classtype:attempted-user; sid:33015; rev:5;)
# --- Advantech WebAccess ActiveX command execution (CVE-2014-0773) ---
# Two delivery paths x two identifiers. The fast_pattern is either the control's CLSID
# (5C2A52BD-...) or its ProgID (BWOCXRUN.BwocxrunCtrl); the body must then contain
# ".CreateProcess" followed by ".exe" and, within 200 bytes of that, a second ".exe".
# The SMTP pair inspects mail bodies/attachments via file_data on traffic to
# $SMTP_SERVERS:25; the HTTP pair is server -> client page content.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt"; flow:to_server,established; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; content:"|2E|CreateProcess"; nocase; content:"|2E|exe"; within:200; nocase; content:"|2E|exe"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0773; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33002; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt"; flow:to_server,established; file_data; content:"BWOCXRUN.BwocxrunCtrl"; fast_pattern:only; content:"|2E|CreateProcess"; nocase; content:"|2E|exe"; within:200; nocase; content:"|2E|exe"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0773; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33001; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt"; flow:to_client,established; file_data; content:"BWOCXRUN.BwocxrunCtrl"; fast_pattern:only; content:"|2E|CreateProcess"; nocase; content:"|2E|exe"; within:200; nocase; content:"|2E|exe"; within:200; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2014-0773; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33000; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt"; flow:to_client,established; file_data; content:"5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"; fast_pattern:only; content:"|2E|CreateProcess"; nocase; content:"|2E|exe"; within:200; nocase; content:"|2E|exe"; within:200; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2014-0773; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:32999; rev:5;)
# --- 3S / CODESYS Gateway-Server (TCP 1210/1211), DD DD framed requests ---
# sids 26504 / 26503 / 26502: command dword at 18-21 (F1 03 00 00 / 04 00 00 00 /
# 06 00 00 00) followed by N bytes (384 / 464 / 232) containing no NUL -- an unterminated
# string at least N bytes long where a C string is expected.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|F1 03 00 00|"; within:4; distance:16; isdataat:384,relative; content:!"|00|"; within:384; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-4708; classtype:attempted-admin; sid:26504; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|04 00 00 00|"; within:4; distance:16; isdataat:464,relative; content:!"|00|"; within:464; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-4708; classtype:attempted-admin; sid:26503; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|06 00 00 00|"; within:4; distance:16; isdataat:232,relative; content:!"|00|"; within:232; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-4708; classtype:attempted-admin; sid:26502; rev:9;)
# sid 26488: ".." starting somewhere in bytes 22-24, then one arbitrary byte, then ".."
# again -- i.e. "..X.." with any separator, so both "..\.." and "../.." are caught.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server directory traversal attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:".."; within:3; distance:20; content:".."; within:2; distance:1; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26488; rev:11;)
# sid 26415: the single literal path ..\..\WINDOWS\system32\wbem\mof\ (a PoC's drop
# location); any other target path is left to sid 26488.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server directory traversal attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"..|5C|..|5C|WINDOWS|5C|system32|5C|wbem|5C|mof|5C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26415; rev:12;)
# sid 26414: traversal followed by an embedded PE image. After "MZ" the cursor sits at MZ+2;
# byte_jump reads the 4-byte little-endian value at relative 58 (MZ+60, the e_lfanew field),
# leaving the cursor at MZ+64, jumps that far, and distance:-64 then lands exactly at
# MZ+e_lfanew, where "PE\0\0" must appear -- a structural PE check, not just "MZ" anywhere.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server executable file upload attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"..|5C|..|5C|"; distance:0; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,58032; reference:cve,2012-4705; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:26414; rev:12;)
# --- Schneider Electric IGSS integer underflow (CVE-2013-0657), TCP 12397/12399 ---
# sid 26392 (ENABLED, drop in all four policies): one fixed 16-byte header -- the exact
# bytes of a known PoC, presumably; it does not generalise to other lengths.
alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|10 60 00 00 66 66 07 00 10 00 00 00 19 00 00 00|"; depth:16; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:26392; rev:7;)
# sids 25852 / 25851 (ENABLED, drop in all four policies): zero dword at 4-7, then the
# little-endian dword N at 8-11 is used as a jump: cursor 12 + N, post_offset -4 => 8+N.
# The little-endian dword found there is then required to be > 0x800 (25852) or < 0x20
# (25851). So N is treated as a length that locates a trailing field; the message's
# "underflow" presumably refers to the small-value case.
alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:4; byte_jump:4,0,relative,little,post_offset -4; byte_test:4,>,0x800,0,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:25852; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:4; byte_jump:4,0,relative,little,post_offset -4; byte_test:4,<,0x20,0,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:25851; rev:8;)
# sids 25850 / 25849 (disabled): the earlier, simpler forms of the two checks above, applied
# directly to the dword at 8 -- > 0x800, or (bytes 9-11 zero and byte 8 < 0x20, i.e. the
# little-endian dword < 0x20). No protocol framing is checked, hence presumably retired in
# favour of the jump-based rules.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; byte_test:4,>,0x800,8,little; metadata:policy max-detect-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:25850; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [12397,12399] (msg:"PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; offset:9; byte_test:1,<,0x20,8; metadata:policy max-detect-ips drop; reference:cve,2013-0657; classtype:attempted-user; sid:25849; rev:9;)
# --- Older HMI/SCADA server signatures (GE, WellinTech, Beckhoff, Measuresoft, Cogent,
# --- IGSS, RealWin, CoDeSys, Rockwell) ---
# sid 24803: GE Proficy -- fixed 7-byte header, a 9-byte marker 4 bytes later, then a
# big-endian 4-byte length (filename_len) and UTF-16 ".." (00 2E 00 2E) somewhere in the
# following filename_len bytes after skipping 4.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5159 (msg:"PROTOCOL-SCADA GE Proficy Real-Time Information Portal directory traversal attempt"; flow:to_server,established; content:"|43 00 01 00 00 00 0C|"; depth:7; content:"|00 00 00 00 01 00 00 00 01|"; within:9; distance:4; byte_extract:4,0,filename_len,relative; content:"|00 2E 00 2E|"; within:filename_len; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,52439; reference:cve,2012-0232; reference:url,support.ge-ip.com/support/index?page=kbchannel&id=S:KB14768; classtype:attempted-admin; sid:24803; rev:6;)
# sid 24480: Kingview -- 03 00 00 at 2-4, little-endian word right after it > 9, then
# element_count = (little-endian word 4 bytes further on) * 12, and the next little-endian
# word must exceed element_count. I.e. a declared size that is inconsistent with the
# declared element count; the exact field names are not visible here.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 777 (msg:"PROTOCOL-SCADA WellinTech Kingview HMI history server buffer overflow attempt"; flow:to_server,established; content:"|03 00 00|"; depth:3; offset:2; byte_test:2,>,9,0,little; byte_extract:2,4,element_count,relative,little,multiplier 12; byte_test:2,>,element_count,0,little; metadata:policy max-detect-ips drop; reference:cve,2011-4536; classtype:attempted-admin; sid:24480; rev:11;)
# sid 20216: Beckhoff TwinCAT over UDP/48899 -- 03 66 14 71 anywhere plus a payload of at
# least 24 bytes. No flow keyword (UDP).
# alert udp $EXTERNAL_NET any -> $HOME_NET 48899 (msg:"PROTOCOL-SCADA Beckhoff TwinCAT DoS"; content:"|03 66 14 71|"; isdataat:23; metadata:policy max-detect-ips drop; reference:cve,2011-3486; classtype:attempted-dos; sid:20216; rev:7;)
# sids 20215 / 20214: Measuresoft ScadaPro on 11234 -- the payload must begin with one of
# x/o/u/n/w/R followed by "f%" (case-insensitive); 20215 then needs "..\..\" before the
# first newline, 20214 needs "msvcrt.dll" anywhere.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11234 (msg:"PROTOCOL-SCADA Measuresoft ScadaPro directory traversal file operation attempt"; flow:to_server,established; content:"..|5C|..|5C|"; fast_pattern:only; pcre:"/^[xounwR]f\x25[^\n]*(\.\.\x5C){2}/i"; metadata:policy max-detect-ips drop; reference:cve,2011-3490; reference:cve,2011-3495; reference:cve,2011-3496; reference:cve,2011-3497; classtype:attempted-admin; sid:20215; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11234 (msg:"PROTOCOL-SCADA Measuresoft ScadaPro msvcrt.dll local command execution attempt"; flow:to_server,established; content:"xf%"; depth:3; content:"msvcrt.dll"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2011-3490; reference:cve,2011-3495; reference:cve,2011-3496; reference:cve,2011-3497; classtype:attempted-admin; sid:20214; rev:9;)
# sid 20210: Cogent on 4502 -- "(slave " then a double quote within 3 bytes and at least
# 100 bytes with no closing quote. NOTE(review): metadata carries service http although the
# port is 4502; with target-based (appid/service) matching this may matter -- verify.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4502 (msg:"PROTOCOL-SCADA Cogent unicode buffer overflow attempt"; flow:to_server,established; content:"(slave "; nocase; content:"|22|"; within:3; isdataat:100,relative; content:!"|22|"; within:100; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3493; classtype:attempted-admin; sid:20210; rev:11;)
# sid 20030: IGSS data server -- 01 00 at 2-3, 0D at 6, ".." anywhere; the pcre then requires
# an op byte 1..6 at 18 followed by a doubled "../" or "..\".
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt"; flow:to_server,established; content:"|01 00|"; depth:2; offset:2; content:"|0D|"; within:1; distance:2; content:"|2E 2E|"; fast_pattern:only; pcre:"/.{18}[\x01\x02\x03\x04\x05\x06]\x00\x00\x00.+?(\x2E{2}[\x5C\x2F]){2}/"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-admin; sid:20030; rev:13;)
# sid 18659: RealWin on 912 -- magic 64 12 54 6A, little-endian dword at 8 > 200, and the
# pcre restricts byte 4 to 02/20/10 with bytes 5-7 zero.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"PROTOCOL-SCADA RealWin 2.1 SCPC_INITIALIZE overflow attempt"; flow:to_server,established; content:"|64 12 54 6A|"; depth:4; byte_test:4,>,200,8,little; pcre:"/^\x64\x12\x54\x6A[\x02\x20\x10]\x00\x00\x00/"; metadata:policy max-detect-ips drop; reference:bugtraq,44150; reference:cve,2010-4142; classtype:attempted-admin; sid:18659; rev:9;)
# sid 18657: IGSS on 12397 -- op byte 17/0A at 12, then a NUL-free run containing a doubled
# "../" or "..\" starting 28 bytes after the op dword.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12397 (msg:"PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt"; flow:to_server,established; content:"|2E 2E|"; fast_pattern:only; pcre:"/^.{12}[\x17\x0A]\x00\x00\x00.{28}[^\x00]*(\x2E{2}[\x5C\x2F]){2}/"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-admin; sid:18657; rev:12;)
# sids 18656 / 18654 / 18651 / 18649 / 18648: IGSS data server on 12401. All key on a
# command byte at 6 (08 / 07 / 07 / 01 00 34 12 at 2-5 / 0D) and 01 00 00 00 seven bytes
# later, then use a /R (relative) pcre to require, respectively: a 256+ byte NUL-free run
# after a 04 00 00 00 sub-op (strcpy-style overflow); a "%n" in a NUL-free run after sub-op
# 03 (format string); a 256+ byte run after sub-op 04/05/06 (report template); a 444+ byte
# run after sub-op 01..07 (file operation); a doubled "../" after sub-op 02/03 (upload/download).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe strep overflow attempt"; flow:to_server,established; content:"|04 00 00 00|"; fast_pattern:only; content:"|08|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; isdataat:260,relative; pcre:"/^\x04\x00\x00\x00[^\x00]{256,}/R"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-admin; sid:18656; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe format string attempt"; flow:to_server,established; content:"|25 6E|"; fast_pattern:only; content:"|07|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; pcre:"/^\x03\x00\x00\x00[^\x00]*\x25\x6e/R"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; reference:cve,2011-1568; classtype:attempted-admin; sid:18654; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe report template overflow attempt"; flow:to_server,established; content:"|07|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; isdataat:260,relative; pcre:"/^[\x04\x05\x06]\x00\x00\x00[^\x00]{256,}/R"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-admin; sid:18651; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation overflow attempt"; flow:to_server,established; content:"|01 00 34 12|"; depth:4; offset:2; isdataat:466,relative; pcre:"/^.{2}\x01\x00\x34\x12.{12}[\x01\x02\x03\x04\x05\x06\x07]\x00\x00\x00[^\x00]{444,}/"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; reference:cve,2011-4050; classtype:attempted-admin; sid:18649; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"PROTOCOL-SCADA IGSS IGSSDataServer.exe file upload/download attempt"; flow:to_server,established; content:"|2E 2E|"; fast_pattern:only; content:"|0D|"; depth:1; offset:6; content:"|01 00 00 00|"; within:4; distance:7; pcre:"/^[\x02\x03]\x00\x00\x00[^\x00]*(\x2E{2}[\x5C\x2F]){2}/R"; metadata:policy max-detect-ips drop; reference:bugtraq,46936; reference:cve,2011-1567; classtype:attempted-user; sid:18648; rev:12;)
# sid 39391: CoDeSys -- DD DD at 0-1, then the little-endian dword at 14-17 (relative 12
# from the cursor at 2) > 400. Generic length check; the three 265xx rules above are the
# per-command forms.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA 3S CoDeSys Gateway Server stack buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; byte_test:4,>,400,12,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-4708; classtype:attempted-admin; sid:39391; rev:2;)
# sid 40333: Rockwell firmware upload over EtherNet/IP 44818. NOTE(review): the first
# content "|6F 00|" has no depth, so it is not pinned to the encapsulation header and may
# match anywhere in the stream; the later offsets are relative to wherever it hit. The
# pcre's "i" flag is harmless for these non-alphabetic bytes. Reviewer inference; not
# grounded in the rule text beyond the missing depth.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"PROTOCOL-SCADA Rockwell firmware upload attempt"; flow:to_server,established; content:"|6F 00|"; content:"|00 00 00 00|"; within:4; distance:6; content:"|00 00 00 00|"; within:4; distance:8; pcre:"/(\x20\xa1|\x21\x00\xa1\x00)(\x24[\x01-\xff]|\x25\x00[\x01-\xff]\x00)/smi"; reference:cve,2012-6437; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=27868; classtype:policy-violation; sid:40333; rev:1;)
# sids 40518 / 40517: ControlLogix over 2222/44818 -- 6F 00 at 0-1, four zero bytes at 24-27,
# cipsize = 2-byte big-endian value at 38-39, and then within cipsize bytes either the
# sequence 07 02 20 64 24 01 (per msg: stop CPU) or a 0x10 service byte followed one byte
# later by 20 F5 (per msg: network policy change). Both are classtype policy-violation,
# i.e. they flag legitimate-looking control commands, not exploits; scope them to known
# engineering workstations before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Stop CPU attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; byte_extract:2,10,cipsize,relative; content:"|07 02 20 64 24 01|"; within:cipsize; classtype:policy-violation; sid:40518; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Network Policy Change attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; byte_extract:2,10,cipsize,relative; content:"|10|"; within:cipsize; content:"|20 F5|"; within:2; distance:1; classtype:policy-violation; sid:40517; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 2404 (msg:"PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET"; flow:established; content:"|68|"; depth:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41079; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2404 (msg:"PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET"; flow:established; content:"|68|"; depth:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41078; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 unknown ASDU type detected"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x16-\x1D\x29-\x2C\x34-\x39\x41-\x45]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41077; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 double command issued"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x2e\x3b]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41076; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 counter interrogation command"; flow:established; content:"|68|"; content:"|65|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41075; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 clock sync command"; flow:established; content:"|68|"; content:"|67|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41074; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 bitstring of 32 bits"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x33\x40\x07\x21]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41073; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Test command with time tag"; flow:established; content:"|68|"; content:"|6B|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41072; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Step point information"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x05\x20]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41071; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Single point information"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x14\x01\x1e]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41070; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Single command"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x2d\x3a]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41069; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Set point command"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x30\x31\x32\x3d\x3e\x3f]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41068; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Rest process command"; flow:established; content:"|68|"; content:"|69|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41067; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Regulating step command"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x2f\x3c]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41066; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Read command"; flow:established; content:"|68|"; content:"|66|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41065; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Query Log"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x7a\x7f]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41064; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Parameter value"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x71\x6e\x6f\x70]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41063; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Packed start events"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x26\x27\x28]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41062; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Measured value"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x09\x0b\x0d\x15\x22\x23\x24]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41061; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 List directory"; flow:established; content:"|68|"; content:"|7E|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41060; rev:4;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Last section"; flow:established; content:"|68|"; content:"|7B|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41059; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Interrogation command"; flow:established; content:"|68|"; content:"|64|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41058; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Integrated totals"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x0f\x25]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41057; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 File ready"; flow:established; content:"|68|"; content:"|78|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41056; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 End of initialization"; flow:established; content:"|68|"; content:"|46|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41055; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Double point information"; flow:established; content:"|68|"; pcre:"/\x68.{5}[\x03\x1f]/"; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41054; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 Ack file"; flow:established; content:"|68|"; content:"|7C|"; within:1; distance:5; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41053; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 TESTFR CON"; flow:established; content:"|68|"; depth:1; content:"|83|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41052; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 TESTFR ACT"; flow:established; content:"|68|"; depth:1; content:"|43|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41051; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 STOPDT CON"; flow:established; content:"|68|"; depth:1; content:"|23|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41050; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 STOPDT ACT"; flow:established; content:"|68|"; depth:1; content:"|13|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41049; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 STARTDT CON"; flow:established; content:"|68|"; depth:1; content:"|0B|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41048; rev:2;)
# alert tcp any [1024:] <> any 2404 (msg:"PROTOCOL-SCADA IEC 104 STARTDT ACT"; flow:established; content:"|68|"; depth:1; content:"|07|"; within:1; distance:1; reference:url,blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html; classtype:protocol-command-decode; sid:41047; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Crash CPU attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; content:"|52|"; within:1; distance:12; content:"|0A|"; within:1; distance:9; byte_test:2, >, 25, 6, relative; reference:cve,2012-6436; reference:url,ics-cert.us-cert.gov/advisories/ICSA-13-011-03; classtype:denial-of-service; sid:41044; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Ethernet Reset attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; content:"|05|"; within:1; distance:12; content:"|20 01|"; within:2; distance:1; reference:cve,2012-6442; reference:url,ics-cert.us-cert.gov/advisories/ICSA-13-011-03; classtype:denial-of-service; sid:41043; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Dump Boot Code attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; content:"|97|"; within:1; distance:12; content:"|20 C0|"; within:2; distance:1; reference:cve,2012-6441; reference:url,ics-cert.us-cert.gov/advisories/ICSA-13-011-03; classtype:denial-of-service; sid:41042; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [2222,44818] (msg:"PROTOCOL-SCADA Rockwell Controllogix Crash Ethernet attempt"; flow:to_server,established; content:"|6F 00|"; depth:2; content:"|00 00 00 00|"; within:4; distance:22; byte_extract:2,10,cipsize,relative; content:"|0E|"; within:cipsize; content:"|20 F5|"; within:2; distance:1; reference:cve,2012-6438; reference:url,ics-cert.us-cert.gov/advisories/ICSA-13-011-03; classtype:denial-of-service; sid:41091; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 772 (msg:"PROTOCOL-SCADA SCADA Trace Mode DoS attempt"; flow:to_server,established; content:"|0C 0C 0C 0C 0C 0C 0C 0C|"; isdataat:300,relative; reference:url,www.adastra.ru/products/dev/scada/; classtype:attempted-dos; sid:41648; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 789 (msg:"PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt"; flow:to_server,established; content:"|00 04 01 2A 03 00|"; depth:6; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,www.bb-elec.es/ethernet-gateways.htm; classtype:attempted-dos; sid:41646; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 16888 (msg:"PROTOCOL-SCADA Moxa Mass Config Tool DOS attempt"; flow:to_server,established; content:"|0B|AAAAAAAAAAAA"; depth:13; isdataat:2500,relative; reference:url,www.moxa.com/product/Mass_Configuration_Tool.htm; classtype:attempted-dos; sid:41739; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"PROTOCOL-SCADA Sunway DOS attempt"; flow:to_server,established; content:"|07 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; isdataat:1000; reference:url,www.sunwayland.com/?Nid=3593; classtype:attempted-dos; sid:41738; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"PROTOCOL-SCADA Sunway DOS attempt"; flow:to_server,established; content:"|06 00 00 00 00 00 00 00 00 04 00 00|"; depth:12; isdataat:1000; reference:url,www.sunwayland.com/?Nid=3593; classtype:attempted-dos; sid:41737; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1804 (msg:"PROTOCOL-SCADA PowerNet Twin Client DOS attempt"; flow:to_server,established; dsize:>99; content:"|11 00|"; depth:2; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,www.honeywellaidc.com/en-US/Pages/Product.aspx?category=Software&cat=HSM&pid=PowerNet%20Twin%20Client; classtype:attempted-dos; sid:41752; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-SCADA Moxa SoftCMS webserver DOS attempt"; flow:to_server,established; isdataat:!18; content:"GET . HTTP/1.0|0D 0A|"; depth:16; nocase; metadata:service http; classtype:attempted-dos; sid:41747; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22350 (msg:"PROTOCOL-SCADA TwinCAT PLC DOS attempt"; flow:to_server,established; dsize:>2000; content:"|A2 1D CB AA AA 75 48 B4 91 DB F4 06 B0 B0 2D|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,www.beckhoff.com/english.asp?twincat/overvw.htm; classtype:attempted-dos; sid:41743; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 20010 (msg:"PROTOCOL-SCADA Yokogawa CS3000 BKFSim_vhfd buffer overflow attempt"; flow:to_server; content:"|45 54 56 48 01 01 10 09 00 00 00 01 00 00 00 44|"; fast_pattern:only; isdataat:460; content:"|9C 5C E5 61|"; depth:4; offset:454; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2014-3888; classtype:attempted-admin; sid:41778; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa discovery packet information disclosure attempt"; flow:to_server; content:"|01|"; depth:1; content:"|08|"; within:1; distance:2; isdataat:3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-recon; sid:42016; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa unlock function code attempt"; flow:to_server,established; content:"|16|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42058; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa unlock function code attempt"; flow:to_server,established; content:"|0A|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42057; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa password retrieval attempt"; flow:to_server,established; content:"|2C|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42056; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa password retrieval attempt"; flow:to_server,established; content:"|29|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42055; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa get SNMP read string attempt"; flow:to_server,established; content:"|28|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42054; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 260 (msg:"PROTOCOL-SCADA TraceMode Runtime DOS attempt"; flow:to_server; isdataat:1000; content:"|17 17 17 17 17 17 17 17|"; depth:8; metadata:policy connectivity-ips drop; reference:url,www.adastra.ru/products/dev/scada/; classtype:attempted-dos; sid:42075; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 260 (msg:"PROTOCOL-SCADA TraceMode Runtime DOS attempt"; flow:to_server; isdataat:1000; content:"|0C 0C 0C 0C 0C 0C 0C 0C|"; depth:8; metadata:policy balanced-ips drop; reference:url,www.adastra.ru/products/dev/scada/; classtype:attempted-dos; sid:42074; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 260 (msg:"PROTOCOL-SCADA TraceMode Runtime DOS attempt"; flow:to_server; isdataat:1000; content:"|02 00 00 00 FF 00|"; depth:6; metadata:policy max-detect-ips drop; reference:url,www.adastra.ru/products/dev/scada/; classtype:attempted-dos; sid:42073; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA invalid modbus protocol identifier"; flow:to_server, established; content:"|00 00|"; depth:2; content:!"|00 00|"; within:2; reference:url,modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; reference:url,modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf; classtype:misc-activity; sid:42109; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4679 (msg:"PROTOCOL-SCADA Eaton Network Pi3Web DOS attempt"; flow:to_server,established; content:"//////////"; fast_pattern:only; metadata:service http; reference:cve,2003-0276; classtype:attempted-dos; sid:42127; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA 3S CoDeSys Gateway Server DOS attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; isdataat:1000,relative; reference:url,www.3s-software.com; classtype:attempted-dos; sid:42284; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4322 (msg:"PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt"; flow:to_server,established; content:"|02 15|"; depth:2; isdataat:104; content:"|00|"; distance:0; isdataat:2; content:!"|10 03|"; within:2; reference:cve,2011-4052; reference:url,aluigi.altervista.org/adv/indusoft_5-adv.txt; classtype:misc-activity; sid:42351; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4322 (msg:"PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt"; flow:to_server,established; content:"|02 16|"; depth:2; isdataat:104; content:"|00|"; distance:0; isdataat:2; content:!"|10 03|"; within:2; reference:url,aluigi.altervista.org/adv/indusoft_5-adv.txt; classtype:misc-activity; sid:42350; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4322 (msg:"PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt"; flow:to_server,established; content:"|16|"; depth:1; isdataat:104; content:!"|00|"; within:104; reference:url,aluigi.altervista.org/adv/indusoft_5-adv.txt; classtype:misc-activity; sid:42349; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4800 (msg:"PROTOCOL-SCADA Moxa unlock function code attempt"; flow:to_server,established; content:"|1E|"; depth:1; content:"|00 90 E8|"; depth:3; offset:14; reference:url,www.moxa.com/product/AWK-3121_Series.htm; classtype:attempted-admin; sid:42786; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Schneider Modicon TM221CE16R password retrieval attempt"; flow:to_server, established; modbus_func:90; modbus_data; content:"|00 03 00|"; fast_pattern:only; reference:cve,2017-7575; reference:url,download.schneider-electric.com/files?&p_File_Name=SEVD-2017-097-01-SoMachine+Basic.pdf; classtype:attempted-admin; sid:42861; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"PROTOCOL-SCADA GE Proficy Historian buffer overflow attempt"; flow:to_server,established; isdataat:250; content:"|90 02 32 00 00 01 00 00 00 00 00 00 00 3C|"; fast_pattern:only; reference:cve,2011-1918; classtype:attempted-admin; sid:42934; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"PROTOCOL-SCADA Advantech Studio DOS attempt"; flow:to_server,established; content:"|06|oC3|00 09 00|"; fast_pattern; isdataat:35,relative; content:!"|00 0A 00 03|"; within:35; reference:url,www2.advantech.com/eAutomation/automation_controllers/news.aspx; classtype:attempted-dos; sid:43348; rev:1;)
# alert tcp $EXTERNAL_NET 102 -> $HOME_NET any (msg:"PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt"; flow:to_client,established,no_stream; content:"|61|"; content:"|03|"; within:1; distance:5; content:"|A0 03 80 01 00 A1|"; distance:0; content:"|81|"; within:1; distance:1; detection_filter:track by_src,count 10,seconds 15; reference:url,dragos.com/blog/crashoverride/CrashOverride-01.pdf; reference:url,us-cert.gov/ncas/alerts/TA17-163A; reference:url,welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-recon; sid:43253; rev:2;)
# alert tcp $EXTERNAL_NET 102 -> $HOME_NET any (msg:"PROTOCOL-SCADA IEC 61850 device connection enumeration attempt"; flow:to_client,established,no_stream; content:"|E0 00 00|"; depth:3; offset:5; content:"|00|"; within:1; distance:2; content:"|C1|"; depth:9; offset:11; content:"|C2|"; depth:9; offset:11; content:"|C0|"; depth:9; offset:11; detection_filter:track by_src,count 10,seconds 15; reference:url,dragos.com/blog/crashoverride/CrashOverride-01.pdf; reference:url,us-cert.gov/ncas/alerts/TA17-163A; reference:url,welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-recon; sid:43252; rev:2;)
# alert tcp $EXTERNAL_NET 2404 -> $HOME_NET any (msg:"PROTOCOL-SCADA IEC 104 force on denial of service attempt"; flow:to_client,established,no_stream; content:"|68|"; depth:1; content:"|2D|"; within:1; distance:5; content:"|01|"; within:1; distance:8; detection_filter:track by_src,count 50,seconds 5; reference:url,dragos.com/blog/crashoverride/CrashOverride-01.pdf; reference:url,us-cert.gov/ncas/alerts/TA17-163A; reference:url,welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:43228; rev:2;)
# alert tcp $EXTERNAL_NET 2404 -> $HOME_NET any (msg:"PROTOCOL-SCADA IEC 104 force off denial of service attempt"; flow:to_client,established,no_stream; content:"|68|"; depth:1; content:"|2D|"; within:1; distance:5; content:"|00|"; within:1; distance:8; detection_filter:track by_src,count 50,seconds 5; reference:url,dragos.com/blog/crashoverride/CrashOverride-01.pdf; reference:url,us-cert.gov/ncas/alerts/TA17-163A; reference:url,welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:43227; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"PROTOCOL-SCADA Siemens SIPROTEC V4.24 crafted packet denial of service attempt"; flow:to_server; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; depth:18; reference:cve,2015-5374; reference:url,siemens.com/cert/pool/cert/siemens_security_advisory_ssa-732541.pdf; classtype:attempted-dos; sid:43177; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt"; flow:to_server,established; content:"|62 00 00 00|"; depth:4; content:"|07|"; within:1; distance:4; content:"|14|"; within:1; distance:3; byte_test:4,<,100,4; byte_test:4,>,1000,32; reference:cve,2012-3795; classtype:denial-of-service; sid:43144; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt"; flow:to_server; content:"|62 00 00 00|"; depth:4; content:"|07|"; within:1; distance:4; content:"|14|"; within:1; distance:3; byte_test:4,<,100,4; byte_test:4,>,1000,32; reference:cve,2012-3795; classtype:denial-of-service; sid:43143; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt"; flow:to_server,established; content:"|62 00 00 00|"; depth:4; content:"|07|"; within:1; distance:4; byte_test:4,>,2000,4; pcre:"/\x62\x00\x00\x00.{4}\x07.{3}[\x05\x06\x07\x14]/"; reference:cve,2012-3795; reference:cve,2012-3796; classtype:denial-of-service; sid:43142; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt"; flow:to_server,established; content:"|62 00 00 00|"; depth:4; isdataat:1004,relative; content:"|07|"; within:1; distance:4; pcre:"/\x62\x00\x00\x00.{4}\x07.{3}[\x05\x06\x07]/i"; reference:cve,2012-3794; classtype:denial-of-service; sid:43141; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt"; flow:to_server; content:"|62 00 00 00|"; depth:4; content:"|07|"; within:1; distance:4; byte_test:4,>,2000,4; pcre:"/\x62\x00\x00\x00.{4}\x07.{3}[\x05\x06\x07\x14]/"; reference:cve,2012-3795; reference:cve,2012-3796; classtype:denial-of-service; sid:43140; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [8000,8001] (msg:"PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt"; flow:to_server; content:"|62 00 00 00|"; depth:4; isdataat:1004,relative; content:"|07|"; within:1; distance:4; pcre:"/\x62\x00\x00\x00.{4}\x07.{3}[\x05\x06\x07]/i"; reference:cve,2012-3794; classtype:denial-of-service; sid:43139; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"PROTOCOL-SCADA Advantech WebAccess webvrpcs denial of service attempt"; flow:to_server,established; content:"|05 00 0D 03 10 00 00 00 18 B4|"; fast_pattern:only; reference:url,advantech.com/industrial-automation/webaccess; classtype:attempted-dos; sid:43122; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10260 (msg:"PROTOCOL-SCADA Optima PLC APIFTP denial of service attempt"; flow:to_server,established; content:"|E8 03 04 00|"; fast_pattern:only; reference:cve,2012-5049; classtype:attempted-dos; sid:43106; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 58723 (msg:"PROTOCOL-SCADA OPC Systems denial of service attempt"; flow:to_server,established; isdataat:125; content:".NET"; depth:4; content:"/OPC Systems Interface"; fast_pattern:only; reference:url,ics-cert.us-cert.gov/advisories/ICSA-12-012-01A; classtype:attempted-dos; sid:43104; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Weintek EasyBuilder Pro denial of service attempt"; flow:to_server,established; content:"|A6 12 AE 54 A4 64 9F 08 53 02 BD CD 39 A7 6B 55 AD|"; fast_pattern:only; reference:url,weintek.com/globalw/Software/EasyBuilderPro.aspx; classtype:attempted-dos; sid:43103; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"PROTOCOL-SCADA Weintek EB Pro denial of service attempt"; flow:to_server,established; content:"|21 06 0A 00 41 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; reference:url,www.weintek.com; classtype:attempted-dos; sid:42995; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27700 (msg:"PROTOCOL-SCADA Schneider Electroc ModbusDrv.exe buffer overflow attempt"; flow:to_server,established; content:"|FF FF 00 00|"; depth:4; byte_test:2,>,1048,4; metadata:policy security-ips drop; reference:cve,2013-0662; classtype:attempted-admin; sid:43986; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1210,1211] (msg:"PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt"; flow:to_server,established; content:"|DD DD|AaBbCcDdEeFf"; depth:14; reference:bugtraq,58032; reference:cve,2012-4704; reference:url,ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf; classtype:attempted-admin; sid:44151; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25922 (msg:"PROTOCOL-SCADA Kaskad SCADA arbitrary command execution attempt"; flow:to_server,established; content:"SDDRemoteControl"; nocase; content:"Cmd="; within:100; nocase; metadata:ruleset limited; classtype:policy-violation; sid:35889; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8089 (msg:"PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt"; flow:to_server,established; content:"nsopc:fileUpload"; fast_pattern:only; content:"nsopc:fileName"; content:"..|5C|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset limited, service http; classtype:attempted-admin; sid:35888; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-SCADA vxworks rpc credential flavor integer overflow device crash attempt"; flow:to_server,established; content:"|80 00 00 30|"; depth:4; fast_pattern; content:"|00 00 00 02|"; within:4; distance:8; byte_test:1,>,127,12,relative; reference:cve,2015-7599; classtype:denial-of-service; sid:45101; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 777 (msg:"PROTOCOL-SCADA WelinTech Kingview History Server denial of service attempt"; flow:to_server, established; isdataat:650; content:"|01 00 09 E0|"; depth:4; reference:url,www.wellintech.com; classtype:attempted-dos; sid:45207; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Schneider Modicon Quantum modbus start command attempt"; flow:to_server,established; content:"|5A|"; depth:1; offset:7; content:"|40 FF 00|"; distance:0; reference:url,schneider-electric.com; classtype:misc-activity; sid:45234; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Schneider Modicon Quantum modbus stop command attempt"; flow:to_server,established; content:"|5A|"; depth:1; offset:7; content:"|41 FF 00|"; distance:0; reference:url,schneider-electric.com; classtype:misc-activity; sid:45233; rev:1;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Conclude-ErrorPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|AD|"; within:1; distance:1; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45436; rev:2;)
# alert tcp any 102 -> any any (msg:"PROTOCOL-SCADA MMS Conclude-ResponsePDU"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|8C 00|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45435; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Conclude-RequestPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|8B 00|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45434; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Initiate-ErrorPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|AA|"; within:1; distance:1; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45433; rev:2;)
# alert tcp any 102 -> any any (msg:"PROTOCOL-SCADA MMS Initiate-ResponsePDU"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|A9|"; distance:0; content:"|81|"; within:16; content:"|82|"; within:10; content:"|A4|"; within:20; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45432; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Initiate-RequestPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|A8|"; distance:0; content:"|81|"; within:16; content:"|82|"; within:10; content:"|A4|"; within:20; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45431; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Cancel-ErrorPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|A7|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45430; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Cancel-ResponsePDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80 86|"; within:4; distance:2; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45429; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Cancel-RequestPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80 85|"; within:4; distance:2; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45428; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS RejectPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80 A4|"; within:4; distance:2; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45427; rev:2;)
# alert tcp any 102 -> any any (msg:"PROTOCOL-SCADA MMS UnconfirmedPDU"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|A3|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45426; rev:2;)
# alert tcp any 102 -> any any (msg:"PROTOCOL-SCADA MMS Confirmed-ErrorPDU"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|A2|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45425; rev:2;)
# alert tcp any 102 -> any any (msg:"PROTOCOL-SCADA MMS Confirmed-ResponsePDU"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|A1|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45424; rev:2;)
# alert tcp any any -> any 102 (msg:"PROTOCOL-SCADA MMS Confirmed-RequestPDU"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 F0 80|"; within:3; distance:2; content:"|01 03 A0|"; distance:0; content:"|A0|"; within:5; reference:url,iso.org/standard/37080.html; classtype:protocol-command-decode; sid:45423; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7135 (msg:"PROTOCOL-SCADA IntegraXor 6x denial of service attempt"; flow:to_server,established; content:"BBBBBBBBBBBBBBBBBBBBB|00|AAAAAAAAAAAAAAAAAAAAA"; fast_pattern:only; reference:url,integraxor.com; classtype:attempted-dos; sid:45871; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt"; flow:to_server,established; content:"|00 AD 00 00 00 FF 01 05 00 43 FF 00 07 1B 00 00 00 06 01|"; depth:24; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,102474; reference:cve,2017-16740; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-009-01; classtype:attempted-dos; sid:47604; rev:1;)
# alert tcp any any -> any any (msg:"PROTOCOL-SCADA PNIO-CM Connect Operation"; flow:to_server,established; dce_iface:dea00001-6c97-11d1-8271-00a02442df7d, any_frag; dce_opnum:0; metadata:service dcerpc; reference:url,wiki.wireshark.org/PROFINET/IO; classtype:protocol-command-decode; sid:48577; rev:1;)
# alert udp any any -> any any (msg:"PROTOCOL-SCADA PNIO-CM Connect Operation"; dce_iface:dea00001-6c97-11d1-8271-00a02442df7d, any_frag; dce_opnum:0; metadata:service dcerpc; reference:url,wiki.wireshark.org/PROFINET/IO; classtype:protocol-command-decode; sid:48576; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Data Table binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|84|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49033; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Data Table binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|C4|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49032; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Get PLC Name binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|8C|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49031; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Operands binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|CD|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49030; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Longs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SN"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49029; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SW"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49028; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Ouputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SA"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49027; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write System Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SS"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49026; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write System Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SF"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49025; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SB"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49024; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RW"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49023; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RB"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49022; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Ouputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RA"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49021; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read System Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"GF"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49020; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Longs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RN"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49019; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read System Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"GS"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49018; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Inputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RE"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49017; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Set RTC ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SC"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49016; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Get PLC Name binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|0C|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49015; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Data Table binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|04|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49014; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Get UnitID ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"UG"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49013; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Data Table binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|44|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49012; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Identification ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"ID"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49011; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Get RTC ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RC"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49010; rev:1;)
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Set UnitID ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"US"; depth:2; offset:10; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49009; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Operands binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|4D|"; depth:1; offset:18; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49008; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Memory Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SW"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49007; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Memory Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SNL"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49006; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Reset Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCE"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49005; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Memory Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SB"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Get RTC ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RC"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write System Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SNH"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Start Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCR"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Stop Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCS"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49000; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Ouputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SA"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48999; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Memory Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RB"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48998; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read System Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"GF"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48997; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read System Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RNH"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48996; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write System Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SS"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48995; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write System Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SF"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48994; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Memory Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RNL"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48993; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Memory Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RW"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48992; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read System Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"GS"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48991; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Ouputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RA"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48990; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Set RTC ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SC"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48989; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Inputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RE"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48988; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Get UnitID ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"UG"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48987; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Set UnitID ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"US"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48986; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Init Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCI"; depth:3; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:48985; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Identification ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"ID"; depth:2; offset:9; metadata:ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48984; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 102 (msg:"PROTOCOL-SCADA Siemens SIMATIC S7-1500 remote denial of service attempt"; flow:to_server,established; isdataat:!18; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; fast_pattern:only; reference:cve,2016-3963; reference:url,cert-portal.siemens.com/productcert/pdf/ssa-751155.pdf; classtype:attempted-dos; sid:49050; rev:1;)


@@ -0,0 +1,39 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------------
# PROTOCOL-SERVICES RULES
#-------------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin guest"; flow:to_server,established; content:"guest|00|guest|00|"; fast_pattern:only; classtype:attempted-user; sid:20602; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin nobody"; flow:to_server,established; content:"nobody|00|nobody|00|"; fast_pattern:only; classtype:attempted-user; sid:20601; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2114; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2113; rev:6;)
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied."; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:611; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:606; rev:10;)
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect"; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:605; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,458; reference:cve,1999-0113; classtype:attempted-admin; sid:604; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:603; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:602; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:601; rev:10;)
# alert tcp any any -> $HOME_NET [3260,860] (msg:"PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt"; flow:to_server,established; content:"TargetName="; fast_pattern:only; isdataat:94; content:!"="; depth:64; offset:30; pcre:"/[\w\x2e\x2b\x3a\x2d@_]{64,}\x3d[\w\x2e\x2b\x3a\x2d@_]+\x00/"; reference:cve,2013-2850; reference:url,seclists.org/oss-sec/2013/q2/448; classtype:attempted-user; sid:31590; rev:1;)
# alert tcp any any -> $HOME_NET [3260,860] (msg:"PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt"; flow:to_server,established; content:"TargetName="; fast_pattern:only; content:"|00|"; offset:30; isdataat:64,relative; content:!"="; within:64; pcre:"/[\w\x2e\x2b\x3a\x2d@_]{64,}\x3d[\w\x2e\x2b\x3a\x2d@_]+?\x00/R"; reference:cve,2013-2850; reference:url,seclists.org/oss-sec/2013/q2/448; classtype:attempted-user; sid:31589; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES Cisco Prime Lan Management rsh command execution attempt"; flow:to_server,established; content:"|00|casuser|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00casuser\x00/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57221; reference:cve,2012-6392; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms; classtype:attempted-admin; sid:25535; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:610; rev:15;)


@@ -0,0 +1,64 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# PROTOCOL-SNMP RULES
#---------------------
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP missing community string attempt"; content:"0"; depth:1; content:"|02|"; within:6; content:"|04 00|"; within:8; pcre:"/^\x30(\x84....|\x82..|[^\x80-\xFF])\x02(\x84\x00\x00\x00\x01.|\x82\x00\x01.|\x01.)\x04\x00/"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:19;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt with evasion"; flow:to_server; content:" |04 82 01 00|"; depth:5; offset:7; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:19;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access udp"; flow:to_server; content:"|06|public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access tcp"; flow:to_server,established; content:"public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:20;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access udp"; flow:to_server; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access tcp"; flow:to_server,established; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:18;)
# alert udp any any -> 255.255.255.255 161 (msg:"PROTOCOL-SNMP Broadcast request"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:17;)
# alert udp any any -> 255.255.255.255 162 (msg:"PROTOCOL-SNMP broadcast trap"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP AgentX/tcp request"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP oversized sysName set request"; content:"+|06 01 02 01 01 05 00|"; byte_test:1,>,99,1,relative; metadata:service snmp; reference:bugtraq,26001; reference:cve,2007-5381; classtype:attempted-admin; sid:12712; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [161,1118] (msg:"PROTOCOL-SNMP Samsung printer default community string"; content:"|04 0B|s|21|a|40|m|23|n|24|p|25|c"; depth:14; offset:5; metadata:service snmp; reference:url,attack.mitre.org/techniques/T1078; reference:url,l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; reference:url,www.kb.cert.org/vuls/id/281284; classtype:attempted-admin; sid:24814; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Brocade snAgentUserAccntPassword enumeration attempt"; flow:to_server; content:"|30 12 06 0E 2B 06 01 04 01 8F 47 01 01 02 09 02 01 02 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/139516; classtype:attempted-recon; sid:31059; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Brocade snAgentUserAccntName enumeration attempt"; flow:to_server; content:"|30 12 06 0E 2B 06 01 04 01 8F 47 01 01 02 09 02 01 01 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/139516; classtype:attempted-recon; sid:31058; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Motorola Netopia 3347 series WPA key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 82 30 01 03 01 1A 01 09 01 05 01 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/779628; classtype:attempted-recon; sid:31057; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Motorola Netopia 3347 series WEP key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 82 30 01 03 01 1A 01 0F 01 03 01 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/779628; classtype:attempted-recon; sid:31056; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee U10C019 series password enumeration attempt"; flow:to_server; content:"|30 16 06 12 2B 06 01 04 01 A4 4C 02 11 01 01 01 02 61 64 6D 69 6E 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31100; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee U10C019 series WPA key enumeration attempt"; flow:to_server; content:"|30 15 06 11 2B 06 01 04 01 A3 0B 02 04 01 01 06 02 02 01 05 06 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31099; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee U10C019 series WEP key enumeration attempt"; flow:to_server; content:"|30 12 06 0E 2B 06 01 04 01 A4 4C 02 0E 02 05 01 02 01 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31098; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP CableHome Devices cabhPsDevUIPassword enumeration attempt"; flow:to_server; content:"|30 13 06 0F 2B 06 01 04 01 A3 0B 02 04 01 01 06 01 02 00 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:bugtraq,69631; reference:cve,2014-4862; reference:cve,2014-4863; reference:url,oid-info.com/get/1.3.6.1.4.1.4491.2.4.1.1.6.1.2; classtype:attempted-recon; sid:31097; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee DDW3611 series WPA key enumeration attempt"; flow:to_server; content:"|30 15 06 11 2B 06 01 04 01 A3 0B 02 04 01 01 06 02 02 01 05 0C 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31096; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee DDW3611 series WEP key enumeration attempt"; flow:to_server; content:"|30 18 06 14 2B 06 01 04 01 A4 4C 26 02 02 02 01 05 04 02 03 01 02 0C 01 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31095; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP HP Huawei password disclosure attempt"; flow:to_server; content:"|2B 06 01 04 01 8F 5B 0A|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,56183; reference:cve,2012-3268; classtype:attempted-recon; sid:31578; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP HP Huawei password disclosure attempt"; flow:to_server; content:"|2B 06 01 04 01 81 C7 22|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,56183; reference:cve,2012-3268; classtype:attempted-recon; sid:31577; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Multiple Products WPA key enumeration attempt"; flow:to_server; content:"|30 16 06 12 2B 06 01 04 01 A2 3D 02 02 02 01 05 04 02 04 01 02 20|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:cve,2014-4862; classtype:attempted-recon; sid:31856; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Multiple Products 64 bit WEP key enumeration attempt"; flow:to_server; content:"|2B 06 01 04 01 A2 3D 02 02 02 01 05 04 02 02 01 02 20|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:cve,2014-4862; classtype:attempted-recon; sid:31855; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Multiple Products 128 bit WEP key enumeration attempt"; flow:to_server; content:"|2B 06 01 04 01 A2 3D 02 02 02 01 05 04 02 03 01 02 20|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:cve,2014-4862; classtype:attempted-recon; sid:31854; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Arris DG950A WPA key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 A0 13 01 14 01 01 03 1A 01 02 0C 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69631; reference:cve,2014-4863; classtype:attempted-recon; sid:31853; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Arris DG950A 64 bit WEP key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 A0 13 01 14 01 01 03 18 01 02 0C 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69631; reference:cve,2014-4863; classtype:attempted-recon; sid:31852; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Arris DG950A 128 bit WEP key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 A0 13 01 14 01 01 03 19 01 02 0C 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69631; reference:cve,2014-4863; classtype:attempted-recon; sid:31851; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP Multiple vendors AgentX receive_agentx integer overflow attempt"; flow:established,to_server; content:"|FF FF FF FF|"; depth:4; offset:16; metadata:policy max-detect-ips drop, service snmp; reference:bugtraq,39561; reference:cve,2010-1319; classtype:attempted-admin; sid:18926; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Allen-Bradley MicroLogix PLC firmware update detected"; flow:to_server; content:"|2B 06 01 04 01 5F 02 03 01 01 01 01 00|"; fast_pattern:only; metadata:service snmp; reference:cve,2016-5645; reference:url,www.talosintelligence.com/reports/TALOS-2016-0184; classtype:policy-violation; sid:39877; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Allen-Bradley MicroLogix PLC SNMP request via undocumented community string attempt"; flow:to_server; content:"wheel"; content:"|2B 06 01 04 01 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service snmp; reference:cve,2016-5645; reference:url,www.talosintelligence.com/reports/TALOS-2016-0184; classtype:attempted-recon; sid:39876; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Cambium cnPilot SNMP request with read-only community string attempt"; flow:to_server; content:"|2B 06 01 04 01 82 C0 32|"; fast_pattern:only; content:"public"; metadata:service snmp; reference:cve,2017-5262; reference:url,blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities; classtype:attempted-recon; sid:45611; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Cambium ePMP SNMP request with read-only community string attempt"; flow:to_server; content:"|2B 06 01 04 01 81 8A 31|"; fast_pattern:only; content:"public"; metadata:service snmp; reference:bugtraq,99083; reference:cve,2017-7918; reference:cve,2017-7922; reference:url,ipositivesecurity.com/2017/04/07/cambium-snmp-security-vulnerabilities/; classtype:attempted-recon; sid:45618; rev:1;)


@@ -0,0 +1,51 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# PROTOCOL-TELNET RULES
#-----------------------
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET RuggedCom default backdoor login attempt"; flow:to_server,established; flowbits:isset,telnet.ruggedcom; content:"factory"; metadata:policy security-ips drop, service telnet; reference:cve,2012-1803; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.securityfocus.com/archive/1/522467; classtype:attempted-admin; sid:21938; rev:5;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login failed"; flow:to_client,established; content:"Login failed"; nocase; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:492; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:718; rev:16;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:16;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:18;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET Attempted SU from wrong group"; flow:to_client,established; content:"to su root"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:attempted-admin; sid:715; rev:14;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET not on console"; flow:to_client,established; content:"not on system console"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:717; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET root login"; flow:to_client,established; content:"login|3A| root"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:suspicious-login; sid:719; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET bsd telnet exploit response"; flow:to_client,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:25;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET bsd exploit client finishing"; flow:to_server,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:23;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; metadata:ruleset community, service telnet; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:17;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; metadata:ruleset community, service telnet; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:17;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2406; rev:14;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; metadata:ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3274; rev:13;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|TTYPROMPT|01|"; fast_pattern:only; rawbytes; flowbits:set,ttyprompt; metadata:ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3147; rev:14;)
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client ENV OPT USERVAR information disclosure"; flow:to_client,established; content:"|FF FA|'|01 03|"; fast_pattern:only; rawbytes; metadata:service telnet; reference:bugtraq,13940; reference:cve,2005-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-033; classtype:attempted-recon; sid:3687; rev:10;)
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client ENV OPT VAR information disclosure"; flow:to_client,established; content:"|FF FA|'|01 00|"; fast_pattern:only; rawbytes; metadata:service telnet; reference:bugtraq,13940; reference:cve,2005-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-033; classtype:attempted-recon; sid:3688; rev:10;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET kerberos login environment variable authentication bypass attempt"; flow:to_server,established; content:"|FF FA|"; rawbytes; content:"USER|01|-e"; distance:0; rawbytes; metadata:service telnet; reference:cve,2007-0956; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt; classtype:attempted-admin; sid:10464; rev:7;)
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET Client env_opt_add Buffer Overflow attempt"; flow:to_client,established; content:"|FF FA 27 01|"; rawbytes; isdataat:128,relative,rawbytes; content:!"|FF F0|"; within:128; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12919; reference:cve,2005-0468; classtype:attempted-dos; sid:17269; rev:6;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET FreeBSD telnetd enc_keyid overflow attempt"; flow:established,to_server; content:"|FF FA 26 07|"; fast_pattern; rawbytes; isdataat:66,relative,rawbytes; content:!"|FF F0|"; within:66; rawbytes; metadata:service telnet; reference:bugtraq,51182; reference:cve,2011-4862; reference:url,security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc; classtype:attempted-admin; sid:20812; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET FreeBSD telnetd dec_keyid overflow attempt"; flow:established,to_server; content:"|FF FA 26 08|"; fast_pattern; rawbytes; isdataat:66,relative,rawbytes; content:!"|FF F0|"; within:66; rawbytes; metadata:service telnet; reference:bugtraq,51182; reference:cve,2011-4862; reference:url,security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc; classtype:attempted-admin; sid:20813; rev:8;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET RuggedCom telnet initial banner"; flow:to_client,established; content:"RuggedCom"; fast_pattern:only; flowbits:set,telnet.ruggedcom; flowbits:noalert; metadata:service telnet; classtype:misc-activity; sid:21939; rev:4;)
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET Client env_opt_add Buffer Overflow attempt"; flow:to_client,established; content:"|FF FA 22 03|"; rawbytes; isdataat:128,relative,rawbytes; content:!"|FF F0|"; within:128; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12919; reference:cve,2005-0468; classtype:attempted-dos; sid:25856; rev:3;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; fast_pattern:only; content:"bin/sh"; metadata:ruleset community, service telnet; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:18;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt"; flow:to_server,established; content:"|FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2015-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-002; classtype:attempted-user; sid:33050; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt"; flow:to_server,established; content:"|FF F6|"; fast_pattern:only; content:"|FF F6|"; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2015-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-002; classtype:attempted-user; sid:33451; rev:2;)
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client ENV OPT escape overflow attempt"; flow:to_client,established; content:"|FF FA|'|01|"; rawbytes; pcre:"/(\x02([\x01\x02\x03]|\xFF\xFF)){100,}/RBsm"; content:"|FF F0|"; distance:0; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12918; reference:cve,2005-0469; classtype:attempted-user; sid:3537; rev:11;)
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client LINEMODE SLC overflow attempt"; flow:to_client,established; content:"|FF FA 22 03|"; rawbytes; isdataat:123,relative,rawbytes; content:!"|FF|"; within:124; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12918; reference:cve,2005-0469; classtype:attempted-user; sid:3533; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-TELNET TippingPoint IPS telnet login failure xss attempt"; flow:to_server,established; content:"<script>alert(123)</script>"; fast_pattern:only; metadata:policy max-detect-ips drop, service telnet; classtype:misc-attack; sid:45191; rev:1;)


@@ -0,0 +1,46 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# PROTOCOL-TFTP RULES
#---------------------
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP PUT filename overflow attempt"; flow:to_server; content:"|00|"; depth:1; byte_test:1,<,3,0,relative; isdataat:101,relative; content:!"|00|"; within:100; distance:2; metadata:ruleset community; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; reference:cve,2003-0729; reference:cve,2006-4948; reference:cve,2006-6184; reference:cve,2008-1611; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:2337; rev:22;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET Admin.dll"; flow:to_server; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; metadata:ruleset community; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:10;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET nc.exe"; flow:to_server; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1441; rev:10;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET shadow"; flow:to_server; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1442; rev:10;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET passwd"; flow:to_server; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1443; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP parent directory"; flow:to_server; content:".."; offset:2; metadata:ruleset community; reference:cve,1999-0183; reference:cve,2002-1209; reference:cve,2011-4722; classtype:bad-unknown; sid:519; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP root directory"; flow:to_server; content:"|00 01|/"; depth:3; metadata:ruleset community; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Put"; flow:to_server; content:"|00 02|"; depth:2; metadata:ruleset community; reference:cve,1999-0183; reference:url,github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Get"; flow:to_server; content:"|00 01|"; depth:2; metadata:ruleset community; classtype:bad-unknown; sid:1444; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP NULL command attempt"; flow:to_server; content:"|00 00|"; depth:2; metadata:ruleset community; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:8;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET transfer mode overflow attempt"; flow:to_server; content:"|00 01|"; content:"|00|"; distance:1; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,13821; reference:cve,2005-1812; classtype:attempted-admin; sid:3817; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP 3COM server transport mode buffer overflow attempt"; flow:to_server; content:"|00|"; depth:1; pcre:"/^(\x01|\x02)[^\x00]+\x00[^\x00]{473}/Rs"; metadata:policy max-detect-ips drop; reference:bugtraq,21301; reference:cve,2006-6183; classtype:attempted-admin; sid:9621; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ"; flow:to_server; content:"|00 01|"; depth:2; content:"|00|"; distance:0; content:!"|00|"; within:16; reference:bugtraq,47789; reference:cve,2008-1610; reference:cve,2011-1851; classtype:attempted-admin; sid:19014; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP UDP large packet use after free attempt"; flow:stateless; content:"|00 01|"; depth:2; content:"blksize|00|"; byte_test:5,>=,1500,0,relative,string,dec; metadata:service tftp; reference:cve,2013-4563; reference:cve,2018-8476; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8476; classtype:attempted-user; sid:32637; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ"; flow:to_server; content:"|00 02|"; depth:2; content:"|00|"; distance:0; content:!"|00|"; within:16; metadata:policy max-detect-ips drop; reference:bugtraq,47789; reference:cve,2008-1610; reference:cve,2011-1851; classtype:attempted-admin; sid:19013; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Multiple TFTP product buffer overflow attempt"; flow:to_server; dsize:>515; metadata:policy max-detect-ips drop, service tftp; reference:bugtraq,20131; reference:bugtraq,45378; reference:bugtraq,46434; reference:bugtraq,47789; reference:bugtraq,8505; reference:cve,2003-0729; reference:cve,2006-4948; reference:cve,2008-1610; reference:cve,2010-4323; reference:cve,2011-1852; reference:url,secunia.com/advisories/43819; classtype:attempted-admin; sid:18767; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Open TFTP Server log generation buffer overflow attempt"; flow:to_server; content:"|00 05|"; depth:2; isdataat:482,relative; content:!"|00|"; within:480; distance:2; metadata:policy max-detect-ips drop, service tftp; reference:bugtraq,29111; reference:cve,2008-2161; classtype:attempted-admin; sid:13927; rev:9;)
# alert udp any any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP PUT Microsoft RIS filename overwrite attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"images"; distance:0; nocase; content:"windows"; distance:0; nocase; content:"|00|"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2006-5584; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-077; classtype:policy-violation; sid:9638; rev:11;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP PUT transfer mode overflow attempt"; flow:to_server; content:"|00 02|"; content:"|00|"; distance:1; isdataat:100,relative; content:!"|00|"; within:100; metadata:policy max-detect-ips drop; reference:bugtraq,13821; reference:bugtraq,21301; reference:cve,2005-1812; reference:cve,2006-6183; classtype:attempted-admin; sid:3818; rev:11;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET filename overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; metadata:policy max-detect-ips drop, ruleset community, service tftp; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,36121; reference:bugtraq,5328; reference:cve,2002-0813; reference:cve,2006-4948; reference:cve,2007-1435; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:1941; rev:24;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5010 (msg:"PROTOCOL-TFTP Comtrol RocketLinx factory reset request"; flow:to_server; content:"|00 00 00 2D 00 00 00 01 01 00 00 00 03 00 00 00 06 00 C0 4E 30 01 93|"; depth:23; classtype:bad-unknown; sid:39452; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5010 (msg:"PROTOCOL-TFTP Comtrol RocketLinx switch reboot request"; flow:to_server; content:"|00 00 00 2C 00 00 00 01 01 00 00 00 03 00 00 00 06 00 C0 4E 30 01 93|"; depth:23; classtype:bad-unknown; sid:39451; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5010 (msg:"PROTOCOL-TFTP Firmware upgrade request"; flow:to_server; dsize:9; content:"|00 00 00 1F 00 00 00 01 01|"; depth:9; classtype:bad-unknown; sid:39450; rev:1;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP WRITE long filename attempt"; flow:to_server; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; metadata:service tftp; classtype:misc-activity; sid:45612; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"../"; distance:0; content:"|00|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-16597; classtype:attempted-admin; sid:47564; rev:1;)


@@ -0,0 +1,343 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# PROTOCOL-VOIP RULES
#---------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Management Interface HTTP digest authentication stack buffer overflow attempt"; flow:to_server,established; content:"Authorization: Digest"; http_header; content:!"|0A|"; within:500; http_header; pcre:"/^Authorization\x3a\sDigest[^\n]*?[\s=][\x22\x27][^\x22\x27\n]{500}/mH"; metadata:service http; reference:url,downloads.asterisk.org/pub/security/AST-2012-003.html; classtype:attempted-admin; sid:26594; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt"; flow:to_server; sip_method:invite; sip_body; content:"sprop-parameter-sets"; nocase; pcre:"/^=[^,\r\n\x3b\s]{17}/iR"; metadata:service sip; reference:cve,2013-2685; classtype:attempted-admin; sid:26426; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt"; flow:to_server; sip_method:invite; sip_body; content:"sprop-parameter-sets"; nocase; pcre:"/^=[^,\r\n\x3b\s]{1,16},[^\r\n\x3b\s]{17}/iR"; metadata:service sip; reference:cve,2013-2685; classtype:attempted-admin; sid:26425; rev:3;)
# alert udp $EXTERNAL_NET 8000 -> $HOME_NET any (msg:"PROTOCOL-VOIP Digium Asterisk RTP comfort noise denial of service attempt"; content:"|80 0D|"; depth:2; isdataat:37; metadata:service rtp; reference:bugtraq,37153; reference:cve,2009-4055; classtype:denial-of-service; sid:24270; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"PROTOCOL-VOIP Digium Asterisk invite malformed SDP denial of service attempt"; flow:to_server; sip_method:invite; sip_header; content:"INVITE"; depth:6; nocase; content:"INVITE"; distance:0; nocase; sip_body; content:"c=IN IP"; nocase; content:"c=IN IP"; distance:0; nocase; byte_test:10,>,255,1,relative,string,dec; metadata:service sip; reference:bugtraq,23031; reference:cve,2007-1561; classtype:attempted-dos; sid:23966; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3217 (msg:"PROTOCOL-VOIP Avaya WinPDM header buffer overflow attempt"; flow:to_server; content:"UTP/1"; depth:5; fast_pattern; content:"To|3A|"; distance:0; nocase; isdataat:256,relative; content:!"|0D|"; within:256; content:!"|0A|"; within:256; reference:bugtraq,47947; classtype:attempted-admin; sid:22948; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 Channel Driver DoS attempt"; flow:to_server; content:"|80 01 00 01|"; depth:4; content:"|06 0B|"; within:2; distance:6; isdataat:1,relative; reference:cve,2007-3763; classtype:denial-of-service; sid:21768; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 Channel Driver DoS attempt"; flow:to_server; content:"|80 01 00 01|"; depth:4; content:"|06 0C|"; within:2; distance:6; isdataat:1,relative; reference:cve,2007-3763; classtype:denial-of-service; sid:21767; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"PROTOCOL-VOIP Digium Asterisk SCCP overly large mem copy attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; offset:1; byte_test:1,<=,3,0; isdataat:8,relative; reference:bugtraq,24950; reference:cve,2007-3764; classtype:attempted-user; sid:21673; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"PROTOCOL-VOIP Digium Asterisk SCCP capabilities response message capabilities count overflow attempt"; flow:to_server,established; content:"|00 00 00 00 10 00 00 00|"; depth:8; offset:4; byte_test:4,>,50,0,relative,little; reference:cve,2007-4280; classtype:attempted-dos; sid:21672; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk missing SIP version denial of service attempt"; flow:to_server; content:"Contact:"; fast_pattern:only; pcre:"/^((?!(SIP\/\d\.\d)).)+?\x0A/"; metadata:service sip; reference:bugtraq,20835; reference:cve,2006-5445; reference:cve,2014-2154; classtype:attempted-dos; sid:21669; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 call number denial of service"; flow:to_server,no_stream; content:"|80 00|"; depth:2; content:"|06|"; within:1; distance:8; byte_test:1,&,1,0,relative; byte_test:1,!&,126,0,relative; detection_filter:track by_src, count 8000, seconds 60; reference:cve,2009-2346; classtype:attempted-dos; sid:21608; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Grandstream networks denial of service"; flow:to_server; content:"183 Session Progress"; fast_pattern; nocase; content:"s=BreakingPoint"; nocase; metadata:service sip; reference:bugtraq,25399; reference:cve,2007-4498; classtype:attempted-dos; sid:21150; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"Contact:"; nocase; pcre:"/Contact\x3A\x0D\x0A/miH"; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21103; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"Contact"; nocase; pcre:"/Contact\x3A\s*\x3C\s*\x3E/miH"; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21102; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS 2000 (msg:"PROTOCOL-VOIP Digium Asterisk data length field overflow attempt"; flow:to_server,established; content:"|FF FF FF|"; depth:3; offset:1; reference:bugtraq,20617; reference:cve,2006-5444; reference:url,www.exploit-db.com/exploits/2597; classtype:attempted-user; sid:20670; rev:6;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP OpenSBC VIA header denial of service attempt"; flow:to_server; content:"Via|3A 3A|"; fast_pattern:only; sip_method:invite; reference:url,ims-bisf.nexginrc.org/OpenSBC-vul.html; classtype:denial-of-service; sid:20427; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt"; flow:to_server,established; sip_method:invite; pcre:"/^INVITE\s[^\s\r\n]{60}/smi"; reference:bugtraq,15711; reference:cve,2005-4050; classtype:attempted-user; sid:20426; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Sivus scanner detected"; flow:to_server,established; content:"sivus_voip_scanner"; fast_pattern:only; pcre:"/^From\x3A\s*sivus_voip_scanner/Hsmi"; reference:url,www.vopsecurity.org/; classtype:network-scan; sid:20424; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline"; flow:to_server,established; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Call-ID\x3A/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20423; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP OPTIONS message Via field request misplaced - after terminating newline"; flow:to_server,established; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Via\x3A/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20422; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message Content-Length header size of zero"; flow:to_server,established,only_stream; sip_method:invite; pcre:"/^Content-Length\x3A\s+0[\r\n]/Hsmi"; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20421; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message invalid IP address"; flow:to_server,established; sip_method:invite; pcre:"/^INVITE\s+sip\x3A[^\r\n\x40]+\x40((192\.0\.[02]\.\d{1,3})|(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(128\.0\.\d{1,3}\.\d{1,3})|(191\.255\.\d{1,3}\.\d{1,3})|(223\.255\.255\.\d{1,3})|(2(2[4-9]|[34][0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,3}))/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20420; rev:3;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 401 Unauthorized message"; flow:to_client,established; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20419; rev:3;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist"; flow:to_client,established; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20418; rev:3;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 415 Unsupported Media Type message"; flow:to_client,established; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20417; rev:3;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message"; flow:to_client,established; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20416; rev:3;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 501 Not Implemented message"; flow:to_client,established; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20415; rev:3;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 408 Request Timeout message"; flow:to_client,established; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20414; rev:3;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 100 Trying message"; flow:to_client,established; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20413; rev:3;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 404 Not Found"; flow:to_client,established; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20412; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 404 Not Found"; flow:to_server,established; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20411; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 401 unauthorized message"; flow:to_server,established; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20410; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist"; flow:to_server,established; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20409; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 415 Unsupported Media Type message"; flow:to_server,established; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20408; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message"; flow:to_server,established; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20407; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 501 Not Implemented message"; flow:to_server,established; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20406; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 408 Request Timeout message"; flow:to_server,established; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20405; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 100 Trying message"; flow:to_server,established; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20404; rev:3;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 405 Method Not Allowed response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:405; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20403; rev:4;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 405 Method Not Allowed response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:405; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20402; rev:5;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:415; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20401; rev:4;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:415; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20400; rev:5;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 420 Bad Extension response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:420; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20399; rev:4;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 420 Bad Extension response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:420; detection_filter:track by_dst, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20398; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE flood"; flow:to_server,established,only_stream; sip_method:invite; detection_filter:track by_src, count 100, seconds 25; reference:cve,2008-5180; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20397; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE flood attempt"; flow:to_server; sip_method:invite; detection_filter:track by_src, count 100, seconds 25; metadata:service sip; reference:cve,2008-5180; reference:cve,2017-6648; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-tele; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20396; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CANCEL flood"; flow:to_server,established,only_stream; sip_method:cancel; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20394; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP BYE flood"; flow:to_server,established,only_stream; sip_method:bye; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20393; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header buffer overflow attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^a=[^\r\n]{256}/Psmi"; reference:bugtraq,16213; reference:cve,2006-0189; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:20389; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt"; flow:to_server,established; content:"a=T38FaxUdpEC|3A|"; fast_pattern:only; pcre:"/^a=T38FaxUdpEC\x3A[^\r\n]{256}/smi"; metadata:service sip; reference:bugtraq,23648; reference:cve,2007-2293; classtype:attempted-admin; sid:20388; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt"; flow:to_server,established; content:"a=T38FaxRateManagement|3A|"; fast_pattern:only; pcre:"/^a=T38FaxRateManagement\x3A[^\r\n]{256}/smi"; metadata:service sip; reference:bugtraq,23648; reference:cve,2007-2293; classtype:attempted-admin; sid:20387; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Connection header invalid value"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^c=([^I]|I[^N]|IN[^\s]|IN\s+[^I]|IN\s+I[^P]|IN\s+IP[^46])/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-dos; sid:20386; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Version header overflow attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^v=(-|(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9]))/Psmi"; reference:url,tools.ietf.org/html/rfc4566; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; classtype:attempted-dos; sid:20385; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time header contains long value"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^t=(\d{7,}|\d{1,6}\s\d{7,})/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:20384; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time header contains negative value"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^t=(-|\d{1,6}\s-)/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:20383; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header port field invalid value"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^m=[A-Z]{1,20}\s(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9])/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:20382; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Authorization header invalid characters in response parameter"; flow:to_server,established; content:"Authorization|3A|"; fast_pattern:only; pcre:"/^Authorization\x3A[^\r\n]+?response=[\x00-\x09\x0B\x0C\x0E-\x7F]*[\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:20380; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Date header invalid characters detected"; flow:to_server,established; content:"Date|3A|"; fast_pattern:only; pcre:"/^Date\x3A[^\r\n]*[\x2D\x2B]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20379; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Date header invalid characters detected"; flow:to_server; content:"Date|3A|"; fast_pattern:only; pcre:"/^Date\x3A[^\r\n]*[\x2D\x2B]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20378; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid characters detected"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20377; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header format string attempt"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20376; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header missing terminating quote"; flow:to_server,established; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20375; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header missing terminating quote"; flow:to_server; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20374; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header unquoted tokens in field attempt"; flow:to_server,established; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20373; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header unquoted tokens in field attempt"; flow:to_server; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20372; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header whitespace in field attempt"; flow:to_server,established; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20371; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header whitespace in field attempt"; flow:to_server; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20370; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header XSS injection attempt"; flow:to_server,established; content:"<script"; fast_pattern:only; pcre:"/^Contact\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20367; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header XSS injection attempt"; flow:to_server; content:"<script"; fast_pattern:only; pcre:"/^Contact\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20366; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header invalid characters detected"; flow:to_server,established; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20365; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header format string attempt"; flow:to_server,established; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20364; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header multiple Call-ID headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"Call-ID|3A|"; nocase; content:"Call-ID|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20363; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header multiple Call-ID headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"Call-ID|3A|"; nocase; content:"Call-ID|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20362; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header invalid seperators"; flow:to_server,established; content:"|3B 2C|"; fast_pattern:only; pcre:"/^Call-ID\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20361; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header invalid seperators"; flow:to_server; content:"|3B 2C|"; fast_pattern:only; pcre:"/^Call-ID\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20360; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header format string attempt"; flow:to_server,established; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20359; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header format string attempt"; flow:to_server; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20358; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header XSS injection attempt"; flow:to_server,established; content:"<script"; fast_pattern:only; pcre:"/^Call-ID\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20357; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header XSS injection attempt"; flow:to_server; content:"<script"; fast_pattern:only; pcre:"/^Call-ID\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20356; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header invalid characters detected"; flow:to_server,established; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20355; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header format string attempt"; flow:to_server,established; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20354; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Expires header invalid characters detected"; flow:to_server,established; content:"Expires|3A|"; fast_pattern:only; pcre:"/^Expires\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x2D\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20353; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Expires header overflow attempt"; flow:to_server,established; content:"Expires|3A|"; fast_pattern:only; pcre:"/^Expires\x3A\s+\d{11}/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:20352; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Subject header format string attempt"; flow:to_server,established; content:"Subject|3A|"; fast_pattern:only; pcre:"/^Subject\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20351; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Subject header format string attempt"; flow:to_server; content:"Subject|3A|"; fast_pattern:only; pcre:"/^Subject\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20350; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Subject header XSS injection attempt"; flow:to_server,established; content:"<script"; fast_pattern:only; pcre:"/^Subject\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20349; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Subject header XSS injection attempt"; flow:to_server; content:"<script"; fast_pattern:only; pcre:"/^Subject\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20348; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header multiple To headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"To|3A|"; nocase; content:"To|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20347; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header multiple To headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"To|3A|"; nocase; content:"To|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20346; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header missing terminating quote"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20345; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header missing terminating quote"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20344; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header invalid seperators"; flow:to_server,established; content:"|3B 2C|"; fast_pattern:only; pcre:"/^To\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20343; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header invalid seperators"; flow:to_server; content:"|3B 2C|"; fast_pattern:only; pcre:"/^To\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20342; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header unquoted tokens in field attempt"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20341; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header unquoted tokens in field attempt"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20340; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header whitespace in field attempt"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20339; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header whitespace in field attempt"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20338; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header format string attempt"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20337; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header format string attempt"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20336; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header XSS injection attempt"; flow:to_server,established; content:"<script"; fast_pattern:only; pcre:"/^To\x3A\s+(\x22)?\x3Cscript/smiH"; classtype:misc-attack; sid:20335; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header XSS injection attempt"; flow:to_server; content:"<script"; fast_pattern:only; pcre:"/^To\x3A\s+(\x22)?\x3Cscript/smiH"; classtype:misc-attack; sid:20334; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header invalid characters detected"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20333; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header contains recursive URL-encoded data"; flow:to_server,established; content:"%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33"; fast_pattern:only; pcre:"/^To\x3A\s+%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33/Hsmi"; reference:url,www.ietf.org/rfc/rfc2396.txt; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20332; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header multiple From headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"From|3A|"; nocase; content:"From|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20331; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header multiple From headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"From|3A|"; nocase; content:"From|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20330; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header missing terminating quote"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20329; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header missing terminating quote"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3a\s+\x22[^\x22]*\x3c/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20328; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header unquoted tokens in field attempt"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20327; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header unquoted tokens in field attempt"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s+[^\r\n\x22\x3C]*[\x3B\x27\x2C]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20326; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header whitespace in field attempt"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20325; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header whitespace in field attempt"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s+[^\r\n\x3C]*\x3C[^\r\n\x3E]*?[\x20\x09]/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20324; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header format string attempt"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20323; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header XSS injection attempt"; flow:to_server,established; content:"<script"; fast_pattern:only; pcre:"/^From\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20321; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header XSS injection attempt"; flow:to_server; content:"<script"; fast_pattern:only; pcre:"/^From\x3A\s+(\x22)?\x3Cscript/Hsmi"; classtype:misc-attack; sid:20320; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header invalid characters detected"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20319; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header format string attempt"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20318; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header invalid seperators"; flow:to_server,established; content:"|3B 2C|"; fast_pattern:only; pcre:"/^Via\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20317; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header invalid seperators"; flow:to_server; content:"|3B 2C|"; fast_pattern:only; pcre:"/^Via\x3a\s+[^\r\n]*\x3B\x2C/Hsmi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20316; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header invalid characters detected"; flow:to_server,established; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20315; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header format string attempt"; flow:to_server,established; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s*SIP\x2F2\x2E0\x2F(TC|UD)P\s+[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20314; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header missing SIP field"; flow:to_server,established; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s+(?!SIP\x2F2\x2E0)/Hsmi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:20313; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Max-Forwards header invalid characters detected"; flow:to_server,established; content:"Max-Forwards|3A|"; fast_pattern:only; pcre:"/^Max-Forwards\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x2D\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20312; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Max-Forwards value over 70"; flow:to_server,established; content:"Max-Forwards|3A|"; fast_pattern:only; pcre:"/^Max-Forwards\x3A\s+(\d{3,}|[89]\d|7[1-9])/Hsmi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:20311; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header multiple CSeq headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"CSeq|3A|"; nocase; content:"CSeq|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20310; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header multiple CSeq headers "; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"CSeq|3A|"; nocase; content:"CSeq|3A|"; distance:0; nocase; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20309; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header method mismatch attempt"; flow:to_server,established; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^(?P<a>[A-Z]+)\s+sip\x3a.*?CSeq\x3a\s+\d+\s+(?!(?P=a))/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20308; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header method mismatch attempt"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^(?P<a>[A-Z]+)\s+sip\x3a.*?CSeq\x3a\s+\d+\s+(?!(?P=a))/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20307; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header invalid characters detected"; flow:to_server,established; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20306; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header format string attempt"; flow:to_server,established; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20305; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI possible format string attempt"; flow:to_server,established; sip_method:invite,bye,cancel,options; content:"%"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n]*%/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20304; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI possible format string attempt"; flow:to_server; sip_method:invite,bye,cancel,options; content:"%"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n]*%/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20303; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI multiple at signs in message"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]+\x40{2}/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:20302; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP TEL URI type overflow attempt"; flow:to_server,established; content:"<tel"; fast_pattern:only; pcre:"/<tel[^\x3A]{6}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:20301; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI type overflow attempt"; flow:to_server,established; content:"<sip"; fast_pattern:only; pcre:"/<sips?[^\x3A]{6}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:20300; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Invalid request spaces at end of request line attempt"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_method:invite,bye,cancel; pcre:"/^(INVITE|BYE|CANCEL)\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0[^\r\n]\s[\r\n]/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20299; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Invalid request spaces at end of request line attempt"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_method:invite,bye,cancel; pcre:"/^(INVITE|BYE|CANCEL)\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0[^\r\n]\s[\r\n]/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20298; rev:3;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound INVITE message"; flow:to_server,established; content:"INVITE"; fast_pattern:only; sip_method:invite; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20297; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server,established; content:"INVITE"; fast_pattern:only; sip_method:invite; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20296; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message URI contains global broadcast address"; flow:to_server,established; sip_method:invite; content:"@255.255.255."; fast_pattern:only; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19410; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message URI contains global broadcast address"; flow:to_server; sip_method:invite; content:"@255.255.255."; fast_pattern:only; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19409; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header description field format string attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^m=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19388; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header description field format string attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^m=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19387; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header description field overflow attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^m=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19386; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header description field overflow attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^m=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19385; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name invalid header attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^s=[^\r\n\x20-\x2B\x2D-\x7E]*[\x00-\x1F\x2C\x7F-\xFF]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19384; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name invalid header attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^s=[^\r\n\x20-\x2B\x2D-\x7E]*[\x00-\x1F\x2C\x7F-\xFF]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19383; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name header format string attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^s=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19382; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name header format string attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^s=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19381; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name header overflow attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^s=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19380; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Session Name header overflow attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^s=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19379; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin invalid header"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^o=(\d+|\w+|\x2D)\s+\d+\s+\d+\s+IN\s+IP[46]\s+[^\r\n]*[\x2D\x5C\x80-\xFF\x00-\x08\x0B\x0C\x0E-\x19]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19378; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin invalid header"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^o=(\d+|\w+|\x2D)\s+\d+\s+\d+\s+IN\s+IP[46]\s+[^\r\n]*[\x2D\x5C\x80-\xFF\x00-\x08\x0B\x0C\x0E-\x19]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19377; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin header format string attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^o=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19376; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin header format string attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^o=[^\r\n]*%/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19375; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin header overflow attempt"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^o=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19374; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Origin header overflow attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^o=\s+[^\r\n]{256}/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19373; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time Stop Header invalid value"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:!"/^t=\d+\s+\d+[\r\n]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19365; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time Stop header invalid value"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:!"/^t=\d+\s+\d+[\r\n]/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19364; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP invalid SIP-Version field"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\s]+\sSIP\x2F/smi"; pcre:!"/^[A-Z]+\s+sip\x3A[^\r\n\s]+\sSIP\x2F(2\x2e0|1\x2e[01])/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:19338; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP invalid SIP-Version field"; flow:to_server; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\s]+\sSIP\x2F/smi"; pcre:!"/^[A-Z]+\s+sip\x3A[^\r\n\s]+\sSIP\x2F(2\x2e0|1\x2e[01])/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:19337; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid format missing slash"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3a[^\r\n\x3B]\s*[^\x2F][\r\n]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19336; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid format missing slash"; flow:to_server; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3a[^\r\n\x3B]\s*[^\x2F][\r\n]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19335; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid format too many slashes"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3A[^\r\n\x3B]+\x2F\x2F/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19334; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid format too many slashes"; flow:to_server; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3A[^\r\n\x3B]+\x2F\x2F/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19333; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Max-Forwards header invalid characters detected"; flow:to_server; content:"Max-Forwards|3A|"; fast_pattern:only; pcre:"/^Max-Forwards\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x2D\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19302; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Expires header invalid characters detected"; flow:to_server; content:"Expires|3A|"; fast_pattern:only; pcre:"/^Expires\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x2D\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19301; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt"; flow:to_server; content:"a=T38FaxUdpEC|3A|"; fast_pattern:only; pcre:"/^a=T38FaxUdpEC\x3A[^\r\n]{256}/smi"; metadata:service sip; reference:bugtraq,23648; reference:cve,2007-2293; classtype:attempted-admin; sid:14609; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt"; flow:to_server; content:"a=T38FaxRateManagement|3A|"; fast_pattern:only; pcre:"/^a=T38FaxRateManagement\x3A[^\r\n]{256}/smi"; metadata:service sip; reference:bugtraq,23648; reference:cve,2007-2293; classtype:attempted-admin; sid:14608; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline"; flow:to_server; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Call-ID\x3A/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13590; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP OPTIONS message Via header request misplaced - after terminating newline"; flow:to_server; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Via\x3A/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13589; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header field buffer overflow attempt"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n]{256}/Hsmi"; reference:bugtraq,6904; reference:cve,2003-1108; reference:cve,2003-1109; reference:cve,2003-1115; reference:url,www.cert.org/advisories/CA-2003-06.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:12683; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header field buffer overflow attempt"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n]{256}/Hsmi"; reference:bugtraq,6904; reference:cve,2003-1108; reference:cve,2003-1109; reference:cve,2003-1115; reference:url,www.cert.org/advisories/CA-2003-06.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:12682; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI overflow attempt"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]{256}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:12681; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header hostname buffer overflow attempt"; flow:to_server,established; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s+SIP\x2F2\x2E0\x2F(TCP|UDP)\s+[^\x3B\r\n]{63}/Hsmi"; reference:bugtraq,24542; reference:cve,2007-3369; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:12680; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS 2000 (msg:"PROTOCOL-VOIP Digium Asterisk data length field overflow attempt"; flow:established,to_server; dsize:>992; byte_test:4,>,992,0,little; reference:bugtraq,20617; reference:cve,2006-5444; reference:url,www.exploit-db.com/exploits/2597; classtype:attempted-user; sid:12359; rev:9;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 404 Not Found"; flow:to_client; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12181; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 404 Not Found"; flow:to_server; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12180; rev:5;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist"; flow:to_client; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12179; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist"; flow:to_server; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12178; rev:5;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 415 Unsupported Media Type message"; flow:to_client; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12177; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 415 Unsupported Media Type message"; flow:to_server; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12176; rev:5;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message"; flow:to_client; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12175; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message"; flow:to_server; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12174; rev:5;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 501 Not Implemented message"; flow:to_client; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12173; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 501 Not Implemented message"; flow:to_server; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12172; rev:6;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 408 Request Timeout message"; flow:to_client; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12171; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 408 Request Timeout message"; flow:to_server; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12170; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI multiple at signs in message"; flow:to_server; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]+\x40{2}/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:12167; rev:7;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI overflow attempt"; flow:to_server; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]{256}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:12113; rev:7;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Sivus scanner detected"; flow:to_server; content:"sivus_voip_scanner"; fast_pattern:only; pcre:"/^From\x3A\s*sivus_voip_scanner/Hsmi"; reference:url,www.vopsecurity.org/; classtype:network-scan; sid:12112; rev:5;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 100 Trying message"; flow:to_client; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12074; rev:6;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 100 Trying message"; flow:to_server; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12073; rev:6;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 401 Unauthorized message"; flow:to_client; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12007; rev:6;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12006; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Connection header invalid value"; flow:to_server,established; content:"application/sdp"; fast_pattern:only; pcre:"/^c=([^I]|I[^N]|IN[^\s]|IN\s+[^I]|IN\s+I[^P]|IN\s+IP[^46])/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-dos; sid:12005; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message Content-Length header size of zero"; flow:to_server; sip_method:invite; pcre:"/^Content-Length\x3A\s+0[\r\n]/Hsmi"; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12004; rev:9;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CANCEL flood"; flow:to_server; sip_method:cancel; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12003; rev:9;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP BYE flood"; flow:to_server; sip_method:bye; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12002; rev:9;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Version header overflow attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^v=(-|(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9]))/Psmi"; reference:url,tools.ietf.org/html/rfc4566; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; classtype:attempted-dos; sid:12001; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP INVITE message invalid IP address"; flow:to_server; sip_method:invite; pcre:"/^INVITE\s+sip\x3A[^\r\n\x40]+\x40((192\.0\.[02]\.\d{1,3})|(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(128\.0\.\d{1,3}\.\d{1,3})|(191\.255\.\d{1,3}\.\d{1,3})|(223\.255\.255\.\d{1,3})|(2(2[4-9]|[34][0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,3}))/smi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12000; rev:6;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header invalid characters detected"; flow:to_server; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11999; rev:8;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header invalid characters detected"; flow:to_server; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11998; rev:8;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header invalid characters detected"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11997; rev:8;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header invalid characters detected"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11996; rev:8;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header invalid characters detected"; flow:to_server; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11995; rev:8;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header invalid characters detected"; flow:to_server; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11994; rev:8;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header invalid characters detected"; flow:to_server; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11993; rev:8;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Content-Type header format string attempt"; flow:to_server; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11992; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header format string attempt"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11991; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Contact header format string attempt"; flow:to_server; content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11990; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Call-ID header format string attempt"; flow:to_server; content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11989; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP From header format string attempt"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11988; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header format string attempt"; flow:to_server; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s*SIP\x2F2\x2E0\x2F(TC|UD)P\s+[^\r\n%]*%/Hsmi"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-sip1; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11987; rev:6;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Authorization header invalid characters in response parameter"; flow:to_server; content:"Authorization|3A|"; fast_pattern:only; pcre:"/^Authorization\x3A[^\r\n]+?response=[\x00-\x09\x0B\x0C\x0E-\x7F]*[\x80-\xFF]/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11986; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Expires header overflow attempt"; flow:to_server; content:"Expires|3A|"; fast_pattern:only; pcre:"/^Expires\x3A\s+\d{11}/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11985; rev:7;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time header contains long value"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^t=(\d{7,}|\d{1,6}\s\d{7,})/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11984; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Time header contains negative value"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^t=(-|\d{1,6}\s-)/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11983; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP To header contains recursive URL-encoded data"; flow:to_server; content:"%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33"; fast_pattern:only; pcre:"/^To\x3A\s+%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33/Hsmi"; reference:url,www.ietf.org/rfc/rfc2396.txt; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11982; rev:6;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt"; flow:to_server; sip_method:invite; pcre:"/^INVITE\s[^\s\r\n]{60}/smi"; reference:bugtraq,15711; reference:cve,2005-4050; classtype:attempted-user; sid:11981; rev:8;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header buffer overflow attempt"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^a=[^\r\n]{256}/Psmi"; reference:bugtraq,16213; reference:cve,2006-0189; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11980; rev:7;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Media header port field invalid value"; flow:to_server; content:"application/sdp"; fast_pattern:only; pcre:"/^m=[A-Z]{1,20}\s(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9])/Psmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4566.txt; classtype:attempted-user; sid:11979; rev:5;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP TEL URI type overflow attempt"; flow:to_server; content:"<tel"; fast_pattern:only; pcre:"/<tel[^\x3A]{6}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11977; rev:7;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP URI type overflow attempt"; flow:to_server; content:"<sip"; fast_pattern:only; pcre:"/<sips?[^\x3A]{6}/smi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11976; rev:7;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header missing SIP field"; flow:to_server; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s+(?!SIP\x2F2\x2E0)/Hsmi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:11975; rev:6;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Via header hostname buffer overflow attempt"; flow:to_server; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s+SIP\x2F2\x2E0\x2F(TCP|UDP)\s+[^\x3B\r\n]{63}/Hsmi"; reference:bugtraq,24542; reference:cve,2007-3369; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11973; rev:9;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Max-Forwards value over 70"; flow:to_server; content:"Max-Forwards|3A|"; fast_pattern:only; pcre:"/^Max-Forwards\x3A\s+(\d{3,}|[89]\d|7[1-9])/Hsmi"; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:11972; rev:6;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq buffer overflow attempt"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3a\s+[^\r\n]{25}/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,13504; reference:bugtraq,15711; reference:bugtraq,18906; reference:bugtraq,36015; reference:cve,2005-1461; reference:cve,2005-4050; reference:cve,2006-3524; reference:cve,2009-2726; reference:nessus,18986; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11971; rev:7;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound 401 unauthorized message"; flow:to_server; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11969; rev:6;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:ruleset community, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11968; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-VOIP PA168 chipset based IP phone authentication bypass"; flow:to_server,established; content:"POST /g"; depth:7; nocase; content:"back=++Back++|0D 0A 0D 0A|"; distance:0; nocase; metadata:service http; reference:bugtraq,22191; reference:cve,2007-0528; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr06-14; classtype:attempted-admin; sid:10124; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-VOIP PA168 chipset based IP phone default password attempt"; flow:to_server,established; content:"auth=12345678&login=+++Login+++"; nocase; metadata:service http; reference:bugtraq,22191; reference:cve,2007-0528; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr06-14; classtype:attempted-admin; sid:10123; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt"; flow:to_server; dsize:<4; byte_test:2,<,32768,0; reference:bugtraq,18307; reference:cve,2006-2923; classtype:attempted-admin; sid:6515; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt"; flow:to_server; dsize:<12; byte_test:2,&,32768,0; reference:bugtraq,18307; reference:cve,2006-2923; classtype:attempted-admin; sid:6514; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt"; flow:to_server; dsize:<6; content:"|00 00|"; depth:2; byte_test:2,&,32768,0,relative; reference:bugtraq,18295; reference:cve,2006-2898; classtype:attempted-admin; sid:6513; rev:5;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client,established,only_stream; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27904; rev:2;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established,only_stream; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27903; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server,established,only_stream; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27902; rev:2;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27901; rev:3;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27900; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27899; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP attempted DOS detected"; flow:to_server; sip_body; content:"m="; content:"c="; distance:0; metadata:service sip; reference:cve,2013-5641; reference:cve,2013-5642; reference:url,downloads.asterisk.org/pub/security/AST-2013-005.html; classtype:denial-of-service; sid:28165; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Sipvicious User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-scanner"; fast_pattern:only; metadata:service sip; reference:url,advantia.ca/weblog/less-than-friendly-scanner--sipvicious; classtype:attempted-recon; sid:28993; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk SIP channel driver denial of service attempt"; flow:to_server; sip_method:bye; sip_header; content:"Also|3A|"; fast_pattern:only; metadata:service sip; reference:cve,2008-0095; reference:url,downloads.asterisk.org/pub/security/AST-2008-001.html; classtype:denial-of-service; sid:33445; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt"; flow:to_server,established,no_stream; flowbits:isset,sccp.callstate; dsize:>600; content:"|10 00 00 00 00 00 00 00 03 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2012-2415; classtype:attempted-dos; sid:24720; rev:7;)
alert tcp $EXTERNAL_NET 2000 -> $HOME_NET any (msg:"PROTOCOL-VOIP Digium Asterisk SCCP call state message offhook"; flow:to_client,established; content:"|00 00 00 00 11 01 00 00 01 00 00 00|"; fast_pattern:only; flowbits:set,sccp.callstate; flowbits:noalert; metadata:policy max-detect-ips drop; reference:cve,2012-2415; classtype:attempted-dos; sid:24719; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5038 (msg:"PROTOCOL-VOIP Digium Asterisk Manager command shell execution attempt"; flow:to_server,established; flowbits:isset,asteriskmi; content:"EVAL("; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,53206; reference:cve,2012-2414; reference:url,downloads.asterisk.org/pub/security/AST-2012-004.html; classtype:policy-violation; sid:23210; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5038 (msg:"PROTOCOL-VOIP Digium Asterisk Manager command shell execution attempt"; flow:to_server,established; flowbits:isset,asteriskmi; content:"SHELL("; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,53206; reference:cve,2012-2414; reference:url,downloads.asterisk.org/pub/security/AST-2012-004.html; classtype:policy-violation; sid:23209; rev:9;)
alert tcp $HOME_NET 5038 -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Digium Asterisk Manager Interface initial banner"; flow:to_client,established; content:"Asterisk Call Manager"; fast_pattern:only; flowbits:set,asteriskmi; flowbits:noalert; classtype:misc-activity; sid:23208; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Management Interface HTTP digest authentication stack buffer overflow attempt"; flow:to_server,established; content:"Authorization: Digest"; http_header; content:!"|0A|"; within:500; http_header; pcre:"/^Authorization\x3a\sDigest[^\n]*?(=[^,\s\n\x22\x27]{500}|\s[^=\n\x22\x27]{500})/mH"; metadata:policy max-detect-ips drop, service http; reference:url,downloads.asterisk.org/pub/security/AST-2012-003.html; classtype:attempted-admin; sid:21753; rev:12;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"|0D 0A 0D 0A|"; content:!"Contact"; nocase; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21101; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server,established; sip_method:invite; content:"Remote-Party-Id|3A|scsip|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:20425; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server,established; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop; reference:cve,2008-1289; classtype:misc-attack; sid:20392; rev:9;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop; reference:cve,2008-1289; classtype:misc-attack; sid:20391; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header rtpmap field invalid payload type"; flow:to_server,established; content:"a=rtpmap|3A|"; nocase; byte_test:9,>,256,0,relative,string; metadata:policy max-detect-ips drop; reference:bugtraq,28308; reference:cve,2008-1289; reference:url,www.asterisk.org/node/48466; classtype:attempted-user; sid:20390; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field"; flow:to_server,established; content:"Remote-Party-ID|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\s+[^\r\n]+\x40[^\r\n]*?[\x80-\xFF]/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/en/US/products/products_security_response09186a00808075ad.html; classtype:attempted-admin; sid:20381; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-VOIP Digium Asterisk UDPTL processing overflow attempt"; flow:to_server; content:"|08 C0 01 80 00 02 FF C0 02|"; depth:12; offset:2; content:"|80|"; within:2; byte_test:1,>,9,1,relative; metadata:policy max-detect-ips drop; reference:bugtraq,46474; reference:cve,2011-1147; classtype:attempted-admin; sid:19167; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"PROTOCOL-VOIP Digium Asterisk IAX2 ack response denial of service attempt"; flow:to_server; content:"|80 EB 00 00 00 00 00 0A 00 00 06 04|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,28901; reference:cve,2008-1897; reference:url,downloads.digium.com/pub/security/AST-2008-006.html; classtype:attempted-dos; sid:16445; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq buffer overflow attempt"; flow:to_server,established; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3a\s+[^\r\n]{25}/smi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,13504; reference:bugtraq,15711; reference:bugtraq,18906; reference:bugtraq,36015; reference:cve,2005-1461; reference:cve,2005-4050; reference:cve,2006-3524; reference:cve,2009-2726; reference:nessus,18986; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:16351; rev:11;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header rtpmap field invalid payload type"; flow:to_server; content:"a=rtpmap|3A|"; nocase; byte_test:9,>,256,0,relative,string; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,28308; reference:cve,2008-1289; reference:url,www.asterisk.org/node/48466; classtype:attempted-user; sid:13693; rev:12;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field"; flow:to_server; content:"Remote-Party-ID|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\s+[^\r\n]+\x40[^\r\n]*?[\x80-\xFF]/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/en/US/products/products_security_response09186a00808075ad.html; classtype:attempted-admin; sid:13664; rev:9;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server; sip_method:invite; content:"Remote-Party-Id"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:11970; rev:13;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"xzY3JpcHQ+"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36735; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"PHNjcmlwdD"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36734; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"8c2NyaXB0P"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36733; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt"; flow:to_server,established; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; content:"To:"; content:"sip:@"; within:15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-recon; sid:45584; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt"; flow:to_server; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; content:"To:"; content:"sip:@"; within:15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-recon; sid:45583; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt"; flow:to_server,established,only_stream; sip_method:subscribe; content:"branch=z9hg4bk-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/mr.sip; classtype:attempted-dos; sid:45582; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP options request denial of service attempt"; flow:to_server,established,only_stream; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45581; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP invite request denial of service attempt"; flow:to_server,established,only_stream; sip_method:invite; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45580; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt"; flow:to_server; content:"branch=z9hg4bk-"; fast_pattern:only; sip_method:subscribe; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/mr.sip; classtype:attempted-dos; sid:45579; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP options request denial of service attempt"; flow:to_server; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45578; rev:4;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Mr.SIP invite request denial of service attempt"; flow:to_server; sip_method:invite; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45577; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: siparmyknife"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48352; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxSIPUserAgent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48351; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: CSipSimple"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48350; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: smap"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48349; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sundayddr"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48348; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Gulp"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48347; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: iWar"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48346; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIVuS"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48345; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxIPUserAgent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48344; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipv"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48343; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-request"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48342; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipsak"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48341; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipvicious"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48340; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipcli"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48339; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sip-scan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48338; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIPScan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48337; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Test Agent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48336; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Ozeki"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48335; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Ozeki"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48334; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: eyeBeam"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48333; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: hamdan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48332; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: eyeBeam"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48331; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: pplsip"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48330; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: hamdan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48329; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Conaito"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48328; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Conaito"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48327; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: pplsip"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48326; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIPScan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48325; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Test Agent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48324; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipcli"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48323; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: siparmyknife"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48322; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxSIPUserAgent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48321; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxIPUserAgent"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48320; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-request"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48319; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: smap"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48318; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipv"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48317; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Gulp"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48316; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIVuS"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48315; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: iWar"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48314; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sundayddr"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48313; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipsak"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48312; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: CSipSimple"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48311; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipvicious"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48310; rev:1;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sip-scan"; fast_pattern:only; metadata:service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48309; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-VOIP SIP over SCTP wildcard VIA address attempt"; ip_proto:132; content:"SIP/2.0/SCTP 0.0.0.0"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48593; rev:1;)


@@ -0,0 +1,773 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# PUA-ADWARE RULES
#------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection"; flow:to_server,established; content:"/?dn="; fast_pattern:only; http_uri; content:"pid="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/c6828c8bcce6786b39427fc5ad9df2f8163d3b8a7b3b5f8a5c5790c4488039f7/analysis/; classtype:misc-activity; sid:40357; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection"; flow:to_server,established; content:"/sk-logabpstatus.php"; fast_pattern:only; http_uri; content:"a="; nocase; http_uri; content:"b="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/c6828c8bcce6786b39427fc5ad9df2f8163d3b8a7b3b5f8a5c5790c4488039f7/analysis/; classtype:misc-activity; sid:40356; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; content:"/gdi?alpha="; fast_pattern:only; http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30261; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; content:"/gcs?alpha="; fast_pattern:only; http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30260; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud"; flow:to_server,established; urilen:8; content:"/scrstat"; fast_pattern; http_uri; content:"urls=%255b%2522"; nocase; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30496; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud"; flow:to_server,established; content:"/rlast?uri="; depth:11; http_uri; content:"?query="; distance:0; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30493; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Boaxxe suspicious advert traffic related to click fraud"; flow:to_server,established; content:"/?query=FpWk/DD16pc73UdTJiml/"; depth:29; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30492; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE IP address disclosure to advertisement sites attempt"; flow:to_server,established; content:"test?extip="; http_uri; content:"exip="; distance:0; http_uri; content:"pid="; distance:0; http_uri; content:"gid="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d6fa5440c80185d24d007e5836ed4613cca7e552b516c8aca8bce749af14c13/analysis/; classtype:policy-violation; sid:19998; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt"; flow:to_server,established; content:"GET"; http_method; content:"/builds/"; nocase; http_uri; content:"fflists.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:misc-activity; sid:26553; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.AdultAds outbound connection"; flow:to_server,established; content:"/AdPuller/adult_mature/adult_mature.xmls"; http_uri; content:"User-Agent|3A 20|Mozilla/2.0"; http_header; content:"AdTools"; within:7; distance:14; http_header; metadata:service http; reference:url,www.virustotal.com/file/E37DAAB60FE414E8EBFA83A80BBE11877072EC09663DD5F3651FE4DDEB187A82/analysis/; classtype:trojan-activity; sid:24086; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE LiveSecurityPlatinum.A outbound connection - initial connection"; flow:to_server,established; content:"/api/urls/?ts="; fast_pattern:only; http_uri; content:"User-Agent|3A 20 20 0D 0A|"; nocase; http_header; pcre:"/\/api\/urls\/\?ts=[a-z0-9]+&affid=\d{5}/iU"; metadata:impact_flag red, service http; reference:url,siri-urz.blogspot.ca/2012/06/live-security-platinum.html; classtype:trojan-activity; sid:23863; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE FakeAV landing page request"; flow:to_server,established; content:"/payform/?k="; fast_pattern:only; http_uri; metadata:service http; reference:url,urlquery.net/report.php?id=91654; classtype:trojan-activity; sid:23472; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.Phono post infection download attempt"; flow:to_server,established; content:"/playerUpdate2.exe"; nocase; http_uri; content:"User-Agent|3A 20|phonostar|20|Radio|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/file/6515C764C78F1F1C1067D8C23D4F400004A292E7C3C06175D8D2DDD77A16438C/analysis/; classtype:trojan-activity; sid:23369; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Wajam Monitizer outbound connection - post install"; flow:to_server,established; content:"/download/Wajam_5402.exe"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/AFE8CA9124F6CC84B8FEC64723531297653A419AE39710A64BCB4143F66215AB/analysis/; classtype:trojan-activity; sid:23247; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Wajam Monitizer url outbound connection - post install"; flow:to_server,established; content:"php?v="; http_uri; content:"&unique_id="; distance:0; http_uri; content:"&aid="; distance:0; http_uri; content:"&r="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/file/AFE8CA9124F6CC84B8FEC64723531297653A419AE39710A64BCB4143F66215AB/analysis/; classtype:trojan-activity; sid:23246; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE 888Poker install outbound connection attempt"; flow:to_server,established; content:"/setups/888poker/"; nocase; http_uri; content:"/SetupFiles/GIB/SDL/"; distance:0; nocase; http_uri; metadata:service http; classtype:trojan-activity; sid:21934; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.Downware variant outbound connection attempt"; flow:to_server,established; content:"/action.php?channel="; nocase; http_uri; content:"&detected_products="; distance:0; nocase; http_uri; content:"&offered="; distance:0; nocase; http_uri; content:"&funnel"; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/file/ae97f53b9f7dcbfa450b391d33b63eb21e4eada1325bea4083894b62d1bb15fe/analysis/; classtype:trojan-activity; sid:21924; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.MediaGetInstaller outbound connection - source ip infected"; flow:to_server,established; content:"MediagetDownloaderInfo"; fast_pattern:only; content:"MediagetDownloaderInfo"; http_cookie; metadata:service http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21645; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Adware.MediaGetInstaller inbound connection - destination ip infected"; flow:to_client,established; content:"MediagetDownloaderInfo"; fast_pattern:only; content:"MediagetDownloaderInfo"; http_cookie; metadata:service http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21644; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Internet Security 2010 outbound connection"; flow:to_server,established; content:"/buy/?code="; nocase; http_uri; pcre:"/buy\x2f\?code\=\d/U"; metadata:service http; reference:url,www.virustotal.com/en/file/af40310749172d3b59f1639122f3eb833adfb1d06802f40b2c47cbf0101b1ec8/analysis/; classtype:trojan-activity; sid:21184; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32.WindowsOptimizationAndSecurity outbound connection"; flow:to_server,established; content:"/soft-usage/favicon.ico?0="; fast_pattern:only; http_uri; pcre:"/\&5=\d+\&6=\d+\&7=\d+\.\d+\&8=\d+/Ui"; metadata:service http; reference:url,www.virustotal.com/en/file/6c52f680af940a15f896a777ff92950d512fac8ee19ba4b7bb3bcfca75e5dc4e/analysis/; classtype:trojan-activity; sid:21176; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Apperhand SDK advertising data request - Counterclank"; flow:to_server,established; content:"/ProtocolGW/protocol/command"; nocase; http_uri; content:"Host|3A| www.apperhand.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/3d8e1108999dc35c5b5202985547a25f/detection; classtype:misc-activity; sid:21169; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32.GamePlayLabs outbound connection"; flow:to_server,established; content:"/installer-run"; http_uri; content:"cc-silent-nozugo/"; distance:0; http_uri; content:"pid="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/93bf1dc265d39f119982fc5f39bce7e192c466d63c6d23b0b0b587386fd2ef06/analysis/; classtype:trojan-activity; sid:20753; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32.GameVance outbound connection"; flow:to_server,established; content:"clientv="; http_uri; content:"cltzone="; distance:0; http_uri; content:"method="; distance:0; http_uri; content:"mstime="; distance:0; http_uri; content:"os="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/dfe9aecbfe4158be354f4c60886efe72202f861882b780d1fab14ce60ea75c09/analysis/; classtype:trojan-activity; sid:20752; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE XP Guardian 2010 proantivirus21 host runtime traffic detection"; flow:to_server,established; content:"Host|3A| proantivirus21|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/07099d0b0af9e29910e31af8166c5d8d/detection; classtype:trojan-activity; sid:20434; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE XP Guardian 2010 anutayadokalug host outbound connection"; flow:to_server,established; content:"Host|3A| anutayadokalug|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/07099d0b0af9e29910e31af8166c5d8d/detection; classtype:trojan-activity; sid:20433; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.Wizpop outbound connection"; flow:to_server,established; content:"count.asp?exe="; http_uri; content:"act="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/5acce2b732ff1058586ab0a3c8c85b74afe62c0cb0ac07763cc2b99738b25ca4/analysis/; classtype:trojan-activity; sid:20220; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware mightymagoo/playpickle/livingplay - User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|tl_v"; fast_pattern:only; http_header; pcre:"/^User\x2DAgent\x3A\x20tl_v([0-9]{1,2}\x2E){2}[0-9]{1,4}/Hmi"; metadata:service http; classtype:misc-activity; sid:20143; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware playsushi - User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|ps|20|"; fast_pattern:only; http_header; pcre:"/^User\x2DAgent\x3A\x20ps\x20[0-9]{1,4}/Hmi"; metadata:service http; reference:url,www.arcadeweb.com; classtype:misc-activity; sid:20103; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Arcade Web - X-Arcadeweb header"; flow:to_server,established; content:"X-Arcadeweb"; nocase; http_header; metadata:service http; reference:url,www.arcadeweb.com; classtype:misc-activity; sid:20102; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Arcade Web - User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|aw|20|v"; fast_pattern:only; http_header; pcre:"/^User\x2DAgent\x3A\x20aw\x20v([0-9]{1,2}\x2E){2}[0-9]{1,4}/Hmi"; metadata:service http; reference:url,www.arcadeweb.com; classtype:misc-activity; sid:20101; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Arcade Web - installation/update"; flow:to_server,established; content:"/update/aw_update_v"; fast_pattern:only; http_uri; metadata:service http; classtype:misc-activity; sid:20100; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SecurityTool outbound connection"; flow:to_server,established; content:"php?affid="; http_uri; content:"url="; distance:0; http_uri; content:"win="; distance:0; http_uri; content:"sts="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/63990a154bc13ab456dcc525c632a6f191d20ff7aa3e6b80fd34403f8f3be35d/analysis/; classtype:trojan-activity; sid:20063; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.BB outbound connection"; flow:to_server,established; content:"install.php?pid=popuptest&cid=e1popguide_update3"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/023ed105431b8970a8f852d6c133cfd0d61cda6be56b6e154b988e17bb69747c/analysis/; classtype:trojan-activity; sid:20041; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE VirusBye outbound connection"; flow:to_server,established; content:"/app/ip.php"; http_uri; content:"Host|3A 20|virusbye|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/1c29d15a9bb6c930040775cad1a695399ecc06bff39724494e38d8bbe05acbf4/analysis/; classtype:trojan-activity; sid:20025; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Cinmus.asaq outbound connection"; flow:to_server,established; content:"/smb/nsi_install.php"; nocase; http_uri; content:"Host|3A| ads2.adservefast.biz"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/9083c85707fb33ff950d761d1c5b9acb/detection; classtype:trojan-activity; sid:20007; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE ThreatNuker outbound connection"; flow:to_server,established; content:"/build_info.php"; http_uri; content:"Host|3A 20|db|2E|threatnuker|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2b0654d9ba5b03d511bc03a48230c941b129a81de38976e5d15241a741283983/analysis/; classtype:trojan-activity; sid:19999; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Antivirus 360 outbound connection"; flow:to_server,established; content:"/firstrun.php?product=A36&aff="; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/546150dfa94f45b6471b0e9932536741626a6c0fb7e38137cc091d8b43b6c2d9/analysis/; classtype:trojan-activity; sid:19994; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Total Protect 2009 outbound connection"; flow:to_server,established; content:"/install.php?aid="; http_uri; content:"Host|3A 20|totalprotect2009|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/28fc02ff822de3d046218ea31df2d34e85ef4fec91ada4ebf333aa01b7fb26c7/analysis/; classtype:trojan-activity; sid:19990; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Total Protect 2009 outbound connection"; flow:to_server,established; content:"/buy.php?aid="; http_uri; content:"Host|3A 20|totalprotect2009|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/28fc02ff822de3d046218ea31df2d34e85ef4fec91ada4ebf333aa01b7fb26c7/analysis/; classtype:trojan-activity; sid:19989; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE PCLiveGuard outbound connection"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"Host|3A| update2.pcliveguard.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/ed8c7de355473c70703c07f7ea965dc7/detection; classtype:trojan-activity; sid:19987; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE AntivirusPC2009 install-time traffic detected"; flow:to_server,established; content:"/install.php?id"; nocase; http_uri; content:"Host|3A| antiviruspc-stat.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/latestreport.html?resource=f1a48d8d1536b7bbabc09a7129c6ed8d; classtype:trojan-activity; sid:19986; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE AntivirusPC2009 runtime traffic detected"; flow:to_server,established; content:"/dailystat.php?uid"; nocase; http_uri; content:"Host|3A| antiviruspc-stat.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/latestreport.html?resource=f1a48d8d1536b7bbabc09a7129c6ed8d; classtype:trojan-activity; sid:19985; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Antivirus 2010 outbound connection"; flow:to_server,established; content:"/av2010/version.php"; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/75bc6fa2acad3fb9ca1afe36429d20fa8964cc77e2379261d1f414e5d5cfb102/analysis/; classtype:trojan-activity; sid:19984; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE WeatherStudio outbound connection"; flow:to_server,established; content:"/dp/"; depth:4; nocase; http_uri; content:"Host|3A| as.weatherstudio.com"; nocase; http_header; pcre:"/\x2fdp\x2f(newsreader|search|weather)/Ui"; metadata:service http; reference:url,www.virustotal.com/en/file/e31e227570824971f06f433d01e464aa54e015383c4188d17f033086685f1ab8/analysis/; classtype:misc-activity; sid:19939; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE WinReanimator outbound connection"; flow:to_server, established; content:"/buy.html"; nocase; http_uri; content:"Host|3A| www.winreanimator.com|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/d7a42269fb89a01c5dfb7bb56ce488664efd7e10970f473c4238b049de210d95/analysis/; classtype:misc-activity; sid:19904; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32.Agent.vvm outbound connection"; flow:to_server, established; content:"/?mode=gen&gd="; depth:14; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"Referer|3A| http|3A 2F 2F|www.zabeedly.com/search.php?q="; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/d2d13249a8c17047a717c43ba595a00f7f47c5fb6de5ce98c0675173f07ea5bc/analysis/; classtype:misc-activity; sid:19903; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Targetedbanner.biz Adrotator outbound connection"; flow:to_server, established; content:"/bc/123kah.php"; depth:14; nocase; http_uri; content:"showed="; depth:7; nocase; http_client_body; content:"clicked="; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/efe9f61a85076750d6d1f28e663de583234d05850a6ce19295a0f260eab4299d/analysis/; classtype:misc-activity; sid:19902; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.Win32.Frosty Goes Skiing Screen Saver 2.2 Install Detection"; flow:to_server,established; content:"/AppInstall?app=VVSN"; http_uri; content:"Host|3A 20|app|2E|whenu|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/ccc3258541762de91147d8c4d51321f7a36a17162bfb9caae986417a1e13a1fb/analysis/; classtype:misc-activity; sid:19896; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trust Warrior outbound connection"; flow:to_server,established; content:"|2F|report|3F|current_version"; nocase; http_uri; content:"www|2E|trustwarrior|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a7ed7b1b9b92c3a19d8f3525501adc82/detection; classtype:trojan-activity; sid:19860; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE XP Deluxe Protector outbound connection"; flow:to_server,established; content:"/pp/?id"; http_uri; content:"Host|3A 20|xp-deluxeprotector|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/61c381e1701a1a441d13b1b8891c552f44be3ba2bd3412b55930df6f00f9c9f0/analysis/; classtype:trojan-activity; sid:19859; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Wowpa KI outbound connection"; flow:to_server,established; content:"/wowupdate.htm"; http_uri; content:"Host|3A 20|update|2E|cn911|2E|org"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/a83fd44bf4aa4bf7ae010dd9cf707961d5964320129832cf2c233721fd028be5/analysis/; classtype:trojan-activity; sid:19853; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Adware.Virtumonde runtime detection"; flow:to_server,established; content:"/cn?sid="; nocase; http_uri; content:"Host|3A| 85.17.166.172"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/7fad6a99ecf25b14cb7aa98c825da27f81de2d4a8e3b15bc37f2e30faa9e3531/analysis/; classtype:trojan-activity; sid:19849; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Adware.Virtumonde runtime detection"; flow:to_server,established; content:"/d/5.0.1/Setup"; nocase; http_uri; content:"Host|3A| www.registrydefender.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/7fad6a99ecf25b14cb7aa98c825da27f81de2d4a8e3b15bc37f2e30faa9e3531/analysis/; classtype:trojan-activity; sid:19848; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Windows Antivirus 2008"; flow:to_server, established; content:"secure2|2E|softpaydirect|2E|com"; fast_pattern:only; http_header; content:"|2F|purchase|2F|secure|2E|php"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/940deb3a47fd625af7d503dc1dc2a6b281608e6baa25aa73c66e959a70a1017c/analysis/; classtype:trojan-activity; sid:19843; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Windows Antivirus 2008"; flow:to_server, established; content:"winavsentry|2E|com"; fast_pattern:only; http_header; content:"|2F|buy|2E|php"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/940deb3a47fd625af7d503dc1dc2a6b281608e6baa25aa73c66e959a70a1017c/analysis/; classtype:trojan-activity; sid:19842; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE 0desa MSN password stealer"; flow:to_server, established; content:"Host|3A 20|www.odesa.net84.net"; fast_pattern:only; http_header; content:"sendmail.php|3F|mail|3D|"; http_uri; content:"password"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/35d8c61a75735d7f9d6901955f7130221bb4cf90b5ce40b46bc6561c6ff4ec29/analysis/; classtype:misc-activity; sid:19841; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE XP Antispyware 2009 outbound connection"; flow:to_server,established; content:"/buy.html?wmid="; nocase; http_uri; content:"&skey="; nocase; http_uri; content:"Host|3A| www.xpas2009.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/be302edbb7f36b090805eb18bbc001c14f2889c8c1c3e9476b870c203e4e7821/analysis/; classtype:trojan-activity; sid:19840; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Antivirus XP 2008 runtime detection"; flow:to_server, established; content:"/buy2/"; nocase; http_uri; content:"Host|3A| www.anti-virusxp2008.net"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/4e38904150ce5595d2187a6a647d8ac501d0d41975785dfefe7ecb654dd60f07/analysis/; classtype:misc-activity; sid:19839; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Spyware Guard 2008 outbound connection"; flow:to_server,established; content:"/buy.html?"; nocase; http_uri; content:"track_id="; content:"Host|3A| gosg2008.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/23825c22c0955e7a82a5ed700121cb415308ce7e4eae916a4059ba41020bac1e/analysis/; classtype:misc-activity; sid:19838; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Spyware Guard 2008 outbound connection"; flow:to_server,established; content:"/api.php?data="; nocase; http_uri; content:"Host|3A| cmserv.org"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/23825c22c0955e7a82a5ed700121cb415308ce7e4eae916a4059ba41020bac1e/analysis/; classtype:misc-activity; sid:19837; rev:4;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-ADWARE Delphi-Piette Windows"; itype:8; content:"Pinging from Delphi code written by F. Piette"; isdataat:2000,relative; reference:url,www.virustotal.com/en/file/3df563ec64f798ebec06abe85dec33d292def4259d6d404bcaf62ea0e0475c7e/analysis/; classtype:misc-activity; sid:19835; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE PWS-QQGame outbound connection"; flow:to_server,established; content:"/html.txt"; nocase; http_uri; content:"Host|3A| 866muma.3322.org"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/f1d6d37696bf581ef31325e23d07327dec5bdb10e546ed450716d7cc19f668ea/analysis/; classtype:trojan-activity; sid:19827; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Downloader.Banload.AKBB outbound connection"; flow:to_server,established; content:"/deca/?act="; nocase; http_uri; content:"nickname="; nocase; http_uri; content:"Host|3A| nguoidep.1sthoster.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b0840f1ae5a0df0e85142e2c83afc5eeafc240a10c71636d1d2c8b0755a26d60/analysis/; classtype:trojan-activity; sid:19823; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Fast Antivirus 2009 outbound connection"; flow:to_server,established; content:"/reports/minstalls.php"; nocase; http_uri; content:"Host|3A| updvmfnow.cn"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/23825c22c0955e7a82a5ed700121cb415308ce7e4eae916a4059ba41020bac1e/analysis/; classtype:trojan-activity; sid:19777; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE PWS.Win32.Ldpinch.gen outbound connection"; flow:to_server,established; content:"/filter/admin.php"; nocase; http_uri; content:"a=&b=&d=&c="; depth:11; fast_pattern; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/9688faf1374b0796de296719b54a57073d2304893c8320ce8ebb93e8f1d600db/analysis/; classtype:trojan-activity; sid:19775; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Virus.Win32.Virut.ce outbound connection"; flow:to_server,established; content:"|2F|licen|2F|part|2E|txt"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/49d2b211a20fd2fa353da3f2fb2b7bfe/detection; classtype:trojan-activity; sid:19717; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Infostealer.Gampass outbound connection"; flow:to_server,established; content:"/workzx.dll"; nocase; http_uri; content:"Host|3A| www.wm5d.cn"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/44a95d5de7197ad916be6392bcc63e496e0d31559b3acabd50f058dfb97d645c/analysis/; classtype:misc-activity; sid:19598; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win32.Fruspam outbound connection"; flow:to_server,established; content:"g_Version|3A|"; nocase; http_header; content:"g_UID|3A|"; nocase; http_header; content:"g_MorphID|3A|"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/bd1cfd7b15f70d131d8f3f013a4e6afb0807791b898d96d3cc2b57de576acf1f/analysis/; classtype:misc-activity; sid:19594; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Personal Guard 2009 outbound connection"; flow:to_server,established; content:"/buy.html"; http_uri; content:"Host|3A|"; nocase; http_header; content:"personalguard2009|2E|com"; distance:0; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/9636820ae780568f1627c2d596cdd0214ef7d5f4e03444de4996f1807161a37b/analysis/; classtype:trojan-activity; sid:19578; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Antivirus Pro 2010 outbound connection"; flow:to_server,established; content:"/files/avp21_d_/_1_._d_"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/4bf5ec55c48454ac1b5eb4ec9c4486bdf5a6868960b8cee77e02d34a0a84afc5/analysis/; classtype:trojan-activity; sid:19576; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Antivirus Agent Pro outbound connection"; flow:to_server,established; content:"/stat.php"; nocase; http_uri; content:"s="; distance:0; nocase; http_uri; content:"Indy Library"; nocase; http_header; content:"Host|3A 20|actupdate|2E|net"; nocase; http_header; pcre:"/User-Agent\x3A\s+[^\r\n]*Indy\s+Library/iH"; metadata:service http; reference:url,www.virustotal.com/#/file/d6868aba37c67fd3f5f526bdd1467317/detection; classtype:trojan-activity; sid:19571; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE W32.Ackantta.C.mm mass-mailer outbound connection"; flow:to_server, established; content:"From|3A| invitations@twitter.com|0D 0A|"; depth:31; fast_pattern; nocase; content:"Subject|3A| Your friend invited you to twitter!"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1102; reference:url,www.virustotal.com/en/file/33e9c017cd020176e99adb8243cb0028f00b49754d50e669885a831557b04659/analysis/; classtype:trojan-activity; sid:19567; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE W32.Ackantta.C.mm mass-mailer outbound connection"; flow:to_server, established; content:"From|3A| invitations@hi5.com|0D 0A|"; depth:27; fast_pattern; nocase; content:"Subject|3A| Jessica would like to be your friend on hi5!"; nocase; metadata:service smtp; reference:url,www.virustotal.com/en/file/33e9c017cd020176e99adb8243cb0028f00b49754d50e669885a831557b04659/analysis/; classtype:trojan-activity; sid:19566; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE W32.Fiala.A outbound connection"; flow:to_server,established; content:"|2F|v|2E|txt"; nocase; http_uri; content:"Host|3A 20|x|2E|moneyinfom|2E|com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/2c1578df8113424be3b3d9e390529615/detection; classtype:trojan-activity; sid:19486; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Sus.BancDI-B trojan outbound connection"; flow:to_server, established; content:"/historicmarietta/.vll/es.php"; nocase; http_uri; content:"Host|3A| www.mariettapa.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/f32f1b51145f96c3659bb3709b9da4a363858f7c71c11deb32ca1fa8bc54c834/analysis/; classtype:trojan-activity; sid:19453; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Lost Door v3.0"; flow:to_server,established; content:"v1ct1m|5B 5C|AS|2F 5D|"; depth:12; nocase; reference:url,www.virustotal.com/en/file/733aeabddc3a28eb61041d529b853cb41319ca700c73e5022aa7fd5eeab52919/analysis/; classtype:trojan-activity; sid:19391; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Classroom Spy Professional outbound connection - initial connection"; flow:to_client,established; flowbits:isset,Malware_ClassroomSpyPro_detection3; content:"|78 01 33 AD 72 AF 34 2E 77 F6 A8 34|"; depth:12; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453101935; classtype:trojan-activity; sid:19327; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Classroom Spy Professional outbound connection - initial connection"; flow:to_client,established; content:"|00 00 00 34|"; depth:4; flowbits:set,Malware_ClassroomSpyPro_detection3; flowbits:noalert; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453101935; classtype:trojan-activity; sid:19326; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE Keylogger aspy v2.12 runtime detection"; flow:to_server,established; content:"This is report of the program |60|ASpy|60 2E|"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name aSpy&threatid=48392; reference:url,www.emsisoft.es/en/malware/?Adware.Win32.aSpy+Keylogger; classtype:successful-recon-limited; sid:19311; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker starware videos outbound connection"; flow:to_server,established; content:"/dp/weather?f="; nocase; http_uri; content:"loc="; distance:0; nocase; http_uri; content:"client_id="; distance:0; nocase; http_uri; content:"version="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/514180c942af19fdc7c7ab4de3b81100a300bf651f36ca6d736ce8526a375237/analysis/; classtype:trojan-activity; sid:19309; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware.Win32.Cashtitan contact to server attempt"; flow:to_server,established; content:"|2F|nsi_install|2E|php|3F|"; nocase; http_uri; content:"aff_id|3D|cashtitan"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/aa43ca4f5a532043d1b673cbaa64c7fd/detection; classtype:trojan-activity; sid:19061; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE RogueSoftware.Win32.SystemDefragmenter outbound connection"; flow:to_server,established; content:"|2F|readdatagateway|2E|php|3F|"; nocase; http_uri; content:"type|3D|stats|26|"; nocase; http_uri; content:"affid|3D|"; nocase; http_uri; content:"subid|3D|"; nocase; http_uri; content:"|26|installok"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/21d64143e87758aedddb1aa99fd3857a/detection; classtype:trojan-activity; sid:19059; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE RogueSoftware.Win32.Winwebsec outbound connection"; flow:to_server,established; content:"|2F|buy|2E|php|3F|q|3D|"; nocase; http_uri; content:"screen_info|3D|"; nocase; http_client_body; content:"cc_number|3D|"; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/#/file/c0f2d72894e2c6d96cb26483d4f6b4a2/detection; classtype:trojan-activity; sid:19046; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE RogueSoftware.Win32.ThinkPoint outbound connection"; flow:to_server,established; content:"|2F|tpn|2F|index_new|2E|php|3F|id|3D|"; nocase; http_uri; content:"|26|cache|3D|"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/a1e3337142847dc4d14c96e586f166f6/detection; classtype:trojan-activity; sid:19044; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE RogueSoftware.Win32.BestBoan outbound connection"; flow:to_server,established; content:"|2F|pay|2F|payment|2E|php|3F|sncode|3D|"; nocase; http_uri; pcre:"/\x2Fpay\x2Fpayment\x2Ephp\x3Fsncode\x3D[0-9a-f]{12}\x26pid\x3D/Ui"; metadata:service http; reference:url,www.virustotal.com/#/file/126ef04604ffc2dfb703604e6cc2e03c/detection; classtype:trojan-activity; sid:19043; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Smart Protector outbound connection"; flow:to_server,established; content:"/buy.html"; http_uri; content:"smartprotectorpro|2E|com"; nocase; pcre:"/^Host\x3a[^\r\n]*smartprotectorpro\x2ecom/mi"; metadata:service http; reference:url,www.2-spyware.com/remove-smart-protector.html; classtype:successful-recon-limited; sid:19026; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE PC Antispyware 2010 FakeAV download/update attempt"; flow:to_server,established; content:"/files"; nocase; http_uri; content:"|29|.|28|t|29|"; fast_pattern; nocase; http_uri; metadata:service http; classtype:trojan-activity; sid:16498; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Cutwail spambot server communication attempt"; flow:to_server,established; content:"spm/page.php?"; http_uri; content:"id="; nocase; http_uri; content:"tick="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"smtp="; nocase; http_uri; content:"task="; nocase; http_uri; metadata:service http; classtype:trojan-activity; sid:16494; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Rogue-Software ang antivirus 09 runtime detection"; flow:to_server,established; content:"/angantivirus-2009.com/"; http_uri; content:"Host|3A| setup.angantivirus2009.info"; fast_pattern:only; metadata:service http; reference:url,en.wikipedia.org/wiki/ANG_Antivirus; classtype:trojan-activity; sid:16456; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE OnlineGames download attempt"; flow:to_server,established; content:"/nbok01/"; fast_pattern:only; http_uri; metadata:service http; classtype:trojan-activity; sid:16365; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue-software windows antivirus 2008 runtime detection - registration and payment page"; flow:to_server,established; content:"/purchase/secure.php?"; http_uri; content:"frame="; distance:0; nocase; http_uri; content:"orderid="; distance:0; nocase; http_uri; content:"orderid1="; distance:0; nocase; http_uri; content:"orderid2="; distance:0; nocase; http_uri; content:"disc="; distance:0; nocase; http_uri; content:"product_name=Windows+Antivirus+2008"; distance:0; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=288214; reference:url,www.spywareremove.com/removeWindowsAntivirus2008.html; classtype:trojan-activity; sid:16280; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue-software windows antivirus 2008 runtime detection - pre-sale page"; flow:to_server,established; content:"/buy.php?"; http_uri; content:"frame="; distance:0; http_uri; content:"advid="; distance:0; http_uri; content:"winavsentry.com"; fast_pattern:only; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=288214; reference:url,www.spywareremove.com/removeWindowsAntivirus2008.html; classtype:trojan-activity; sid:16279; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler win32-fakealert.kl installime detection - updates remote server"; flow:to_server,established; content:"/update_inst.php?"; http_uri; content:"wmid="; http_uri; content:"subid="; http_uri; content:"pid="; http_uri; content:"lid="; http_uri; content:"hs="; http_uri; content:"Host|3A| do-monster-scan.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75472; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2; classtype:misc-activity; sid:16278; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler win32-fakealert.kl outbound connection - downloads malicious files"; flow:to_server,established; content:"/binary/AntivirusPro2009/Binaries1.cab"; http_uri; content:"Host|3A| down-soft-index.com"; nocase; metadata:service http; reference:url,www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75472; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2; classtype:misc-activity; sid:16277; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler win32-fakealert.kl outbound connection"; flow:to_server,established; content:"/buy.html?"; http_uri; content:"wmid="; http_uri; content:"l="; http_uri; content:"s="; http_uri; content:"skey="; http_uri; content:"Host|3A| www.av-pro-2009.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75472; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2; classtype:misc-activity; sid:16276; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software pc antispyware 2010 runtime detection - files"; flow:to_server,established; content:"/files"; http_uri; content:"gomafobianiotas.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453172046; classtype:trojan-activity; sid:16267; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software pc antispyware 2010 runtime detection - buy"; flow:to_server,established; content:"/buy.html"; http_uri; content:"pc-antispy2010.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453172046; classtype:trojan-activity; sid:16266; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software 007 anti-spyware runtime detection - register"; flow:to_server,established; content:"/register"; http_uri; content:"www.007antispyware.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-073120-1433-99; classtype:trojan-activity; sid:16265; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software 007 anti-spyware runtime detection - update"; flow:to_server,established; content:"/007AS/update/Update.ini"; http_uri; content:"www.webslt.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-073120-1433-99; classtype:trojan-activity; sid:16264; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp-shield outbound connection - installation"; flow:to_server,established; content:"/install/?aid"; http_uri; content:"www.xp-shield.cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453133950; classtype:trojan-activity; sid:16263; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp-shield outbound connection"; flow:to_server,established; content:"/purchase.htm?aid"; http_uri; content:"www.xp-shield.cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453133950; classtype:trojan-activity; sid:16262; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp antivirus protection runtime detection - runtime"; flow:to_server,established; content:"/order_xp.php"; nocase; http_uri; content:"ver="; distance:0; http_uri; content:"liveresponsesite.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453122012; classtype:trojan-activity; sid:16261; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp antivirus protection runtime detection - installation"; flow:to_server,established; content:"/firstrun.php"; nocase; http_uri; content:"product=XPA"; distance:0; nocase; http_uri; content:"aff="; distance:0; nocase; http_uri; content:"liveresponsesite.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453122012; classtype:trojan-activity; sid:16260; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software antivirusdoktor2009 runtime detection"; flow:to_server,established; content:"/join.html"; http_uri; content:"www.antivirus-doktor.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453164387; classtype:trojan-activity; sid:16259; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software perfect defender 2009 outbound connection - purchase"; flow:to_server,established; content:"/buy.php"; http_uri; content:"www.pdefender2009.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453144750; classtype:trojan-activity; sid:16258; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software perfect defender 2009 outbound connection - update"; flow:to_server,established; content:"/upd1.php"; http_uri; content:"dbbasediv="; distance:0; http_uri; content:"download.pdefender2009.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453144750; classtype:trojan-activity; sid:16257; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software coreguard antivirus 2009 runtime detection"; flow:to_server,established; content:"/c.dat"; http_uri; content:"guardlab2009.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453157038; classtype:trojan-activity; sid:16256; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE rogue software system security 2009 outbound connection"; flow:to_client,established; flowbits:isset,systemsecurity2009; content:"location|3A| in.php?url="; nocase; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339; classtype:trojan-activity; sid:16255; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software system security 2009 outbound connection"; flow:to_server,established; content:"/in.php"; http_uri; content:"url="; http_uri; content:"affid="; http_uri; flowbits:set,systemsecurity2009; flowbits:noalert; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339; classtype:trojan-activity; sid:16254; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software system security 2009 outbound connection"; flow:to_server,established; content:"/cards/"; http_uri; content:"affid="; distance:0; http_uri; content:"electronicbillinghost.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339; classtype:trojan-activity; sid:16253; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software pro antispyware 2009 runtime detection - purchase"; flow:to_server,established; content:"/pay/"; http_uri; content:"sales.proantispyware-2009-buy.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453144054; classtype:trojan-activity; sid:16252; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software win pc defender outbound connection"; flow:to_server,established; content:"/installed.php?"; nocase; http_uri; content:"id="; distance:0; nocase; http_uri; content:"win-pc-defender.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453153970; classtype:trojan-activity; sid:16251; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software win pc defender outbound connection"; flow:to_server,established; content:"/pp/?id="; nocase; http_uri; content:"billingpayment.net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453153970; classtype:trojan-activity; sid:16250; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software ms antispyware 2009 runtime detection - pay"; flow:to_server,established; content:"/pay/"; http_uri; content:"sales.buy-msantispyware2009.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453146855; classtype:trojan-activity; sid:16249; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software ms antispyware 2009 runtime detection - start"; flow:to_server,established; content:"/stat.php"; http_uri; content:"func="; distance:0; nocase; http_uri; content:"int.ms-asreport1.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453146855; classtype:trojan-activity; sid:16248; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software spyware protect 2009 outbound connection - block"; flow:to_server,established; content:"/block.php?"; nocase; http_uri; content:"r=19.0"; distance:0; nocase; http_uri; content:"browser-security.microsoft.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151948; classtype:trojan-activity; sid:16247; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software spyware protect 2009 outbound connection - purchase request"; flow:to_server,established; content:"/purchase?"; nocase; http_uri; content:"r="; distance:0; nocase; http_uri; content:"spywprotect.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151948; classtype:trojan-activity; sid:16246; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp police antivirus install-timedetection"; flow:to_server,established; content:"/controller.php"; nocase; http_uri; content:"action="; distance:0; nocase; http_uri; content:"guid="; distance:0; nocase; http_uri; content:"rnd="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151932; classtype:trojan-activity; sid:16245; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue software xp police antivirus runtime detection - purchase"; flow:to_server,established; content:"/xpbuy/"; nocase; http_uri; content:"xp-police.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151932; classtype:trojan-activity; sid:16244; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker xp antispyware 2009 runtime detection - pre-sale webpage"; flow:to_server,established; content:"/buy.html?"; nocase; http_uri; content:"wmid="; nocase; http_uri; content:"skey="; nocase; http_uri; content:"Host|3A| www.xpas2009.com"; fast_pattern; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=XPAntiSpyware%202009&threatid=429593; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141780; classtype:misc-activity; sid:16136; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spyware guard 2008 runtime detection - purchase page"; flow:to_server,established; content:"/buy.html?"; nocase; http_uri; content:"track_id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"gosg2008.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*gosg2008\x2ecom/smiH"; metadata:service http; reference:url,malwaredatabase.net/blog/index.php/2008/10/23/antivirus-2009-2-file-added-5-domains-added-low-detection-136/; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141606; classtype:misc-activity; sid:16135; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spyware guard 2008 runtime detection - contacts remote server"; flow:to_server,established; content:"/api.php?"; nocase; http_uri; content:"data="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cmserv.org"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*cmserv\x2eorg/smiH"; metadata:service http; reference:url,malwaredatabase.net/blog/index.php/2008/10/23/antivirus-2009-2-file-added-5-domains-added-low-detection-136/; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141606; classtype:misc-activity; sid:16134; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware superiorads runtime detection"; flow:to_server,established; content:"/bc/123kah.php"; nocase; content:"Host|3A|"; nocase; http_header; content:"superiorads.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*superiorads\x2ebiz/smiH"; metadata:service http; reference:url,www.adwareaway.net/superiorads.htm; reference:url,www.precisesecurity.com/threats/adwaresuperiorads/; classtype:misc-activity; sid:16127; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler virusremover 2008 outbound connection"; flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=3P_UVRM"; nocase; http_uri; content:"nid=3P_UVRM"; nocase; http_uri; metadata:service http; reference:url,ca.com/fr/securityadvisor/pest/pest.aspx?id=453137574; reference:url,www.spywareremove.com/removeVirusRemover2008.html; classtype:misc-activity; sid:16126; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue antivirus xp 2008 runtime detection - update"; flow:to_server,established; content:"/updates/check.html"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.anti-virusxp2008.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2eanti\x2dvirusxp2008\x2enet/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Antivirus%20XP%202008%20(Winifixer)&threatid=310434; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-071613-4343-99&tabid=2; classtype:misc-activity; sid:16123; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE rogue antivirus xp 2008 runtime detection - buy"; flow:to_server,established; content:"/buy2/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.anti-virusxp2008.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2eanti\x2dvirusxp2008\x2enet/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Antivirus%20XP%202008%20(Winifixer)&threatid=310434; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-071613-4343-99&tabid=2; classtype:misc-activity; sid:16122; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker weatherstudio outbound connection"; flow:to_server,established; content:"/dp/"; nocase; http_uri; content:"x="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.weatherstudio.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*as\x2eweatherstudio\x2ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122854; reference:url,vil.nai.com/vil/content/v_137487.htm; classtype:misc-activity; sid:16121; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winreanimator runtime detection - daily update"; flow:to_server,established; content:"/WinReanimator/daily.cvd"; nocase; http_uri; metadata:service http; reference:url,www.411-spyware.com/effacer-winreanimator; reference:url,www.windowsvistaplace.com/winreanimator-removal-instructions-winreanimator/spyware-removal; classtype:misc-activity; sid:16119; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winreanimator runtime detection - register request"; flow:to_server,established; content:"/buy.html"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.winreanimator.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ewinreanimator\x2ecom/smiH"; metadata:service http; reference:url,www.411-spyware.com/effacer-winreanimator; reference:url,www.windowsvistaplace.com/winreanimator-removal-instructions-winreanimator/spyware-removal; classtype:misc-activity; sid:16118; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Martuz HTTP GET request attempt"; flow:to_server,established; content:"/martuz.cn"; nocase; http_uri; pcre:"/\x2Fmartuz\x2Ecn\x2Fvid\x2F\x3Fid\x3D\d+/smi"; metadata:service http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15567; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Gumblar HTTP GET request attempt"; flow:to_server,established; content:"/gumblar.cn"; nocase; http_uri; pcre:"/\x2Fgumblar\x2Ecn\x2Frss\x2F\x3Fid\x3D\d+/smi"; metadata:service http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15566; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Waledac spam bot HTTP POST request"; flow:to_server,established; content:"X-Request-Kind-Code|3A|"; nocase; http_header; metadata:service http; reference:url,blogs.technet.com/mmpc/archive/2009/04/14/wheres-waledac.aspx; classtype:misc-activity; sid:15476; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winspywareprotect runtime detection - connection to malicious server"; flow:to_server,established; content:"/confuci.php?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"xiphoman.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*xiphoman\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453132073; reference:url,www.spywareremove.com/removeWinSpywareProtect.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1; classtype:misc-activity; sid:14080; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winspywareprotect runtime detection - connection to malicious sites"; flow:to_server,established; content:"/bc/123kah.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"a1.mxlivemedia.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*a1\x2Emxlivemedia\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453132073; reference:url,www.spywareremove.com/removeWinSpywareProtect.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1; classtype:misc-activity; sid:14079; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winspywareprotect runtime detection - download malicous code"; flow:to_server,established; content:"/mxlivemedia/multi/73.exe"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Installer"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Installer/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453132073; reference:url,www.spywareremove.com/removeWinSpywareProtect.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1; classtype:misc-activity; sid:14078; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker Adware win32 mostofate runtime detection - redirect search results"; flow:to_server,established; content:"/results/?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"pstv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.powersearchtool.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2epowersearchtool\x2ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Mostofate.dx&threatid=356346; reference:url,www.f-secure.com/sw-desc/adware_w32_mostofate.shtml; classtype:misc-activity; sid:14077; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker Adware win32 mostofate runtime detection - hijack search"; flow:to_server,established; content:"/search/"; nocase; http_uri; content:"q="; nocase; http_uri; content:"pstv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.powersearchtool.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2epowersearchtool\x2ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Mostofate.dx&threatid=356346; reference:url,www.f-secure.com/sw-desc/adware_w32_mostofate.shtml; classtype:misc-activity; sid:14076; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker Adware bho.gen runtime detection - prompt download page"; flow:to_server,established; content:"/download.php"; nocase; http_uri; content:"ieantivirus.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*ieantivirus\x2Ecom/smi"; metadata:service http; reference:url,vil.nai.com/vil/content/v_140752.htm; reference:url,www.pctools.com/mrc/infections/id/Adware.BHO.GEN/; classtype:misc-activity; sid:14073; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker Adware bho.gen runtime detection - pop-up window traffic #2"; flow:to_server,established; content:"/?pp"; nocase; http_uri; content:"id="; nocase; http_uri; content:"free-viruscan.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*free\x2Dviruscan\x2Ecom/smi"; metadata:service http; reference:url,vil.nai.com/vil/content/v_140752.htm; reference:url,www.pctools.com/mrc/infections/id/Adware.BHO.GEN/; classtype:misc-activity; sid:14072; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker Adware bho.gen runtime detection - pop-up window traffic #1"; flow:to_server,established; content:"/id/"; nocase; http_uri; content:"free-viruscan.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*free\x2Dviruscan\x2Ecom/smi"; metadata:service http; reference:url,vil.nai.com/vil/content/v_140752.htm; reference:url,www.pctools.com/mrc/infections/id/Adware.BHO.GEN/; classtype:misc-activity; sid:14071; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware brave sentry runtime detection - self update"; flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.bravesentry.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ebravesentry\x2ecom/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_138897.htm; reference:url,www.spywareremove.com/removeBravesentry.html; classtype:misc-activity; sid:14070; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware brave sentry runtime detection - order request"; flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.bravesentry.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ebravesentry\x2ecom/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_138897.htm; reference:url,www.spywareremove.com/removeBravesentry.html; classtype:misc-activity; sid:14069; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware rond runtime detection"; flow:to_server,established; content:"/st?"; nocase; http_uri; content:"ad_type=pop"; nocase; http_uri; content:"ad_size="; nocase; http_uri; content:"section="; nocase; http_uri; content:"banned_pop_types="; nocase; http_uri; content:"pop_times="; nocase; http_uri; content:"http|3A|//mtn5.goole.ws/ac.php"; distance:0; nocase; pcre:"/^Referer\x3a[^\r\n]*http\x3A\x2F\x2Fmtn5\x2Egoole\x2Ews\x2Fac\x2Ephp/smi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Adware.Rond&threatid=164718; reference:url,www.spywaredetector.net/spyware_encyclopedia/Adware.Rond.htm; classtype:misc-activity; sid:14068; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware swizzor runtime detection"; flow:to_server,established; content:"/tba/cm"; nocase; content:"Host|3A|"; nocase; http_header; content:"ads.netbios-local.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ads\x2enetbios\x2dlocal\x2ecom/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_136491.htm; reference:url,www.411-spyware.com/remove-swizzor; classtype:misc-activity; sid:14067; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winsecuredisc runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"WinSecureDisc"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*WinSecureDisc/smiH"; metadata:service http; reference:url,www.emsisoft.com/fr/malware/?Adware.Win32.WinSecureDisc; reference:url,www.spywareremove.com/removeWinSecureDisc.html; classtype:misc-activity; sid:14066; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cashon outbound connection - auto update"; flow:to_server,established; content:"/app/cashonband/bin/CashOnUpdate.exe"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CashOn&threatid=53428; reference:url,vil.nai.com/vil/content/v_142287.htm; classtype:misc-activity; sid:14064; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cashon outbound connection - hijack ie searches"; flow:to_server,established; content:"/search/search.php?"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.cashon.co.kr"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ecashon\x2eco\x2ekr/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CashOn&threatid=53428; reference:url,vil.nai.com/vil/content/v_142287.htm; classtype:misc-activity; sid:14063; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler antimalware guard runtime detection - auto update"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"proto="; nocase; http_uri; content:"ac="; nocase; http_uri; content:"abbr=3P_UAMG"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"rc=3P_UAMG"; nocase; http_uri; metadata:service http; reference:url,www.spyware-techie.com/how-to-remove-anti-malware-guard/; reference:url,www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions; classtype:misc-activity; sid:14062; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler antimalware guard runtime detection - order/register request"; flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=3P_UAMG"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"al="; nocase; http_uri; content:"af="; nocase; http_uri; content:"an="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"nid=3P_UAMG"; nocase; http_uri; metadata:service http; reference:url,www.spyware-techie.com/how-to-remove-anti-malware-guard/; reference:url,www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions; classtype:misc-activity; sid:14061; rev:8;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-ADWARE Hijacker cpush 2 outbound connection - pass info to controlling server"; content:"|01 0F|_H"; depth:4; content:"|00 00 00|"; offset:26; nocase; content:"|00 00|http|3A|//"; offset:1; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453101269; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-031215-0744-99; classtype:misc-activity; sid:14058; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware AdwareALERT runtime detection - auto update"; flow:to_server,established; content:"/update/info"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AdwareAlert"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AdwareAlert/smiH"; metadata:service http; reference:url,www.2-spyware.com/remove-adwarealert.html; reference:url,www.411-spyware.com/remove-adwarealert; classtype:misc-activity; sid:14054; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler dropper agent.rqg outbound connection"; flow:to_server,established; content:"/cc.txt"; nocase; http_uri; flowbits:set,Dropper_Agent.rqg_Detection; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:13943; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker win32.bho.bgf outbound connection"; flow:to_server,established; content:"/105/bmw.q?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"44.770304123.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*44\x2e770304123\x2ecn/smiH"; metadata:service http; reference:url,www.baidumsg.com/malwareremoval/malwareremoval_5947.html; classtype:misc-activity; sid:13940; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Hijacker adware.win32.ejik.ec variant runtime detection - auto update"; flow:to_client,established; flowbits:isset,AdWare_Ejik.ec_Detection; file_data; content:"|3B|aa88.dll|3B|"; pcre:"/^\d+\x3baa88\x2edll\x3b\d+\x3b/smi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Ejik.ec&threatid=281451; reference:url,www.emsisoft.fr/fr/malware/?Adware.Win32.Ejik.ec; classtype:misc-activity; sid:13939; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adware.win32.ejik.ec variant outbound connection"; flow:to_server,established; content:"/ver.txt"; nocase; http_uri; flowbits:set,AdWare_Ejik.ec_Detection; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:13938; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adware.win32.ejik.ec variant runtime detection - call home"; flow:to_server,established; content:"/topnew/passdomain.txt"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.web228.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2eweb228\x2ecn/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Ejik.ec&threatid=281451; reference:url,www.emsisoft.fr/fr/malware/?Adware.Win32.Ejik.ec; classtype:misc-activity; sid:13937; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler pc privacy cleaner outbound connection - order/register request"; flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UPCPC"; nocase; http_uri; content:"nid=UPCPC"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"UPCPC"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*UPCPC/smiH"; metadata:service http; reference:url,malware-remover.com/pcprivacycleaner-removal-tool-pc-privacy-cleaner/; reference:url,www.xp-vista.com/spyware-removal/pcprivacycleaner-pc-privacy-cleaner-removal-instructions; classtype:misc-activity; sid:13930; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware malware destructor 4.5 runtime detection - auto update"; flow:to_server,established; content:"/application/appver.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"MalwareDestructor"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*MalwareDestructor/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453116773; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-090713-4427-99; classtype:misc-activity; sid:13875; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware malware destructor 4.5 runtime detection - order request"; flow:to_server,established; content:"/order.php?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"currentDate="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.malwaredestructor.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2emalwaredestructor\x2ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453116773; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-090713-4427-99; classtype:misc-activity; sid:13874; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler fushion 1.2.4.17 outbound connection - underground traffic"; flow:to_server,established; content:"/account_logout"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"xikee.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*xikee\x2ecom/smiH"; metadata:service http; reference:url,www.siteadvisor.pl/sites/funshion.com/downloads/11570528/; classtype:misc-activity; sid:13873; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler fushion 1.2.4.17 outbound connection - notice"; flow:to_server,established; content:"/sobar/notice/notice_baiducb.txt?"; fast_pattern; nocase; http_uri; content:"tn=funshion"; nocase; http_uri; content:"ss="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*bar\x2dget/smiH"; metadata:service http; reference:url,www.siteadvisor.pl/sites/funshion.com/downloads/11570528/; classtype:misc-activity; sid:13872; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware coopen 5.0.0.87 runtime detection - ads"; flow:to_server,established; content:"/Adpic/"; fast_pattern; nocase; http_uri; content:".jpg"; nocase; http_uri; pcre:"/\x2fAdpic\x2f\d+\x2f\d+ad\x28\d+\x2c\d+\x2c\d+\x2c\d+\x29\x2ejpg/Ui"; metadata:service http; reference:url,www.spywareguide.com/spydet_3326_coopen.html; reference:url,www.spywaresignatures.com/details.php?spyware=coopen; classtype:misc-activity; sid:13871; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware coopen 5.0.0.87 runtime detection - init conn"; flow:to_server,established; content:"/87/param.aspx?"; fast_pattern; nocase; http_uri; content:"groupID="; nocase; http_uri; content:"spaceIDs="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"ver=5.0.0.87"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_3326_coopen.html; reference:url,www.spywaresignatures.com/details.php?spyware=coopen; classtype:misc-activity; sid:13870; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware antispywaremaster runtime detection - sale/register request"; flow:to_server,established; content:"/data/sale.php?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UASM"; nocase; http_uri; content:"nid=UASM"; nocase; http_uri; metadata:service http; reference:url,www.spywareremove.com/removeAntiSpywareMaster.html; reference:url,www.xp-vista.com/spyware-removal/antispywaremaster-antispyware-master-removal-instructions; classtype:misc-activity; sid:13869; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware antispywaremaster runtime detection - start fake scanning"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"gai="; nocase; http_uri; content:"gli="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UASM"; fast_pattern; nocase; http_uri; content:"err="; nocase; http_uri; metadata:service http; reference:url,www.spywareremove.com/removeAntiSpywareMaster.html; reference:url,www.xp-vista.com/spyware-removal/antispywaremaster-antispyware-master-removal-instructions; classtype:misc-activity; sid:13868; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker bitroll 5.0 outbound connection"; flow:to_server,established; content:"/banner.php?"; nocase; http_uri; content:"skin=Flexi.skf"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.411-spyware.com/remove-bitroll; reference:url,www.spywareremove.com/removeBitroll.html; classtype:misc-activity; sid:13852; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware roogoo 2.0 runtime detection - upgrade"; flow:to_server,established; content:"/upgrade/?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"fromid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"show.newRooGoo.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*show\x2enewRooGoo\x2ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_3018_roogoo.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966; classtype:misc-activity; sid:13851; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware roogoo 2.0 runtime detection - popup ads"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"VER="; nocase; http_uri; content:"AdID="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"SURL="; nocase; http_uri; content:"Host="; nocase; http_uri; content:"ConditionID="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"show.newroogoo.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*show\x2enewroogoo\x2ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_3018_roogoo.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966; classtype:misc-activity; sid:13850; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker rcse 4.4 outbound connection - hijack ie browser"; flow:to_server,established; content:"/10025rel/landing.php"; fast_pattern:only; content:"Rabio|3A|"; nocase; content:"RCSE"; distance:0; nocase; pcre:"/^Rabio\x3a[^\r\n]*RCSE/smi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rabio&threatid=169974; reference:url,www.spywareguide.com/spydet_3770_rabio.html; classtype:misc-activity; sid:13849; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler zwinky runtime detection"; flow:to_server,established; content:"/registration/logins.jhtml?"; fast_pattern; nocase; http_uri; content:"caller=desktop"; nocase; http_uri; content:"action=check"; nocase; http_uri; content:"username="; nocase; http_uri; content:"dt="; nocase; http_uri; metadata:service http; reference:url,www.castlecops.com/p970801-Zwinky_MyWebSearch_Installer.html; reference:url,www.emsisoft.net/fr/malware/?Adware.Win32.Zwinky_Test; classtype:misc-activity; sid:13848; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware phoenician casino runtime detection"; flow:to_server,established; content:"/viperML/phoenician/phoenician.cab"; nocase; http_uri; metadata:service http; reference:url,spywaredetector.net/spyware_encyclopedia/Adware.Phoenician%20.htm; reference:url,www.spywareguide.com/spydet_3441_phoenician_casino.html; classtype:misc-activity; sid:13847; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Trickler mm.exe outbound connection"; flow:to_client,established; file_data; content:"MZKERNEL32.DLL"; nocase; content:"LoadLibraryA"; distance:0; nocase; content:"GetProcAddress"; distance:0; nocase; pcre:"/^MZKERNEL32\x2eDLL\x00\x00LoadLibraryA\x00\x00\x00\x00GetProcAddress/smi"; metadata:service http; reference:url,www.auditmypc.com/process/mm.asp; reference:url,www.fbmsoftware.com/spyware-net/process/mm_exe/1960/; classtype:misc-activity; sid:13813; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware xp antivirus runtime detection"; flow:to_server,established; content:"/order_xp.php?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"liveresponsesite.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*liveresponsesite\x2Ecom/smiH"; metadata:service http; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453122012; reference:url,www.spywareguide.com/spydet_27817_xpantivirus.html; classtype:misc-activity; sid:13811; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 31890 (msg:"PUA-ADWARE Trickler Adware.Win32.Ejik runtime detection - udp payload"; content:"60198E081622F7BCC5489B"; depth:22; nocase; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453123013; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Ejik.bc&threatid=239207; reference:url,www.emsisoft.it/it/malware/?Adware.Win32.Ejik.er; classtype:misc-activity; sid:13810; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ie antivirus runtime detection - update request"; flow:to_server,established; content:"/updates.php?"; nocase; http_uri; content:"data1="; nocase; http_uri; content:"data2="; nocase; http_uri; content:"data3="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ieantivirus.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ieantivirus\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/securityadvisor/pest/pest.aspx?id=453132958; reference:url,www.411-spyware.com/remove-ie-antivirus-3-2; classtype:misc-activity; sid:13809; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ie antivirus runtime detection - presale request"; flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"la=order"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ieantivirus.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ieantivirus\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/securityadvisor/pest/pest.aspx?id=453132958; reference:url,www.411-spyware.com/remove-ie-antivirus-3-2; classtype:misc-activity; sid:13808; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler trojan ecodec outbound connection - initial server connection #2"; flow:to_server,established; content:"/spbrn/cinst.php?"; nocase; http_uri; content:"affid="; nocase; http_uri; content:"Host|3A|"; nocase; content:"safe-strip-download.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*safe-strip-download\x2ecom/smi"; metadata:service http; reference:url,spywarefiles.prevx.com/RRHHHJ44382562/MMCODEC%2EEXE.html; reference:url,virusinfo.prevx.com/viruscenter.asp?GRP=4812100013; classtype:misc-activity; sid:13775; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler trojan ecodec outbound connection - initial server connection #1"; flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"group="; nocase; http_uri; content:"Host|3A|"; nocase; content:"theonlybookmark.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*theonlybookmark\x2ecom/smi"; metadata:service http; reference:url,spywarefiles.prevx.com/RRHHHJ44382562/MMCODEC%2EEXE.html; reference:url,virusinfo.prevx.com/viruscenter.asp?GRP=4812100013; classtype:misc-activity; sid:13774; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winxdefender runtime detection - auto update"; flow:to_server,established; content:"/checkupdate.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"WinXDefender.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*WinXDefender\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinXDefender&threatid=155747; reference:url,www.411-spyware.com/remove-winxdefender; classtype:misc-activity; sid:13766; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winxdefender runtime detection - presale request"; flow:to_server,established; content:"/order.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"id="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.winxdefender.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Ewinxdefender\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinXDefender&threatid=155747; reference:url,www.411-spyware.com/remove-winxdefender; classtype:misc-activity; sid:13765; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-ADWARE Snoopware xpress remote outbound connection - init connection"; flow:to_client,established; content:"|01 00 01 00 03 00 01 00 14 00 01 01 01 00 DD DD DD DD 00 00 00 00|"; depth:22; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=XpressRemote&threatid=29388; classtype:successful-recon-limited; sid:13764; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware system defender runtime detection"; flow:to_server,established; content:"uid="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SystemDefender"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SystemDefender/smiH"; metadata:service http; reference:url,www.411-spyware.com/remove-systemdefender; reference:url,www.enigmasoftware.com/support/systemdefender-removal/; classtype:misc-activity; sid:13762; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashfiesta adbar runtime detection - updates traffic"; flow:to_server,established; content:"/partners/alex.php?"; fast_pattern; nocase; http_uri; content:"t="; nocase; http_uri; content:"dm="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.cashfiesta.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ecashfiesta\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CashFiesta%20AdBar&threatid=42051; classtype:misc-activity; sid:13653; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE Keylogger all in one Keylogger runtime detection"; flow:to_server,established; content:"All In One Keylogger report."; nocase; content:"PGh0bWw+PGhlYWQ+PHRpdGxlPkFsbCBJbiBPbmUgS2V5bG9nZ2VyIFJlcG9y"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.All+In+One+Keylogger; reference:url,www.noadware.net/research/index2.php?item_id=1201&item_name=all-in-one%20spy; classtype:successful-recon-limited; sid:13652; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spyware stop runtime detection - auto updates"; flow:to_server,established; content:"/update/info"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SpywareStop"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SpywareStop/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SpywareStop&threatid=205898; reference:url,www.prevx.com/filenames/1299278770072512825-0/SPYWARESTOP.MSI.html; classtype:misc-activity; sid:13650; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spyware stop runtime detection - presale request"; flow:to_server,established; content:"/register.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.spywarestop.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2espywarestop\x2ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SpywareStop&threatid=205898; reference:url,www.prevx.com/filenames/1299278770072512825-0/SPYWARESTOP.MSI.html; classtype:misc-activity; sid:13649; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker mysearch bar 2.0.2.28 runtime detection"; flow:to_server,established; content:"/jsp/"; nocase; http_uri; content:"?st=bar"; nocase; http_uri; content:"searchfor="; fast_pattern; nocase; http_uri; pcre:"/jsp\/(GG(main|img|dirs?)|A(jmain|wns|wimg|wvid|waud)|Lsmain)\x2Ejsp\?st=bar&searchfor=/Ui"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=My%20Search%20Bar&threatid=14832; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.My+Search+Bar; classtype:misc-activity; sid:13648; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware registry defender runtime detection - error report request"; flow:to_server,established; content:"/report_error.aspx?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"e="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"registrydefender.techwithyou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*registrydefender\x2Etechwithyou\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Registry%20Defender&threatid=91028; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Registry+Defender; classtype:misc-activity; sid:13647; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware registry defender runtime detection - presale request"; flow:to_server,established; content:"/shoppingcart.aspx?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"dlg="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.registrydefender.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eregistrydefender\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Registry%20Defender&threatid=91028; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Registry+Defender; classtype:misc-activity; sid:13646; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware virus heat runtime detection - presale request"; flow:to_server,established; content:"/buy_online.php?"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.virusheat.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2evirusheat\x2ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453124583; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=VirusHeat&threatid=203189; classtype:misc-activity; sid:13637; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler downloader trojan.gen outbound connection - download malicious link"; flow:to_server,established; content:"/download.php?"; nocase; http_uri; content:"track_id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dl1.virusheat.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dl1\x2Evirusheat\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453120536; reference:url,www.prevx.com/filenames/X1895686732762432147-0/LAF4.EXE.html; classtype:misc-activity; sid:13636; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler downloader trojan.gen outbound connection - get malicious link"; flow:to_server,established; content:"/get.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.allcollisions.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eallcollisions\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453120536; reference:url,www.prevx.com/filenames/X1895686732762432147-0/LAF4.EXE.html; classtype:misc-activity; sid:13635; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler iecodec outbound connection - message dialog"; flow:to_server,established; content:"/a/pic1.gif"; nocase; http_uri; content:"Host|3A| vscodecsupport.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122786; reference:url,www.prevx.com/filenames/X743654547251516036-0/IECODEC.DLL.html; classtype:misc-activity; sid:13566; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler iecodec outbound connection - initial traffic"; flow:to_server,established; content:"/hb.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"q="; nocase; http_uri; content:"id="; nocase; http_uri; content:"aff="; nocase; http_uri; content:"Host|3A| vscodecsupport.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122786; reference:url,www.prevx.com/filenames/X743654547251516036-0/IECODEC.DLL.html; classtype:misc-activity; sid:13565; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware system doctor runtime detection - update status"; flow:to_server,established; content:"/stats.php?"; nocase; http_uri; content:"site_id=systemdoctor"; fast_pattern; nocase; http_uri; content:"lp="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"ref="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"USDR"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n].*USDR\d+/smiH"; metadata:service http; reference:url,www.2-spyware.com/remove-systemdoctor.html; reference:url,www.spywareguide.com/spydet_3049_systemdoctor_2006.html; classtype:misc-activity; sid:13564; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware system doctor runtime detection - presale request"; flow:to_server,established; content:"/download/2006/order.php?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"Host|3A| systemdoctor.com"; nocase; metadata:service http; reference:url,www.2-spyware.com/remove-systemdoctor.html; reference:url,www.spywareguide.com/spydet_3049_systemdoctor_2006.html; classtype:misc-activity; sid:13563; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware malware alarm runtime detection - update request"; flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A| www.malware-alarm.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453113983; reference:url,www.sophos.com/security/analyses/malwarealarm.html; classtype:misc-activity; sid:13562; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware malware alarm runtime detection - presale request"; flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"emla="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A| www.malware-alarm.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453113983; reference:url,www.sophos.com/security/analyses/malwarealarm.html; classtype:misc-activity; sid:13561; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker kword interkey outbound connection - log user info"; flow:to_server,established; content:"/dwi_log/catch?"; fast_pattern; nocase; http_uri; content:"C="; nocase; http_uri; content:"V="; nocase; http_uri; content:"E="; nocase; http_uri; content:"R="; nocase; http_uri; content:"www.kword.co.kr"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kword.InterKey&threatid=46477; reference:url,www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey; classtype:misc-activity; sid:13558; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker kword interkey outbound connection - search traffic 2"; flow:to_server,established; content:"/search.asp?"; nocase; http_uri; content:"fcode="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"part="; nocase; http_uri; content:"Host|3A| search.kword.co.kr"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kword.InterKey&threatid=46477; reference:url,www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey; classtype:misc-activity; sid:13557; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker kword interkey outbound connection - search traffic 1"; flow:to_server,established; content:"/kwordenter.asp?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"ver=KW"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"vb"; nocase; http_header; content:"wininet"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*vb\s+wininet/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kword.InterKey&threatid=46477; reference:url,www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey; classtype:misc-activity; sid:13556; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware iedefender runtime detection - update"; flow:to_server,established; content:"/updates.php?"; nocase; http_uri; content:"data1="; nocase; http_uri; content:"data2="; nocase; http_uri; content:"Host|3A| iedefender.com"; fast_pattern:only; metadata:service http; reference:url,www.sophos.com/security/analyses/iedefender.html; reference:url,www.spywareguide.com/spydet_5318_ie_defender.html; classtype:misc-activity; sid:13505; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware iedefender runtime detection - presale request"; flow:to_server,established; content:"/ie/"; nocase; http_uri; content:"Host|3A| iedefender.com"; fast_pattern:only; metadata:service http; reference:url,www.sophos.com/security/analyses/iedefender.html; reference:url,www.spywareguide.com/spydet_5318_ie_defender.html; classtype:misc-activity; sid:13504; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware contravirus runtime detection - update"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"ContraVirusPro"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*ContraVirusPro/smiH"; metadata:service http; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.Contra%20Virus.htm; reference:url,www.spywareguide.com/spydet_3552_contravirus.html; classtype:misc-activity; sid:13502; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware contravirus runtime detection - presale request"; flow:to_server,established; content:"/buy2.php?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"currentDate="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"Host|3A| www.contraviruspro.com"; fast_pattern:only; metadata:service http; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.Contra%20Virus.htm; reference:url,www.spywareguide.com/spydet_3552_contravirus.html; classtype:misc-activity; sid:13501; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker hbtbar outbound connection - log information"; flow:to_server,established; content:"/log.htm?"; nocase; http_uri; content:"website_id="; fast_pattern; nocase; http_uri; content:"unique="; nocase; http_uri; content:"all_unique="; nocase; http_uri; content:"dpi="; nocase; http_uri; content:"location="; nocase; http_uri; content:"t2t21"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=HDTBar&threatid=15102; reference:url,www.spywareremove.com/removeHDTBar.html; classtype:misc-activity; sid:13500; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker hbtbar outbound connection - search traffic 2"; flow:to_server,established; content:"/baidu?"; nocase; http_uri; content:"tn=t2t21"; fast_pattern; nocase; http_uri; content:"word="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=HDTBar&threatid=15102; reference:url,www.spywareremove.com/removeHDTBar.html; classtype:misc-activity; sid:13499; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker hbtbar outbound connection - search traffic 1"; flow:to_server,established; content:"/jump.asp?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"t2t21"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"siteid="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=HDTBar&threatid=15102; reference:url,www.spywareremove.com/removeHDTBar.html; classtype:misc-activity; sid:13498; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spy shredder 2.1 runtime detection - update"; flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"Host|3A| www.spy-shredder.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453123853; classtype:misc-activity; sid:13491; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware spy shredder 2.1 runtime detection - presale request"; flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"emla="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A| www.spy-shredder.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453123853; classtype:misc-activity; sid:13490; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware elite protector runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"EliteProtector"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*EliteProtector/smiH"; metadata:service http; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453123830; classtype:misc-activity; sid:13487; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Snoopware remote desktop inspector runtime detection - init connection"; flow:to_client,established; flowbits:isset,RemoteDesktopInspector_detection; content:"DS"; depth:2; nocase; content:"|00 00 01 00 00 00 00 FE 01 00 00 F1 00 00 00 00|"; within:16; distance:2; nocase; reference:url,attack.mitre.org/techniques/T1076; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Desktop%20Inspector&threatid=41996; reference:url,www.emsisoft.com/es/malware/?Adware.Win32.Remote+Desktop+Inspector; classtype:successful-recon-limited; sid:13347; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Snoopware remote desktop inspector outbound connection - init connection"; flow:to_server,established; content:"DS|00 00 00 00 01 00 00 00 00 FE 01 00 00 F1 00 00 00 00|"; depth:20; nocase; flowbits:set,RemoteDesktopInspector_detection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1076; classtype:successful-recon-limited; sid:13346; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware yourprivacyguard runtime detection - update"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"proto="; nocase; http_uri; content:"rc="; nocase; http_uri; content:"v="; nocase; http_uri; content:"abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"os_version="; nocase; http_uri; content:"User-Agent|3A| Updater"; fast_pattern:only; metadata:service http; reference:url,removers.volyn.net/2007/11/02/yourprivacyguard-removal-tool-remove-yourprivacyguard-pop-ups/; reference:url,www.spywaredetector.net/spyware_encyclopedia/Adware.Yourprivacyguard.htm; classtype:misc-activity; sid:13345; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware yourprivacyguard runtime detection - presale request"; flow:to_server,established; content:"/privacy/presale.php?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"lp="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"air="; nocase; http_uri; content:"lir="; nocase; http_uri; content:"afr="; nocase; http_uri; content:"rem="; nocase; http_uri; metadata:service http; reference:url,removers.volyn.net/2007/11/02/yourprivacyguard-removal-tool-remove-yourprivacyguard-pop-ups/; reference:url,www.spywaredetector.net/spyware_encyclopedia/Adware.Yourprivacyguard.htm; classtype:misc-activity; sid:13344; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 2005-search loader runtime detection"; flow:to_server,established; content:"/go/go.php"; nocase; http_uri; content:"Host|3A| 2005-search.com"; fast_pattern:only; metadata:service http; reference:url,koffix.com/research/sites/2005-search.com.html; reference:url,www.malware.com.br/cgi/submit?action=list_comp; classtype:misc-activity; sid:13343; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker search4top outbound connection - popup ads"; flow:to_server,established; content:"/adjs.php?"; nocase; http_uri; content:"n="; nocase; http_uri; content:"what="; nocase; http_uri; content:"target="; nocase; http_uri; content:"exclude="; nocase; http_uri; content:"Referer|3A| www.search4top.com/english.asp?q="; fast_pattern:only; metadata:service http; reference:url,www.spyware-research-center.com/threatdisplay.aspx?name=Search4Top&threatid=100124; reference:url,www.spywareguide.com/spydet_3578_search4top.html; classtype:misc-activity; sid:13341; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker search4top outbound connection - hijack ie searches and error pages"; flow:to_server,established; content:"/0409/as.asp?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.search4top.com"; fast_pattern:only; metadata:service http; reference:url,www.spyware-research-center.com/threatdisplay.aspx?name=Search4Top&threatid=100124; reference:url,www.spywareguide.com/spydet_3578_search4top.html; classtype:misc-activity; sid:13340; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 3wplayer 1.7 runtime detection"; flow:to_server,established; content:"/stats/stats.php"; fast_pattern; nocase; http_uri; content:"AppName=3wPlayer"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"WakeSpace"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*WakeSpace/smiH"; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453120279; reference:url,www.spywareremove.com/remove3wPlayer.html; classtype:misc-activity; sid:13286; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker phazebar outbound connection"; flow:to_server,established; content:"/__utm.gif?"; nocase; http_uri; content:"utmwv="; nocase; http_uri; content:"utmn="; nocase; http_uri; content:"utmhn=www.crawl.ws"; fast_pattern; nocase; http_uri; content:"utmr="; nocase; http_uri; content:"utmp="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_2531_phazebar.html; reference:url,www.spywareremove.com/removePhaZeBar.html; reference:url,www.uninstall-spyware.com/uninstallPhaZeBar.html; classtype:misc-activity; sid:13285; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware netguarder web cleaner runtime detection"; flow:to_server,established; content:"/update/webcleaner/en/updatelist.ini"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"NetGuarder WebCleaner"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*NetGuarder\s+WebCleaner/smiH"; metadata:service http; reference:url,www.ca.com/ca/fr/securityadvisor/pest/pest.aspx?id=453075057; reference:url,www.spywareguide.com/spydet_1824_netguarder_web_cleaner.html; classtype:misc-activity; sid:13284; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dreambar outbound connection"; flow:to_server,established; content:"/setting/geturl_kword.html"; fast_pattern; nocase; http_uri; content:"uCode="; nocase; http_uri; content:"Host|3A| oper.dreambar.co.kr"; nocase; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Dreambar&threatid=97491; classtype:misc-activity; sid:13283; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware netword agent runtime detection"; flow:to_server,established; content:"/q/qry.phtml?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"cx="; nocase; http_uri; content:"cxv="; nocase; http_uri; content:"qs="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_2332_Netword_agent.html; reference:url,www.symantec.com/fr/fr/security_response/writeup.jsp?docid=2006-042614-1031-99; classtype:misc-activity; sid:13277; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware netpumper 1.26 runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"NetPumper"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*NetPumper/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453099585; reference:url,www.spywareguide.com/spydet_975_netpumper_1_2.html; classtype:misc-activity; sid:13242; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware live protection 2.1 runtime detection - application updates"; flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A| www.LiveProtection.net"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122098; reference:url,liveprotection.net; classtype:misc-activity; sid:13241; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware live protection 2.1 runtime detection - redirects to purchase page"; flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"emla="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A| www.liveprotection.net"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122098; reference:url,liveprotection.net; classtype:misc-activity; sid:13240; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware adult p2p 1.5 runtime detection"; flow:to_server,established; content:"/cgi-bin/nodes.cgi"; fast_pattern; nocase; http_uri; content:"app=Porn2Peer"; nocase; http_uri; content:"version="; nocase; http_uri; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122013; classtype:misc-activity; sid:13238; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware x-con spyware destroyer eh 3.2.8 runtime detection"; flow:to_server,established; content:"/xcon/XP/update.enc?="; nocase; http_uri; content:"Host|3A| x-conspywaredestroyer.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_2599_x_con_spyware_destroyer.html; reference:url,x-conspywaredestroyer.com; classtype:misc-activity; sid:12797; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gralicwrap outbound connection - display frauddb information"; flow:to_server,established; content:"/DisplayFraudDBInformation.php?id="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=GralicWrap&threatid=40183; reference:url,www.spywareguide.com/spydet_2594_gralicwrap.html; classtype:misc-activity; sid:12795; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gralicwrap outbound connection - search frauddb process"; flow:to_server,established; content:"/SearchFraudDBProcess.php?vbfraudURL="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=GralicWrap&threatid=40183; reference:url,www.spywareguide.com/spydet_2594_gralicwrap.html; classtype:misc-activity; sid:12794; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware sunshine spy 1.0 runtime detection - check update"; flow:to_server,established; content:"/gate/chkupdate.php"; nocase; http_uri; content:"Host|3A| www.sunshinespy.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Sunshine%20Spy&threatid=171191; classtype:misc-activity; sid:12789; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker sexyvideoscreensaver outbound connection"; flow:to_server,established; content:"/?adv=usernames&p=1"; fast_pattern; nocase; http_uri; content:"Host|3A| icoonet.com"; nocase; metadata:service http; reference:url,www.siteadvisor.com/sites/brothersoft.com/downloads/8226422/; reference:url,www.spywareguide.com/spydet_2535_sexyvideoscreensaver.html; classtype:misc-activity; sid:12722; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware pestbot runtime detection - purchase"; flow:to_server,established; content:"/purchase/"; nocase; http_uri; content:"Host|3A| pestbot.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_3581_pestbot.html; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; classtype:misc-activity; sid:12721; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware pestbot runtime detection - update"; flow:to_server,established; content:"/SpyBase/version.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AlertSpy"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AlertSpy/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_3581_pestbot.html; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; classtype:misc-activity; sid:12720; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker side find 1.0 outbound connection - hijacks search engine"; flow:to_server,established; content:"/bin/findwhat.dll?"; nocase; http_uri; content:"Host|3A| admedia.xmlsearch.findwhat.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453088285; classtype:misc-activity; sid:12719; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker side find 1.0 outbound connection - initial connection"; flow:to_server,established; content:"/results.php?target="; nocase; http_uri; content:"Host|3A| www.sidefind.com"; fast_pattern:only; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453088285; classtype:misc-activity; sid:12718; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware coopen 3.6.1 runtime detection - automatic upgrade"; flow:to_server,established; content:"/ForceUpgrade.aspx"; fast_pattern; nocase; http_uri; content:"mac="; nocase; http_uri; content:"hdid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_3326_coopen.html; classtype:misc-activity; sid:12696; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware coopen 3.6.1 runtime detection - initial connection"; flow:to_server,established; content:"/61/param.aspx"; fast_pattern; nocase; http_uri; content:"groupID="; nocase; http_uri; content:"spaceIDs="; nocase; http_uri; content:"mac="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_3326_coopen.html; classtype:misc-activity; sid:12695; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware avsystemcare runtime detection"; flow:to_server,established; content:"/?proto"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Updater"; nocase; http_header; content:"Host|3A| free.version.bestsellerantivirus.com"; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]*Updater/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_3529_avsystemcare.html; classtype:misc-activity; sid:12694; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker personalweb outbound connection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"PWeb"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:".personalweb.com"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*PWeb/smiH"; pcre:"/^Host\x3a[^\r\n]*\x2epersonalweb\x2ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_3785_personal_web.html; classtype:misc-activity; sid:12693; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SpyTech Realtime Spy Detection"; flow:to_server,established; content:"/realtime-spy/"; nocase; http_uri; content:"Host|3A| www.spytech-web.com"; nocase; http_header; metadata:service http; reference:url,www.spytech-web.com; classtype:misc-activity; sid:12678; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ISTBar runtime detection - softwares"; flow:to_server,established; content:"/ist/softwares/"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=572; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516; classtype:misc-activity; sid:12677; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Conspy Update Checking Detected"; flow:to_server,established; content:"quicken_update.php"; fast_pattern; nocase; http_uri; content:"Host|3A| conspy.com"; nocase; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-021210-1340-99&tabid=2se; classtype:misc-activity; sid:12676; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler zlob media codec outbound connection - download redirect domains"; flow:to_server,established; content:"/redirect-settings.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"said="; nocase; http_uri; content:"Host|3A| nameservicedirect.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453118001; classtype:misc-activity; sid:12660; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler zlob media codec outbound connection - automatic updates"; flow:to_server,established; content:"/get-update.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"said="; nocase; http_uri; content:"Host|3A| www.thenmnetwork.com"; fast_pattern:only; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453118001; classtype:misc-activity; sid:12659; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware winantivirus pro 2007 runtime detection"; flow:to_server,established; content:"/?proto"; nocase; http_uri; content:"User-Agent|3A| Updater"; nocase; http_header; content:"Host|3A| trial.updates.winsoftware.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareremove.com/security/winantiviruspro2007-removal-instructions; classtype:misc-activity; sid:12658; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware icoo loader 2.5 runtime detection 2"; flow:to_server,established; content:"/upd.html"; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"Host|3A| www.icooloader.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareremove.com/removeICOOLoader.html; classtype:misc-activity; sid:12657; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware icoo loader 2.5 runtime detection 1"; flow:to_server,established; content:"/net.php"; http_uri; content:"login="; nocase; http_uri; content:"vk="; nocase; http_uri; content:"Host|3A| cserv.icoosoft.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareremove.com/removeICOOLoader.html; classtype:misc-activity; sid:12656; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker rabio 4.2 outbound connection - download updates"; flow:to_server,established; content:"/search-enhancer/updates/se.info"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_3770_rabio.html; classtype:misc-activity; sid:12655; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker rabio 4.2 outbound connection - hijack browser"; flow:to_server,established; content:"/10023rel/landing.php"; fast_pattern; nocase; http_uri; content:"Rabio|3A|"; nocase; content:"search-enhancer"; distance:0; nocase; pcre:"/^Rabio\x3a[^\r\n]*search\x2Denhancer/smi"; metadata:service http; reference:url,www.spywareguide.com/spydet_3770_rabio.html; classtype:misc-activity; sid:12654; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker new.net domain 7.2.2 outbound connection - download code"; flow:to_server,established; content:"/d/sr/"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Host|3A| rc12.overture.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_417_new_net.html; classtype:misc-activity; sid:12653; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker new.net domain 7.2.2 outbound connection - hijack browser"; flow:to_server,established; content:"/search.cgi"; nocase; http_uri; content:"Host|3A| www.quickbrowsersearch.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_417_new_net.html; classtype:misc-activity; sid:12652; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker onestepsearch 1.0.118 outbound connection - upgrade"; flow:to_server,established; content:"/?vn"; nocase; http_uri; content:"partner=onestep"; nocase; http_uri; content:"ptag="; nocase; http_uri; content:"initial_install="; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=3762; classtype:misc-activity; sid:12624; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker onestepsearch 1.0.118 outbound connection"; flow:to_server,established; content:"/b.cgi?"; nocase; http_uri; content:"bk="; nocase; http_uri; content:"Host|3A| www.onestepsearch.net"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=3762; classtype:misc-activity; sid:12623; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware drive cleaner 1.0.111 runtime detection"; flow:to_server,established; content:"/site_drivecleaner/ad_keyin/link_keyin/aff_keyin"; fast_pattern; nocase; http_uri; content:"Host|3A| stats.drivecleaner.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=3150; classtype:misc-activity; sid:12620; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware instant buzz runtime detection - random text ads"; flow:to_server,established; content:"/click.php?"; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| www2.instantbuzz.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=InstantBuzz&threatid=30791; reference:url,www.spywareguide.com/spydet_3102_instant_buzz.html; reference:url,www.spywareremove.com/removeInstantBuzz.html; classtype:misc-activity; sid:12485; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware instant buzz runtime detection - ads for members"; flow:to_server,established; content:"/members.php?"; fast_pattern; nocase; http_uri; content:"username="; nocase; http_uri; content:"auth="; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page=(messages|community)/Ui"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=InstantBuzz&threatid=30791; reference:url,www.spywareguide.com/spydet_3102_instant_buzz.html; reference:url,www.spywareremove.com/removeInstantBuzz.html; classtype:misc-activity; sid:12484; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies virusprotectpro 3.7 outbound connection"; flow:to_server,established; content:"/buy_online.php?"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"Host|3A| www.virusprotectpro.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_3699_virusprotectpro.html; reference:url,www.xp-vista.com/spyware-removal/virusprotectpro-removal-instructions; classtype:misc-activity; sid:12483; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker imesh mediabar outbound connection - collect user information"; flow:to_server,established; content:"__utm.gif?"; nocase; http_uri; content:"utmwv="; nocase; http_uri; content:"utmn="; nocase; http_uri; content:"utmcs="; nocase; http_uri; content:"utmsr="; nocase; http_uri; content:"utmhn=search.imesh.com"; fast_pattern; nocase; http_uri; content:"utmp="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=imesh&threatid=6994; reference:url,www.spywaredata.com/spyware/malware/mediabar.dll.php; classtype:misc-activity; sid:12369; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker imesh mediabar outbound connection - hijack ie side search"; flow:to_server,established; content:"/sidebar.html?"; fast_pattern; nocase; http_uri; content:"src=ssb"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=imesh&threatid=6994; reference:url,www.spywaredata.com/spyware/malware/mediabar.dll.php; classtype:misc-activity; sid:12368; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker imesh mediabar outbound connection - hijack ie searches"; flow:to_server,established; content:"/webResults.html?"; nocase; http_uri; content:"src="; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| search.imesh.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=imesh&threatid=6994; reference:url,www.spywaredata.com/spyware/malware/mediabar.dll.php; classtype:misc-activity; sid:12367; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker proventactics 3.5 outbound connection - redirect searches"; flow:to_server,established; content:"/search/index.php?"; nocase; http_uri; content:"query_string="; nocase; http_uri; content:"Host|3A| www.proventactics.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=ProvenTactics&threatid=10038; reference:url,www.spywareguide.com/spydet_1826_proventactics.html; classtype:misc-activity; sid:12365; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies malware-stopper outbound connection"; flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A| www.malware-stopper.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Malware-Stopper&threatid=136931; reference:url,www.spywareguide.com/spydet_3513_malware_stopper.html; classtype:misc-activity; sid:12363; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Infostealer.Monstres outbound connection"; flow:to_server,established; content:"grabv2.php"; nocase; http_uri; metadata:service http; reference:url,www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-081617-4608-99; classtype:misc-activity; sid:12361; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 3search outbound connection - hijacking"; flow:to_server,established; content:"/search.php?q="; nocase; http_uri; content:"Host|3A| downloadfile.org"; fast_pattern:only; metadata:service http; reference:url,www.downloadfile.org; reference:url,www.softwarerevenue.org; classtype:misc-activity; sid:12295; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker newdotnet quick! search outbound connection"; flow:to_server,established; content:"/apps/eps/eps.cgi?"; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; content:"dp_lp="; nocase; http_uri; content:"dp_p4pid="; nocase; http_uri; content:"dp_format="; nocase; http_uri; content:"s="; nocase; http_uri; content:"nnreq="; nocase; http_uri; content:"prt="; nocase; http_uri; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-102018-0405-99; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:misc-activity; sid:12290; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware errorsafe runtime detection"; flow:to_server,established; content:"/pages/scanner/order.php"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"nid="; nocase; http_uri; content:"err="; nocase; http_uri; metadata:service http; reference:url,www.spywareremove.com/removeErrorSafe.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-012017-0346-99; classtype:misc-activity; sid:12232; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware vroomsearch runtime detection"; flow:to_server,established; content:"/cgi-bin/v30/pop.fcgi"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"gpstool.globaladserver.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*gpstool\x2eglobaladserver\x2ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_1274_vroomsearch.html; classtype:misc-activity; sid:12231; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware vroomsearch runtime detection"; flow:to_server,established; content:"/cgi-bin/v30/pop.fcgi"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"Host|3A| gpstool.globaladserver.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_1274_vroomsearch.html; classtype:misc-activity; sid:12229; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware enbrowser snackman runtime detection"; flow:to_server,established; content:"/mbop/index.php3?"; nocase; content:"UID="; distance:0; nocase; content:"DIST="; distance:0; nocase; content:"VER="; distance:0; nocase; content:"Host|3A| www.digink.com"; fast_pattern:only; metadata:service http; reference:url,www.popupsentry.com/S/SNACKMAN.EXE-4411.html; reference:url,www.spywareguide.com/spydet_2334_enbrowser.html; classtype:misc-activity; sid:12224; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cnnic update outbound connection"; flow:to_server,established; content:"/cn.dll?"; fast_pattern; nocase; http_uri; content:"pid="; nocase; http_uri; content:"met="; nocase; http_uri; content:"charset="; nocase; http_uri; content:"name="; nocase; http_uri; metadata:service http; reference:url,www.econsultant.com/spyware-database/c/cnnic-update.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097703; classtype:misc-activity; sid:12140; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Adware zamingo runtime detection"; flow:to_client,established; content:"Set-Cookie|3A|"; nocase; http_header; content:"LastURL=http|3A|//www.680180.net|3A|80/ads/"; nocase; http_header; pcre:"/^Set-Cookie\x3a[^\r\n]*LastURL\x3dhttp\x3a\x2f\x2fwww\x2e680180\x2enet\x3a80\x2fads\x2f/smiH"; metadata:service http; reference:url,www.spywareguide.com/spydet_795_zamingo.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088136; classtype:misc-activity; sid:12138; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker lookquick outbound connection - monitor and collect user info"; flow:to_server,established; content:"/r.look?plq="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1810; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079050; classtype:misc-activity; sid:12124; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker lookquick outbound connection - hijack ie"; flow:to_server,established; content:"/search.php?keywords="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.lookquick.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Elookquick\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1810; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079050; classtype:misc-activity; sid:12123; rev:9;)
# alert udp $HOME_NET 6600 -> $EXTERNAL_NET 30000 (msg:"PUA-ADWARE Adware pprich runtime detection - udp info sent out"; flow:to_server; content:"adf`%|24|%^pk*|94|"; depth:12; offset:8; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453100047; classtype:misc-activity; sid:12121; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware pprich runtime detection - version check"; flow:to_server,established; content:"/NewVerInfo.txt"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"down.pprich.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*down\x2Epprich\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453100047; classtype:misc-activity; sid:12120; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware yayad runtime detection"; flow:to_server,established; content:"/ad.asmx"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"yayad.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*yayad\x2Ecom/smiH"; metadata:service http; reference:url,www.360safe.com/elist.html; classtype:misc-activity; sid:12047; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler iowa webdownloader - icq notification"; flow:to_server,established; content:"/wwp/msg/1,,,00.html"; fast_pattern; nocase; http_uri; content:"Uin="; nocase; http_uri; content:"Name="; nocase; http_uri; content:"iowA"; nocase; http_uri; content:"WebDloader"; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59689; classtype:misc-activity; sid:11310; rev:10;)
# alert udp $HOME_NET 8765 -> 255.255.255.255 8765 (msg:"PUA-ADWARE Snoopware childwebguardian outbound connection - udp broadcast"; flow:to_server; content:"ChildWebGuardian|3A|"; depth:17; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453099134; classtype:successful-recon-limited; sid:11306; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE Snoopware childwebguardian outbound connection - send log through smtp"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Report"; distance:0; nocase; content:"from"; distance:0; nocase; content:"ChildWebGuardian"; distance:0; nocase; content:"filename=|22|report.html|22|"; fast_pattern:only; pcre:"/^Subject\x3a[^\r\n]*Report[^\r\n]*from[^\r\n]*ChildWebGuardian/smi"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453099134; classtype:successful-recon-limited; sid:11305; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware mokead runtime detection"; flow:to_server,established; content:"/starts.asp"; nocase; http_uri; content:"ids="; nocase; http_uri; content:"webid="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ad.mokead.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ad\x2Emokead\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453101519; classtype:misc-activity; sid:10439; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker bazookabar outbound connection"; flow:to_server,established; content:"/updates/checkversion.php"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.myarmory.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Emyarmory\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073886; classtype:misc-activity; sid:10437; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware newweb runtime detection"; flow:to_server,established; content:"/cliententry/"; fast_pattern; nocase; http_uri; content:"X-TITLE|3A|"; nocase; http_header; content:"X-KEYWORD|3A|"; nocase; http_header; content:"X-ADLIST|3A|"; nocase; http_header; content:"X-COMMAND|3A|"; nocase; http_header; content:"X-CLIENTID|3A|"; nocase; http_header; content:"X-TARGETURL|3A|"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097957; classtype:misc-activity; sid:10182; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware adclicker-ej runtime detection"; flow:to_server,established; content:"/SetIE/SetIE.txt"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_139523.htm; classtype:misc-activity; sid:10164; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware borlan runtime detection"; flow:to_server,established; content:"/send"; nocase; http_uri; content:"type="; nocase; http_uri; content:"pop_rule_id="; nocase; http_uri; content:"n="; nocase; http_uri; content:"Host|3A| www.borlander.com.cn"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097501; classtype:misc-activity; sid:10094; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler zango easymessenger outbound connection"; flow:to_server,established; content:"/connect.php"; nocase; http_uri; content:"N="; nocase; http_uri; content:"Zango"; nocase; http_uri; content:"Messenger"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.easymessage.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eeasymessage\x2Enet/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2182; classtype:misc-activity; sid:10090; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware u88 runtime detection"; flow:to_server,established; content:"friendlink="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.u88.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eu88\x2Ecn/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Adware.U88&threatid=46383; classtype:misc-activity; sid:9831; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker oemji bar outbound connection"; flow:to_server,established; content:"/bar/"; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"app="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.oemji.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eoemji\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187; classtype:misc-activity; sid:9652; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ricercadoppia outbound connection"; flow:to_server,established; content:"/banner/banner.asp"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.ricercadoppia.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Ericercadoppia\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098730; classtype:misc-activity; sid:9651; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker sogou outbound connection - keyword hijack"; flow:to_server,established; content:"/express/sq.jsp"; fast_pattern; nocase; http_uri; content:"query="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sogou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Esogou\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098380; classtype:misc-activity; sid:9645; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware imnames runtime detection"; flow:to_server,established; content:"/bho/ibho.php"; fast_pattern; nocase; http_uri; content:"add="; nocase; http_uri; content:"hdid="; nocase; http_uri; content:"os="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"modid="; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453100875; classtype:misc-activity; sid:9644; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware roogoo runtime detection - show ads"; flow:to_server,established; content:"/show/"; nocase; http_uri; content:"VER="; nocase; http_uri; content:"AdID="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"SURL="; nocase; http_uri; content:"Host="; nocase; http_uri; content:"ConditionID="; nocase; http_uri; content:"HostJ"; nocase; content:"show.roogoo.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*show\x2Eroogoo\x2Ecom/smi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=3018; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966; classtype:misc-activity; sid:8546; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware roogoo runtime detection - surfing monitor"; flow:to_server,established; content:"|7C|roogoo|7C|"; fast_pattern:only; pcre:"/^\x23\d+\x7c([0-9A-E]{2}\x2d){5}[0-9A-E]{2}\x7croogoo\x7c/smi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=3018; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966; classtype:misc-activity; sid:8545; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker accoona outbound connection - open sidebar search url"; flow:to_server,established; content:"/search_assistant/accoona_search_assistant.jsp"; http_uri; content:"utm_id="; nocase; http_uri; content:"utm_content="; nocase; http_uri; content:"utm_source="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.accoona.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eaccoona\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096478; classtype:misc-activity; sid:8469; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker accoona outbound connection - collect info"; flow:to_server,established; content:"/soap"; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.accoona.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eaccoona\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096478; classtype:misc-activity; sid:8468; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware henbang runtime detection"; flow:to_server,established; content:"/hap/adserver.aspx"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"distributorid="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AD"; nocase; http_header; content:"Request"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"wwws.henbang.net"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AD[^\r\n]*Request/smiH"; pcre:"/^Host\x3a[^\r\n]*wwws\x2Ehenbang\x2Enet/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094312; classtype:misc-activity; sid:8464; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - search info collect"; flow:to_server,established; content:"/stat.htm"; nocase; http_uri; content:"id="; nocase; http_uri; content:"repeatip="; nocase; http_uri; content:"Host|3A| count.yok.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8360; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - target website display"; flow:to_server,established; content:"/related_bottom_v2.php"; fast_pattern; nocase; http_uri; content:"key="; nocase; http_uri; content:"No="; http_uri; content:"Host|3A|"; nocase; content:"related.yok.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*related\x2Eyok\x2Ecom/smi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8359; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker yok supersearch outbound connection - addressbar keyword search hijack"; flow:to_server,established; content:"/go3.php"; nocase; http_uri; content:"key="; nocase; http_uri; content:"NO="; nocase; http_uri; content:"PID="; nocase; http_uri; content:"UN="; nocase; http_uri; content:"Host|3A|"; nocase; content:"www.yok.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Eyok\x2Ecom/smi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8358; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware desktopmedia runtime detection - surf monitoring"; flow:to_server,established; content:"/script/judge/judge.html"; fast_pattern; nocase; http_uri; content:"mid="; nocase; http_uri; content:"type="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cojud.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*cojud\x2Edmcast\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8354; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware desktopmedia runtime detection - auto update"; flow:to_server,established; content:"/script/update.asp"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"ownerversion="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dcww.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dcww\x2Edmcast\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8353; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware desktopmedia runtime detection - ads popup"; flow:to_server,established; content:"/rep/pop/pop_"; nocase; http_uri; content:"ad_soft_type="; nocase; http_uri; content:"ad_mid="; nocase; http_uri; content:"ad_type="; nocase; http_uri; content:"dm_source="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"corep.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*corep\x2Edmcast\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8352; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker findthewebsiteyouneed outbound connection - surf monitor"; flow:to_server,established; content:"/1.asp"; nocase; http_uri; content:"r_t="; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.internetadvertisingcompany.biz"; nocase; http_header; content:"keyword="; nocase; content:"url="; distance:0; nocase; content:"www%2efindthewebsiteyouneed%2ecom"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Einternetadvertisingcompany\x2Ebiz/smiH"; pcre:"/keyword\x3d[^\r\n]*url\x3d[^\r\n]*www\x252efindthewebsiteyouneed\x252ecom/smi"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098705; classtype:misc-activity; sid:8072; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker findthewebsiteyouneed outbound connection - search hijack"; flow:to_server,established; content:"/search.asp"; nocase; http_uri; content:"group=autosearch"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"searches.worldtostart.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*searches\x2Eworldtostart\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098705; classtype:misc-activity; sid:8071; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware web-nexus runtime detection - ad url 2"; flow:to_server,established; content:"/exclurls.php"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"cid="; nocase; http_uri; content:"eus="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dl.web-nexus.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dl\x2Eweb-nexus\x2Enet/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=381; classtype:misc-activity; sid:7855; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware web-nexus runtime detection - config retrieval"; flow:to_server,established; content:"/cconfig.php"; nocase; http_uri; content:"Qool-Uptime|3A|"; nocase; http_header; content:"Win-Version|3A|"; nocase; http_header; content:"QoolIE-Version|3A|"; nocase; content:"Host|3A|"; nocase; http_header; content:"dl.web-nexus.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dl\x2Eweb-nexus\x2Enet/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=381; classtype:misc-activity; sid:7854; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware web-nexus runtime detection - ad url 1"; flow:to_server,established; content:"/cp.php"; nocase; http_uri; content:"QoolShown-Popups|3A|"; nocase; content:"QoolShown-Popups-nt|3A|"; fast_pattern:only; content:"Host|3A|"; nocase; http_header; content:"stech.web-nexus.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*stech\x2Eweb-nexus\x2Enet/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=381; classtype:misc-activity; sid:7853; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler maxsearch outbound connection - advertisement"; flow:to_server,established; content:"/pan/adlogbundle.php"; fast_pattern; nocase; http_uri; content:"bannerid="; nocase; http_uri; content:"zoneid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.adoptim.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eadoptim\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7852; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler maxsearch outbound connection - ack"; flow:to_server,established; content:"/director/ack.php"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"actionname="; nocase; http_uri; content:"action="; nocase; http_uri; content:"success="; nocase; http_uri; content:"debug="; nocase; http_uri; content:"nocache="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.maxifiles.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Emaxifiles\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7851; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler maxsearch outbound connection - retrieve command"; flow:to_server,established; content:"/director/wtd.php"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"nocache="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.maxifiles.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Emaxifiles\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7850; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker avenuemedia.dyfuca outbound connection - post data"; flow:to_server,established; content:"/conf/xml/"; nocase; http_uri; content:"ver="; nocase; content:"rid="; nocase; content:"cls="; nocase; content:"ser="; nocase; content:"signint="; nocase; content:"installt="; nocase; content:"rmods="; nocase; content:"mods="; nocase; content:"iea="; nocase; content:"speed="; nocase; content:"Host|3A|"; nocase; http_header; content:"www.internet-optimizer.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Einternet-optimizer\x2Ecom/smiH"; metadata:service http; reference:url,www.itsecurity.com/security.htm?s=9473&sid=875854b6006d07f08dae34f1b78a4600; classtype:misc-activity; sid:7844; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker avenuemedia.dyfuca outbound connection - search engine hijack"; flow:to_server,established; content:"/searchresult/"; fast_pattern; nocase; http_uri; content:"lt="; nocase; http_uri; content:"q="; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.yoogee.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eyoogee\x2Ecom/smiH"; metadata:service http; reference:url,www.itsecurity.com/security.htm?s=9473&sid=875854b6006d07f08dae34f1b78a4600; classtype:misc-activity; sid:7843; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker instafinder error redirect detection"; flow:to_server,established; content:"/error2.asp"; http_uri; content:"err="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; pcre:"/^Host\x3A\s+www\x2Einstafinder\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1130; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090786; classtype:misc-activity; sid:7841; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware smiley central runtime detection"; flow:to_server,established; content:"/iframe.html"; nocase; http_uri; content:"bisFWB="; nocase; http_uri; content:"sPartnerID="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"rand="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.smileycentral.com"; nocase; http_header; pcre:"/^Host\x3A\s+www\x2Esmileycentral\x2Ecom/smiH"; metadata:service http; reference:url,www.mac-net.com/893488.page; reference:url,www.spywareguide.com/product_show.php?id=2181; classtype:misc-activity; sid:7838; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker navexcel helper outbound connection - search"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"ts="; nocase; http_uri; content:"Host|3A| www.trustedsearch.com"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=607; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928; classtype:misc-activity; sid:7833; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware downloadplus runtime detection"; flow:to_server,established; content:"guid="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"update="; nocase; http_uri; content:"brand="; nocase; http_uri; content:"User-Agent|3A| Message Center"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=532; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076008; classtype:misc-activity; sid:7831; rev:9;)
# alert tcp $HOME_NET 1174 -> $EXTERNAL_NET any (msg:"PUA-ADWARE Botnet dacryptic outbound connection"; flow:to_client,established; content:"lasd|0A|"; depth:5; nocase; reference:url,www.spywareguide.com/product_show.php?id=1392; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=26162; classtype:trojan-activity; sid:7830; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware gator user-agent detected"; flow:to_server,established; content:"User-Agent|3A| Gator"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=10; reference:url,www.spywareguide.com/product_show.php?id=1201; reference:url,www.spywareguide.com/product_show.php?id=2179; reference:url,www.spywareguide.com/product_show.php?id=741; reference:url,www.spywareguide.com/product_show.php?id=774; reference:url,www.spywareguide.com/product_show.php?id=898; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094081; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094082; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094083; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094087; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094088; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094092; classtype:misc-activity; sid:7829; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware whenu runtime detection - search request 2"; flow:to_server,established; content:"/searchb?"; nocase; http_uri; content:"datatype="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"partner="; nocase; http_uri; content:"app=desktop"; fast_pattern; nocase; http_uri; content:"ui="; nocase; http_uri; content:"srchtrig="; nocase; http_uri; content:"pat="; nocase; http_uri; content:"cc="; nocase; http_uri; content:"rgn="; nocase; http_uri; content:"type="; nocase; http_uri; content:"sid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www.spywareguide.com/product_show.php?id=2485; classtype:misc-activity; sid:7828; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware whenu runtime detection - search request 1"; flow:to_server,established; content:"/SearchBar?"; fast_pattern; nocase; http_uri; content:"templ="; nocase; http_uri; content:"num="; nocase; http_uri; content:"app=desktop"; nocase; http_uri; content:"uiv="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"ctr="; nocase; http_uri; content:"cc="; nocase; http_uri; content:"rgn="; nocase; http_uri; content:"sgp="; nocase; http_uri; content:"stp="; nocase; http_uri; content:"cnt="; nocase; http_uri; content:"sid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www.spywareguide.com/product_show.php?id=2230; reference:url,www.spywareguide.com/product_show.php?id=2485; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079971; classtype:misc-activity; sid:7827; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler whenu.weathercast outbound connection - check"; flow:to_server,established; content:"/WthrPrefs"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"whenu.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*whenu\x2Ecom/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threat_display.cfm?name=WhenU.WeatherCast&threatid=14106; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074634; classtype:misc-activity; sid:7826; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware whenu.savenow runtime detection"; flow:to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"program=savenow"; fast_pattern; nocase; http_uri; content:"partner="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075520; classtype:misc-activity; sid:7825; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler whenu.clocksync outbound connection"; flow:to_server,established; content:"/ClockDB"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"whenu.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*whenu\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=871; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076030; classtype:misc-activity; sid:7824; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware whenu runtime detection - datachunksgz"; flow:to_server,established; content:"/DataChunksGZ"; fast_pattern; nocase; http_uri; content:"update="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www.spywareguide.com/product_show.php?id=2485; reference:url,www.spywareguide.com/product_show.php?id=871; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075520; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076030; classtype:misc-activity; sid:7823; rev:10;)
# alert tcp $HOME_NET 7000 -> $EXTERNAL_NET any (msg:"PUA-ADWARE Snoopware big brother v3.5.1 outbound connection - connect to receiver"; flow:to_client,established; flowbits:isset,snoopware.big.brother.3.5.1.conn.cts; content:"HBand"; depth:6; nocase; content:"ZBM"; distance:0; nocase; pcre:"/^HBand,[^\r\n]*,[^\r\n]*,\d+,\d+\x2A\xD5ZBM/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45916; classtype:successful-recon-limited; sid:7603; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7000 (msg:"PUA-ADWARE Snoopware big brother v3.5.1 outbound connection - connect to receiver - flowbit set"; flow:to_server,established; content:"HBand"; depth:6; nocase; content:"~EOL!"; distance:0; nocase; pcre:"/^HBand\d+,\d+,\d+,\d+,\d+,\d+~EOL!/smi"; flowbits:set,snoopware.big.brother.3.5.1.conn.cts; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45916; classtype:successful-recon-limited; sid:7602; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 7001 (msg:"PUA-ADWARE Snoopware big brother v3.5.1 outbound connection - connect to keyserver"; flow:to_server,established; content:"login"; depth:5; nocase; content:"~EOL!"; distance:0; nocase; pcre:"/^login\s+[^\r\n]*\x2A[^\r\n]*~EOL!/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45916; classtype:successful-recon-limited; sid:7601; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adtraffic outbound connection - notfound website search hijack and redirection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"EFError"; nocase; http_header; content:"Internet"; nocase; http_header; content:"Connection"; nocase; http_header; content:"Test"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*EFError\s+Internet\s+Connection\s+Test/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094115; classtype:misc-activity; sid:7600; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware comedy planet runtime detection - collect user information"; flow:to_server,established; content:"/index.php?document="; fast_pattern:only; content:"form-data|3B|"; nocase; content:"name="; distance:0; nocase; content:"user_name"; distance:0; nocase; content:"user_email"; distance:0; nocase; metadata:service http; reference:url,labs.paretologic.com/spyware.aspx?remove=Comedy-Planet; classtype:misc-activity; sid:7595; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware comedy planet runtime detection - ads"; flow:to_server,established; content:"/advertisement/advertisement.php?"; fast_pattern; nocase; http_uri; content:"systemTray="; nocase; http_uri; content:"joke_category="; nocase; http_uri; content:"joke_id="; nocase; http_uri; metadata:service http; reference:url,labs.paretologic.com/spyware.aspx?remove=Comedy-Planet; classtype:misc-activity; sid:7594; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"PUA-ADWARE Trickler urlblaze outbound connection - irc notification"; flow:to_server,established; content:"NICK"; depth:4; nocase; content:"6633"; distance:0; nocase; pcre:"/^NICK\s+\x5E\d+\x5E\d+\x5E\d+\x5E\d+\x5E6633/smi"; reference:url,www.spywareguide.com/product_show.php?id=743; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073195; classtype:misc-activity; sid:7589; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler urlblaze outbound connection - files search or download"; flow:to_server,established; content:"/phppbc.php"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.urlblaze.net"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.peer2mail.com"; nocase; http_header; pcre:"/^Referer\x3a[^\r\n]*www\x2eurlblaze\x2enet.*Host\x3A[^\r\n]*www\x2Epeer2mail\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=743; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073195; classtype:misc-activity; sid:7588; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler album galaxy outbound connection - p2p gnutella"; flow:to_server,established; content:"/P2P/gnutella/cache/gerry.asp"; fast_pattern; nocase; http_uri; content:"urlfile="; nocase; http_uri; content:"client=GALA"; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:service http; reference:url,codegravity.com/index.php/spyware; classtype:misc-activity; sid:7573; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker linkspider search bar outbound connection - ads"; flow:to_server,established; content:"/pagead/ads?"; nocase; http_uri; content:"www.linkspider.co.uk/cgi-bin/cgsearch/cgsearch.cgi"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,linkspider.co.uk; classtype:misc-activity; sid:7570; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lordofsearch runtime detection"; flow:to_server,established; content:"/home/lordofsearch"; nocase; http_uri; pcre:"/\x5Chome\/lordofsearch[^\r\n]*\x2Ehtml/smi"; metadata:service http; reference:url,www.spywareguide.com/product_list_category.php?category_id=12; classtype:misc-activity; sid:7569; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adshooter.searchforit outbound connection - redirector"; flow:to_server,established; content:"/redirector.html"; fast_pattern; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"advertiser_id="; nocase; http_uri; content:"keyword_id="; nocase; http_uri; content:"bid="; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=860; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079051; classtype:misc-activity; sid:7566; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adshooter.searchforit outbound connection - search engine"; flow:to_server,established; content:"/searchbar/engine.php"; fast_pattern; nocase; http_uri; content:"cver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchexpert.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Esearchexpert\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=860; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079051; classtype:misc-activity; sid:7565; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker startnow outbound connection"; flow:to_server,established; content:"/ieb/res/topres.xsl"; nocase; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1220; reference:url,www.spywareguide.com/product_show.php?id=1356; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083036; classtype:misc-activity; sid:7564; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware morpheus runtime detection - ad 2"; flow:to_server,established; content:"Referer|3A|"; nocase; http_header; content:"downloads.morpheus.com/rotation/"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*downloads\x2Emorpheus\x2Ecom\x2Frotation/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075453; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=54367; classtype:misc-activity; sid:7563; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware morpheus runtime detection - ad 1"; flow:to_server,established; content:"/rotation/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"downloads.morpheus.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*downloads\x2Emorpheus\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075453; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=54367; classtype:misc-activity; sid:7562; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker blazefind outbound connection - search bar"; flow:to_server,established; content:"/search_results.php"; fast_pattern; nocase; http_uri; content:"account_id="; nocase; http_uri; content:"search_string="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.blazefind.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]+www\x2Eblazefind\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=724; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079063; classtype:misc-activity; sid:7556; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hxdl runtime detection - hxdownload user-agent"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"HXDownload"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]+HXDownload/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079; classtype:misc-activity; sid:7554; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hxdl runtime detection - hxlogonly user-agent"; flow:to_server,established; content:"ClientID="; nocase; http_uri; content:"ServerTableID="; fast_pattern; nocase; http_uri; content:"ClientData="; nocase; http_uri; content:"AuxData="; nocase; http_uri; content:"ReleaseID="; nocase; http_uri; content:"ClientStats="; nocase; http_uri; content:"StoreID="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"HXLogOnly"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]+HXLogOnly/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079; classtype:misc-activity; sid:7553; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware adroar runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"ADROAR"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*ADROAR/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=761; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077256; classtype:misc-activity; sid:7550; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 2020search outbound connection"; flow:to_server,established; content:"/9894/search/search.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"pop.popuptoast.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*pop\x2Epopuptoast\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=640; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076971; classtype:misc-activity; sid:7543; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-ADWARE Screen-Scraper hidden camera outbound connection"; flow:to_server,established; content:"100"; depth:3; nocase; content:"hcarchive"; distance:0; nocase; content:"jpg"; distance:0; nocase; reference:url,www.sofotex.com/Hidden-Camera-download_L14936.html; classtype:successful-recon-limited; sid:7538; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker clearsearch variant outbound connection - popup"; flow:to_server,established; content:"/popup/popup.php?"; fast_pattern; nocase; http_uri; content:"cat="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"clearsearch.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*clearsearch\x2Ecom/smiH"; metadata:service http; reference:url,www.2-spyware.com/remove-clearsearch.html; reference:url,www.doxdesk.com/parasite/ClearSearch.html; classtype:misc-activity; sid:7536; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker clearsearch variant outbound connection - pass information"; flow:to_server,established; content:"/fast-cgi/bsc?"; nocase; http_uri; content:"mandant=clear"; nocase; http_uri; content:"synd=clear"; nocase; http_uri; content:"device="; nocase; http_uri; content:"portalLanguage="; fast_pattern; nocase; http_uri; content:"userLanguage="; nocase; http_uri; content:"context="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"q="; nocase; http_uri; metadata:service http; reference:url,www.2-spyware.com/remove-clearsearch.html; reference:url,www.doxdesk.com/parasite/ClearSearch.html; classtype:misc-activity; sid:7535; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware piolet runtime detection - ads request"; flow:to_server,established; content:"/ads/468x60"; nocase; http_uri; content:"Host|3A| www.piolet.com"; fast_pattern:only; http_header; metadata:service http; reference:url,taxster.fateback.com/piolet.htm; classtype:misc-activity; sid:7533; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware piolet runtime detection - user-agent"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Microsoft"; nocase; http_header; content:"URL"; nocase; http_header; content:"Control"; nocase; http_header; content:"Host|3A| www.piolet.com"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Microsoft\s+URL\s+Control/smiH"; metadata:service http; reference:url,taxster.fateback.com/piolet.htm; classtype:misc-activity; sid:7532; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"PUA-ADWARE Trickler mediaseek.pl client outbound connection - login"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"/K?"; distance:0; nocase; pcre:"/^GET\s+\x2FK\x3F[^\r\n]*\x7C*\x7C*\x7C*\s+HTTP/smi"; metadata:service ftp; reference:url,www.remove-spyware-now.net/MediaSeek-pl-Client.html; classtype:misc-activity; sid:7531; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler mediaseek.pl client outbound connection - trickler"; flow:to_server,established; content:"/gs_trickler"; fast_pattern; nocase; http_uri; content:"TRICKLER"; nocase; pcre:"/^TRICKLER\d+=[^\r\n]*MediaSeek/smi"; metadata:service http; reference:url,www.remove-spyware-now.net/MediaSeek-pl-Client.html; classtype:misc-activity; sid:7530; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Snoopware halflife jacker outbound connection"; flow:to_server,established; content:"from=HL-Jacker"; nocase; http_uri; content:"body=key"; nocase; http_uri; content:"fromemail=Jacked"; fast_pattern; nocase; http_uri; content:"to="; nocase; http_uri; metadata:service http; reference:url,www.megasecurity.org/trojans/h/halflifejacker/Halflifejacker1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077199; classtype:successful-recon-limited; sid:7529; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker moneybar outbound connection - cgispy counter"; flow:to_server,established; content:"/counter3.cgi?"; fast_pattern; nocase; http_uri; content:"p=moneytreck"; nocase; http_uri; metadata:service http; reference:url,www.aladdin.com/home/csrt/grayware-list2.asp?GraywareNo=277; classtype:misc-activity; sid:7524; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker chinese keywords outbound connection"; flow:to_server,established; content:"cn.dll?pid="; nocase; http_uri; content:"met="; nocase; http_uri; content:"charset="; nocase; http_uri; content:"name="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"name.cnnic.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*name\x2ecnnic\x2ecn/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074952; classtype:misc-activity; sid:7517; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler edonkey2000 outbound connection - version verification"; flow:to_server,established; content:"/ver/ver.php"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"app="; nocase; http_uri; content:"install_date="; nocase; http_uri; content:"reg="; nocase; http_uri; content:"sys="; nocase; http_uri; content:"sver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"home.edonkey.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*home\x2Eedonkey\x2Ecom/smiH"; metadata:service http; reference:url,www.fbmsoftware.com/spyware-net/Process/edonkey2000_exe/705/; classtype:misc-activity; sid:7510; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopprreports outbound connection - services requests"; flow:to_server,established; content:"/cs/cs.aspx?"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cs.shopperreports.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*cs\x2Eshopperreports\x2Ecom/smiH"; metadata:service http; reference:url,vil.mcafeesecurity.com/vil/content/v_133312.htm; classtype:misc-activity; sid:7194; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-ADWARE Adware trustyfiles v3.1.0.1 runtime detection - startup access"; flow:to_server,established; content:"/index-tfc.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"trustyfiles"; nocase; http_header; content:"com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*trustyfiles\x2Ecom/smiH"; metadata:service http; reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7193; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-ADWARE Adware trustyfiles v3.1.0.1 runtime detection - sponsor selection"; flow:to_server,established; content:"/rd/feed/XMLFeed.jsp"; fast_pattern; nocase; http_uri; content:"trackID="; nocase; http_uri; content:"pID="; nocase; http_uri; content:"cat="; nocase; http_uri; content:"nl="; nocase; http_uri; content:"page="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"excID="; nocase; http_uri; metadata:service http; reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7192; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-ADWARE Adware trustyfiles v3.1.0.1 runtime detection - url retrieval"; flow:to_server,established; content:"/."; http_uri; content:"urlfile="; nocase; http_uri; content:"client=TFLS"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:service http; reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7191; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware trustyfiles v3.1.0.1 runtime detection - host retrieval"; flow:to_server,established; content:"?hostfile="; depth:20; nocase; http_uri; content:"client=TFLS"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:service http; reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7190; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shop at home select - merchant redirect in progress"; flow:to_server,established; content:"/frameset.asp?"; fast_pattern; nocase; http_uri; content:"MID="; nocase; http_uri; content:"ruleID="; nocase; http_uri; content:"popupID="; nocase; http_uri; content:"doPopup="; nocase; http_uri; content:"version="; nocase; http_uri; content:"requested="; nocase; http_uri; content:"CustomerID="; nocase; http_uri; content:"owner="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"LastPrefs="; http_uri; content:"GUID="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076082; classtype:successful-recon-limited; sid:7188; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler jubster outbound connection"; flow:to_server,established; content:"/sresult.aspx"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.emp3finder.com"; nocase; http_header; content:"txtSearch="; nocase; content:"mp3s="; nocase; pcre:"/^Host\x3A\s+www\x2Eemp3finder\x2Ecom/smiH"; metadata:service http; reference:url,freeware4pc.com/multimedia/jubster.shtml; classtype:misc-activity; sid:7155; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cnsmin 3721 outbound connection - hijacking"; flow:to_server,established; content:"/cns.dll"; nocase; http_uri; content:"coagent="; nocase; http_uri; content:"3721cnsmin"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,doxdesk.com/parasite/CnsMin.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072511; classtype:misc-activity; sid:7153; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cnsmin 3721 outbound connection - installation"; flow:to_server,established; content:"/download/CnsMinM.ini"; fast_pattern; nocase; http_uri; content:"t="; nocase; http_uri; metadata:service http; reference:url,doxdesk.com/parasite/CnsMin.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072511; classtype:misc-activity; sid:7152; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cool search outbound connection"; flow:to_server,established; content:"/_other/dll/blank8.pac"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"WinInet"; nocase; http_header; content:"Test"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*WinInet\s+Test/smiH"; metadata:service http; reference:url,www.spywaredb.com/remove-pcshare-2-0/; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079768; classtype:misc-activity; sid:7144; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware digink.com runtime detection"; flow:to_server,established; content:"/mbop/index.php3"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Microsoft"; nocase; http_header; content:"URL"; nocase; http_header; content:"Control"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.digink.com"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Microsoft\s+URL\s+Control\s+-/smiH"; pcre:"/^Host\x3A\s+www\x2Edigink\x2Ecom/smiH"; metadata:service http; reference:url,www.nuker.com/container/details/snackman.php; reference:url,www.techsupportforum.com/archive/index.php/t-46308.html; classtype:misc-activity; sid:7143; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ares flash downloader 2.04 runtime detection"; flow:to_server,established; content:"/lordofsearchD_468X60.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"aresflashdownloader.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*aresflashdownloader\x2Ecom/smiH"; metadata:service http; reference:url,www.download2you.com/details_page.asp?titleID=12388; classtype:misc-activity; sid:7142; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware pay-per-click runtime detection - update"; flow:to_server,established; content:"/1.hta"; http_uri; content:"Host|3A|"; nocase; http_header; content:"dimattic.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dimattic\x2Ecom/smiH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1170; reference:url,ppcdomain.co.uk; classtype:misc-activity; sid:7141; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware pay-per-click runtime detection - configuration"; flow:to_server,established; content:"/cgi-bin/rb/cout.cgi"; http_uri; content:"Host|3A|"; nocase; http_header; content:"ppcdomain.co.uk"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*ppcdomain\x2Eco\x2Euk/smiH"; metadata:service http; reference:url,ppcdomain.co.uk; classtype:misc-activity; sid:7140; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies clicktrojan outbound connection - fake search query"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"aid="; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchadv.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Esearchadv\x2Ecom/smiH"; metadata:service http; reference:url,sunbeltblog.blogspot.com/2006/01/seen-in-wild-new-pay-per-click-fraud.html; classtype:misc-activity; sid:7139; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies clicktrojan outbound connection - version check"; flow:to_server,established; content:"/xversion.php"; nocase; http_uri; content:"version="; nocase; http_uri; content:"mode="; nocase; http_uri; content:"click="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"loomcompany.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*loomcompany\x2Ecom/smiH"; metadata:service http; reference:url,sunbeltblog.blogspot.com/2006/01/seen-in-wild-new-pay-per-click-fraud.html; classtype:misc-activity; sid:7138; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dsrch outbound connection - side search redirect"; flow:to_server,established; content:"/sidesearch/sidesearch.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"websearch.drsnsrch.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*websearch\x2Edrsnsrch\x2Ecom/smiH"; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=DSrch&threatid=41080; classtype:misc-activity; sid:7137; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dsrch outbound connection - search assistant redirect"; flow:to_server,established; content:"/url.cgi"; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"badurl.grandstreetinteractive.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*badurl\x2Egrandstreetinteractive\x2Ecom/smiH"; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=DSrch&threatid=41080; classtype:misc-activity; sid:7136; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking"; flow:to_server,established; content:"/?s="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.weepee.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eweepee\x2Ecom/smiH"; metadata:service http; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7130; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2"; flow:to_server,established; content:"/ea.exe"; nocase; http_uri; content:"sb"; nocase; http_uri; content:"joelesoftware"; nocase; http_uri; content:"01"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.wowokay.com/wowokaybar.php"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*www\x2Ewowokay\x2Ecom\/wowokaybar\x2Ephp/smiH"; metadata:service http; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7129; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1"; flow:to_server,established; content:"/mb/text_group.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"col="; nocase; http_uri; content:"br="; nocase; http_uri; content:"dk="; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.wowokay.com/wowokaybar.php"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*www\x2Ewowokay\x2Ecom\/wowokaybar\x2Ephp/smiH"; metadata:service http; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7128; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking"; flow:to_server,established; content:"t.php"; nocase; http_uri; content:"sc_project="; fast_pattern; nocase; http_uri; content:"resolution="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"u="; nocase; http_uri; content:"java="; nocase; http_uri; content:"security="; nocase; http_uri; content:"sc_random="; nocase; http_uri; pcre:"/u=[^\r\n]*www\.wowokay\.com/Ui"; metadata:service http; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7127; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-ADWARE Hijacker trojan proxy atiup outbound connection - notification"; flow:to_server,established; content:"/devrandom/r.php"; nocase; http_uri; content:"Host|3A| jupitersatellites.biz"; metadata:service http; reference:url,vil.nai.com/vil/content/v_137129.htm; classtype:misc-activity; sid:7126; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker traffbest biz outbound connection - adv"; flow:to_server,established; content:"/progs_exe/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"adv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"traffbest.biz"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*traffbest\x2Ebiz/smiH"; metadata:service http; reference:url,forums.maddoktor2.com/index.php?showtopic=3601; classtype:misc-activity; sid:7125; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies alfacleaner outbound connection - buy"; flow:to_server,established; content:"/buy.dhtml"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"sub="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.alfacleaner.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ealfacleaner\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2733; classtype:misc-activity; sid:7124; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies alfacleaner outbound connection - update"; flow:to_server,established; content:"/updates/update.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.alfacleaner.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ealfacleaner\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2733; classtype:misc-activity; sid:7123; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker vip01 biz outbound connection - adv"; flow:to_server,established; content:"/progs/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"adv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"vip01.biz"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*vip01\x2Ebiz/smiH"; metadata:service http; reference:url,forums.maddoktor2.com/index.php?showtopic=3601; classtype:misc-activity; sid:7055; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler download arq variant outbound connection"; flow:to_server,established; content:"/b/info.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ccecaedbebfcaf.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*ccecaedbebfcaf\x2Ecom.*?uuid=.*?wv=.*?cargo=.*?check=/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_137359.htm; classtype:misc-activity; sid:7054; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware webredir runtime detection"; flow:to_server,established; content:"/whois.xml"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cache.everer.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*cache\x2Eeverer\x2Ecom/smiH"; metadata:service http; reference:url,castlecops.com/tk1907-pxwma_dll.html; classtype:misc-activity; sid:7053; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler generic downloader.g outbound connection - adv"; flow:to_server,established; content:"adv="; nocase; http_uri; content:"ads="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.topadwarereviews.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Etopadwarereviews\x2Ecom/smiH"; metadata:service http; reference:url,vil.mcafeesecurity.com/vil/content/v_128719.htm; classtype:misc-activity; sid:7052; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler generic downloader.g outbound connection - spyware injection"; flow:to_server,established; content:"/newsys/options.xml"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"i-femdom.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*i\-femdom\x2Ecom/smiH"; metadata:service http; reference:url,vil.mcafeesecurity.com/vil/content/v_128719.htm; classtype:misc-activity; sid:7051; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker extreme biz outbound connection - uniq1"; flow:to_server,established; content:"/uniq1.php"; nocase; http_uri; content:"exp="; nocase; http_uri; content:"adv="; nocase; http_uri; content:"code1="; nocase; http_uri; content:"code2="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"1-extreme.biz"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*1\-extreme\x2Ebiz/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_139122.htm; classtype:misc-activity; sid:7049; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware adpowerzone runtime detection"; flow:to_server,established; content:"/advertpro/servlet/view/dynamic/html/campaign"; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"media.top-banners.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*media\x2Etop-banners\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1299; classtype:misc-activity; sid:6496; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker troj_spywad.x outbound connection"; flow:to_server,established; content:"/trial.php"; fast_pattern; nocase; http_uri; content:"rest="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"a="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"httphost"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*httphost/smiH"; metadata:service http; reference:url,www.sophos.com/virusinfo/analyses/trojspywadi.html; classtype:misc-activity; sid:6495; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware yourenhancement runtime detection"; flow:to_server,established; content:"/mbop/display.php3"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"yourenhancement.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*yourenhancement\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097585; classtype:misc-activity; sid:6494; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker analyze IE outbound connection - default page hijacker"; flow:to_server,established; content:"/hp/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.webcruiser.cc"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ewebcruiser\x2Ecc/smiH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.spywaredetails.com/index.php?a=spyware&act=read&id=1680; classtype:misc-activity; sid:6489; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cws.cameup outbound connection - search"; flow:to_server,established; content:"/searchtb.php?q="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"fast-look.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*fast-look\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081; classtype:misc-activity; sid:6481; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker cws.cameup outbound connection - home page"; flow:to_server,established; content:"/hpt/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.e-finder.cc"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ee-finder\x2Ecc/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081; classtype:misc-activity; sid:6480; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Snoopware totalvelocity zsearch outbound connection"; flow:to_server,established; content:"/e.aspx"; nocase; content:"ver="; nocase; content:"host="; nocase; content:"Host|3A|"; nocase; http_header; content:"www.ZSearchResults.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2EZSearchResults\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=763; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083031; classtype:successful-recon-limited; sid:6479; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker zeropopup outbound connection"; flow:to_server,established; content:"/searchbar/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.znext.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=627; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075510; classtype:misc-activity; sid:6392; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware esyndicate runtime detection - ads popup"; flow:to_server,established; flowbits:isset,eSyndicate.ads; content:"/ad/zadframe.esyn"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"aw="; nocase; http_uri; content:"ah="; nocase; http_uri; content:"dt="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1759; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; classtype:misc-activity; sid:6391; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware esyndicate runtime detection - ads popup"; flow:to_server,established; content:"/content/"; fast_pattern; nocase; http_uri; flowbits:set,eSyndicate.ads; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:6390; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware esyndicate runtime detection - postinstall request"; flow:to_server,established; content:"/exclusionlist/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"client.contextual.esyndicate.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*client\x2Econtextual\x2Eesyndicate\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1759; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; classtype:misc-activity; sid:6389; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker internet optimizer outbound connection - error page hijack"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"js="; nocase; http_uri; content:"e=ERR404"; fast_pattern; nocase; http_uri; content:"u=http"; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=869; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453093995; classtype:misc-activity; sid:6388; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker internet optimizer outbound connection - autosearch hijack"; flow:to_server,established; content:"/query/"; fast_pattern; nocase; http_uri; content:"lt="; nocase; http_uri; content:"q="; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=869; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453093995; classtype:misc-activity; sid:6387; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adbars outbound connection - homepage hijack"; flow:to_server,established; content:"/r/banner_iw_codigo_gtc.php"; fast_pattern; nocase; http_uri; content:"idrotador="; nocase; http_uri; content:"tamano="; nocase; http_uri; content:"iw_alternativo="; nocase; http_uri; content:"www.adbars.com"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1331; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079049; classtype:misc-activity; sid:6378; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler spyblocs.eblocs detection - register request"; flow:to_server,established; content:"/cart11.html?affl="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.eblocs.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eeblocs\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6375; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler spyblocs eblocs detection - get spyblpat.dat/spyblini.ini"; flow:to_server,established; content:"/products/spyblocs/"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"download.eblocs.com"; nocase; http_header; pcre:"/\x2Fproducts\x2Fspyblocs\x2F(spyblpat\d*\x2Edat\x2E\d+|spyblini\x2Eini)/Ui"; pcre:"/^Host\x3A[^\r\n]*download\x2Eeblocs\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6374; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler spyblocs eblocs detection - stbarpat.dat"; flow:to_server,established; content:"/products/stbar/stbarpat.dat"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"download.eblocs.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*download\x2Eeblocs\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6373; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler spyblocs eblocs detection - get wsliveup.dat"; flow:to_server,established; content:"/wsliveup/advisor/wsliveup.dat"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"spybl.cyberdefender.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*spybl\x2Ecyberdefender\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6372; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware flashtrack media/spoton runtime detection - pop up ads"; flow:to_server,established; content:"/js/jsnew2.php?"; fast_pattern; nocase; http_uri; content:"grp="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"ft_id="; nocase; http_uri; content:"c="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"k="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=477; classtype:misc-activity; sid:6371; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware flashtrack media/spoton runtime detection - update request"; flow:to_server,established; content:"?c="; nocase; http_uri; content:"&g="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"User-Agent|3A| Daemon"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=477; classtype:misc-activity; sid:6368; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler eacceleration downloadreceiver outbound connection - stop-sign ads"; flow:to_server,established; content:"/dlp_def/"; nocase; http_uri; content:"imod="; nocase; http_uri; content:"prod=scanner"; fast_pattern; nocase; http_uri; content:"lng="; nocase; http_uri; content:"geo="; nocase; http_uri; content:"ftid="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"ui="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=398; classtype:misc-activity; sid:6367; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware altnet runtime detection - status report"; flow:to_server,established; content:"/backoffice.net/stats/Add.aspx"; fast_pattern; nocase; http_uri; content:"ST="; nocase; http_uri; content:"PN=Altnet"; nocase; http_uri; content:"AN=Altnet"; nocase; http_uri; content:"LN="; nocase; http_uri; content:"DN="; nocase; http_uri; content:"GR="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.altnet.com"; nocase; http_header; pcre:"/^HOST\x3A[^\r\n]*www\x2Ealtnet\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1369; reference:url,www.spywareremove.com/removeAltnet.html; classtype:misc-activity; sid:6361; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware altnet runtime detection - update"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Peer"; nocase; http_header; content:"Points"; nocase; http_header; content:"Manager"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Peer\s+Points\s+Manager/smiH"; content:"Host|3A|"; nocase; http_header; content:"pm.altnet.com"; fast_pattern; nocase; http_header; pcre:"/^HOST\x3A[^\r\n]*pm\x2Ealtnet\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1369; reference:url,www.spywareremove.com/removeAltnet.html; classtype:misc-activity; sid:6360; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware altnet runtime detection - initial retrieval"; flow:to_server,established; content:"/pm/start.asp"; nocase; http_uri; content:"pmver="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.altnet.com"; nocase; http_header; pcre:"/^HOST\x3A[^\r\n]*www\x2Ealtnet\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1369; reference:url,www.spywareremove.com/removeAltnet.html; classtype:misc-activity; sid:6359; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker need2find search query detection"; flow:to_server,established; content:"/jsp/cfg_redir.jsp"; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"searchfor="; nocase; http_uri; pcre:"/url=[^\r\n]*kl\x2Esearch\x2Eneed2find\x2Ecom/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2195; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096250; classtype:misc-activity; sid:6358; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler wsearch outbound connection - desktop search"; flow:to_server,established; content:"/desksearch.cgi"; nocase; http_uri; content:"tps="; nocase; http_uri; content:"word="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.zhongsou.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ezhongsou\x2Ecom/smiH"; metadata:service http; reference:url,www.zhongsou.com; classtype:misc-activity; sid:6356; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler wsearch outbound connection - mp3 search"; flow:to_server,established; content:"/zsmp3"; nocase; http_uri; content:"tps="; nocase; http_uri; content:"word="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"mp3.zhongsou.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*mp3\x2Ezhongsou\x2Ecom/smiH"; metadata:service http; reference:url,www.zhongsou.com; classtype:misc-activity; sid:6355; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adblock ie search assistant redirect detection"; flow:to_server,established; content:"/iesearch.php"; fast_pattern; nocase; http_uri; content:"term="; nocase; http_uri; content:"Submit=Search"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*linkz\x2Ecom/smiH"; metadata:service http; reference:url,adblock.linkz.com/Home.php; reference:url,www.spywareguide.com/product_show.php?id=48; classtype:misc-activity; sid:6353; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adblock auto search redirect detection"; flow:to_server,established; content:"/abho/autosrch.abs"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"adblock.linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*adblock\x2Elinkz\x2Ecom/smiH"; metadata:service http; reference:url,adblock.linkz.com/Home.php; reference:url,www.spywareguide.com/product_show.php?id=48; classtype:misc-activity; sid:6352; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adblock update detection"; flow:to_server,established; content:"/abho/chkupdate.abs"; fast_pattern; nocase; http_uri; content:"cv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"adblock.linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*adblock\x2Elinkz\x2Ecom/smiH"; metadata:service http; reference:url,adblock.linkz.com/Home.php; reference:url,www.spywareguide.com/product_show.php?id=48; classtype:misc-activity; sid:6351; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker richfind auto search redirect detection"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"qq="; nocase; http_uri; content:"said=bar"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"richfind.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*richfind\x2Ecom/smiH"; metadata:service http; reference:url,users.telenet.be/marcvn/spyware/1954375.htm; reference:url,www.f-secure.com/sw-desc/iehijacker_richfind.shtml; classtype:misc-activity; sid:6350; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker richfind update detection"; flow:to_server,established; content:"/news.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.richfind.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Erichfind\x2Ecom/smiH"; metadata:service http; reference:url,users.telenet.be/marcvn/spyware/1954375.htm; reference:url,www.f-secure.com/sw-desc/iehijacker_richfind.shtml; classtype:misc-activity; sid:6349; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Snoopware zenosearch outbound connection"; flow:to_server,established; content:"/engine"; fast_pattern; nocase; http_uri; content:"site="; nocase; http_uri; content:"page="; nocase; http_uri; content:"space="; nocase; http_uri; content:"size="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"domain="; nocase; http_uri; metadata:service http; reference:url,www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FZENO%2EA; classtype:successful-recon-limited; sid:6348; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware stationripper ad display detection"; flow:to_server,established; content:"/minimall"; nocase; http_uri; content:"w="; nocase; http_uri; content:"h="; nocase; http_uri; content:"client="; nocase; http_uri; content:"noctxt="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"url=http|3A|/www.stationripper.com/Portal/ad.htm"; fast_pattern; nocase; http_uri; content:"query="; nocase; http_uri; metadata:service http; reference:url,stationripper.com; classtype:misc-activity; sid:6347; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware stationripper update detection"; flow:to_server,established; content:"/version/stationripper-getver"; nocase; http_uri; metadata:service http; reference:url,stationripper.com; classtype:misc-activity; sid:6346; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware excite search bar runtime detection - search"; flow:to_server,established; content:"/tr.js"; nocase; http_uri; content:"a="; nocase; http_uri; content:"r="; nocase; http_uri; content:"site=excite"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.scanspyware.net/info/ExciteSearchBar.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078495; classtype:misc-activity; sid:6345; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware excite search bar runtime detection - config"; flow:to_server,established; content:"/speedbar/speedbarcfg.jsp"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Excite"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Excite/smiH"; metadata:service http; reference:url,www.scanspyware.net/info/ExciteSearchBar.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078495; classtype:misc-activity; sid:6344; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware targetsaver runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"TSA/"; fast_pattern; nocase; http_header; content:"Ts2/"; nocase; http_header; content:"OS/"; nocase; http_header; content:"IE/"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?TSA\x2F[^\r\n]*?Ts2\x2F[^\r\n]*?OS\x2F[^\r\n]*?IE\x2F[^\r\n]*?CD\x2F[^\r\n]*?UID\x2F[^\r\n]*?AID\x2F/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1914; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090707; classtype:misc-activity; sid:6343; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker spediabar outbound connection - info check"; flow:to_server,established; content:"/cgi-bin/tz.cgi"; nocase; http_uri; content:"run="; nocase; http_uri; content:"Host|3A| spedia.net"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1693; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074295; classtype:misc-activity; sid:6342; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker websearch outbound connection - webstat"; flow:to_server,established; content:"/WebStat.asmx/GetXML2"; fast_pattern; nocase; http_uri; content:"sDate="; nocase; http_uri; content:"sModule="; nocase; http_uri; content:"sCID="; nocase; http_uri; content:"sIP="; nocase; http_uri; content:"sURL="; nocase; http_uri; content:"sReferrer="; nocase; http_uri; content:"sBT="; nocase; http_uri; content:"sAgent="; nocase; http_uri; content:"sName="; nocase; http_uri; content:"sAction="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=769; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074933; classtype:misc-activity; sid:6284; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker websearch outbound connection - sitereview"; flow:to_server,established; content:"/sitereview.asmx/GetReview"; fast_pattern; nocase; http_uri; content:"URL="; nocase; http_uri; content:"SITE="; nocase; http_uri; content:"TUID="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=769; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074933; classtype:misc-activity; sid:6283; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker sidefind outbound connection - cookie"; flow:to_server,established; content:"/javascripts/common.js"; fast_pattern; nocase; http_uri; content:"Cookie|3A| "; nocase; http_header; content:"origin=sidefind"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1147; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088285; classtype:misc-activity; sid:6280; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker sidefind outbound connection"; flow:to_server,established; content:"target="; nocase; http_uri; content:"tv="; nocase; http_uri; content:"tu="; nocase; http_uri; content:"td="; nocase; http_uri; content:"account_id="; nocase; http_uri; content:"tt="; http_uri; content:"search_string="; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1147; classtype:misc-activity; sid:6279; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker incredifind outbound connection - cookie"; flow:to_server,established; content:"/index.cfm"; nocase; http_uri; content:"action="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"Cookie|3A| "; nocase; http_header; content:"source=IncrediFind"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077295; classtype:misc-activity; sid:6275; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler bundleware runtime detection"; flow:to_server,established; content:"/AD/UCMD?"; fast_pattern; nocase; http_uri; content:"&ID={"; nocase; http_uri; content:"&rand="; nocase; http_uri; metadata:service http; reference:url,www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions; classtype:misc-activity; sid:6271; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - track event"; flow:to_server,established; content:"/superbar/event.php"; fast_pattern; nocase; http_uri; content:"event="; nocase; content:"gmt="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6269; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - self update - download exe"; flow:to_server,established; content:"/SUPERBARINSTALL_2.2.1.EXE"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6268; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - self update - get update"; flow:to_server,established; content:"/superbar/seupdate.php"; fast_pattern; nocase; http_uri; content:"action=getUpdate"; nocase; content:"fileName="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6267; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - self update - check update"; flow:to_server,established; content:"/superbar/seupdate.php"; fast_pattern; nocase; http_uri; content:"action=checkUpdate"; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6266; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - self update - engine"; flow:to_server,established; content:"/superbar/engine.php"; fast_pattern; nocase; http_uri; content:"requests="; nocase; content:"engine="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6265; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - self update - movie"; flow:to_server,established; content:"/superbar/movie.php"; fast_pattern; nocase; http_uri; content:"requests="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6264; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker gigatech superbar outbound connection - collect information"; flow:to_server,established; content:"/adi/fandango.dart/theaterselectionpage|3B|"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6263; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware overpro runtime detection"; flow:to_server,established; content:"/cmapp/zx-popup.php?"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"m="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"Host|3A| newads1.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=757; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090731; classtype:misc-activity; sid:6260; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware searchsquire runtime detection - search forward"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"term="; nocase; http_uri; content:"partner=searchsquire"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6259; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware searchsquire runtime detection - get engine file"; flow:to_server,established; content:"/engine"; fast_pattern; nocase; http_uri; content:".txt"; nocase; http_uri; pcre:"/\x2Fengine2?\x2Etxt/Ui"; content:"User-Agent|3A|"; nocase; http_header; content:"Agent"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Agent[0-9]{7}/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6258; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware searchsquire runtime detection - testgeonew query"; flow:to_server,established; content:"/testgeonew.php"; nocase; http_uri; content:"Referer|3A| http|3A|//ad.searchsquire.com/blank.html"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6257; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE Adware searchsquire installtime/auto-update"; flow:to_client,established; file_data; content:"907CA0E5-CE84-11D6-9508-02608CDD2846"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3A\s*\x7B?\s*907CA0E5-CE84-11D6-9508-02608CDD2846/si"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6256; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hotbar runtime detection - hostie user-agent"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"hostie"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?hostie/Hsmi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=481; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474; classtype:misc-activity; sid:6251; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hotbar runtime detection - hotbar user-agent"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"hotbar"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?hotbar/Hsmi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=481; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474; classtype:misc-activity; sid:6250; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ezula toptext runtime detection - redirect"; flow:to_server,established; content:"/IntermixWO/redirect/redirect.asp?"; fast_pattern; nocase; http_uri; content:"DS_ID="; nocase; http_uri; content:"PubName="; nocase; http_uri; content:"UV_ID="; nocase; http_uri; content:"country="; nocase; http_uri; content:"region="; nocase; http_uri; content:"city="; nocase; http_uri; content:"zip="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551; classtype:misc-activity; sid:6249; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ezula toptext runtime detection - popup"; flow:to_server,established; content:"/TopText/pop-popup.html"; fast_pattern; nocase; http_uri; content:"Host|3A| www.ezula.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551; classtype:misc-activity; sid:6248; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ezula toptext runtime detection - help redirect"; flow:to_server,established; content:"/IntermixWO/Redirect/HelpRedirect.asp?"; fast_pattern; nocase; http_uri; content:"var="; nocase; http_uri; content:"Host|3A| www.ezula.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551; classtype:misc-activity; sid:6247; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker exact navisearch outbound connection - search hijack"; flow:to_server,established; content:"/404/search.php?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"Keywords="; nocase; http_uri; content:"a="; nocase; http_uri; content:"Host|3A| www.navisearch.net"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1169; classtype:misc-activity; sid:6246; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker coolwebsearch startpage outbound connection"; flow:to_server,established; content:"/2gt.php"; nocase; http_uri; content:"cp="; nocase; http_uri; content:"dn=daosearch.com"; fast_pattern; nocase; http_uri; content:"ckey="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"iphsh="; nocase; http_uri; content:"tm="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=599; classtype:misc-activity; sid:6245; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker coolwebsearch cameup outbound connection - ie auto search hijack"; flow:to_server,established; content:"/notfound.php"; nocase; http_uri; content:"Host|3A| www.cameup.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081; classtype:misc-activity; sid:6244; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker coolwebsearch cameup outbound connection - home page hijack"; flow:to_server,established; content:"/justas.css"; nocase; http_uri; content:"Host|3A| www.kliksearch.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081; classtype:misc-activity; sid:6243; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker coolwebsearch.cameup outbound connection"; flow:to_server,established; content:"svc="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"type="; nocase; http_uri; content:"mode="; nocase; http_uri; content:"art="; nocase; http_uri; content:"acct="; nocase; http_uri; content:"url="; nocase; http_uri; content:"category="; fast_pattern; nocase; http_uri; content:"view="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; classtype:misc-activity; sid:6242; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - ie autosearch hijack"; flow:to_server,established; content:"/exe/dns.html"; nocase; http_uri; content:"User-Agent|3A| TPSystem"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6241; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - pop up ads"; flow:to_server,established; content:"/prod/C2mediapops/pop3.asp?"; fast_pattern; nocase; http_uri; content:"mt="; nocase; http_uri; content:"popid="; nocase; http_uri; content:"User-Agent|3A| TPSystem"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6240; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - collect info request 2"; flow:to_server,established; content:"/tba/p?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"clientid="; nocase; http_uri; content:"time="; nocase; http_uri; content:"locale="; nocase; http_uri; content:"session="; nocase; http_uri; content:"idle="; nocase; http_uri; content:"crc="; nocase; http_uri; content:"User-Agent|3A| TPSystem"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6239; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - collect info request 1"; flow:to_server,established; content:"/tba/"; nocase; content:"guid="; distance:0; nocase; content:"version="; distance:0; nocase; content:"clientid="; distance:0; nocase; content:"time="; distance:0; nocase; content:"locale="; distance:0; nocase; content:"session="; distance:0; nocase; content:"id="; distance:0; nocase; content:"idle="; distance:0; nocase; content:"queued="; distance:0; nocase; content:"crc="; distance:0; nocase; content:"User-Agent|3A| TPSystem"; fast_pattern:only; http_header; pcre:"/\x2Ftba\x2F(cm|cu)\?/smi"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6238; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - check update request"; flow:to_server,established; content:"/upd/check?version="; nocase; http_uri; content:"User-Agent|3A| Download UBAgent"; fast_pattern:only; http_header; metadata:service http; classtype:misc-activity; sid:6237; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware lop runtime detection - pass info to server"; flow:to_server,established; content:"/abt?data="; nocase; http_uri; content:"User-Agent|3A| Travel Update"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6236; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware mirar runtime detection - delayed"; flow:to_server,established; content:"/delayed.cgi"; nocase; http_uri; content:"g"; nocase; http_uri; content:"edata"; nocase; http_uri; content:"q"; nocase; http_uri; content:"User-Agent|3A| Mirar_KeywordContent"; fast_pattern:only; http_header; metadata:service http; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Adware%3AWin32%2FMirar; classtype:misc-activity; sid:6233; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ieplugin outbound connection - search"; flow:to_server,established; content:"/q.cgi?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| wwd.ieplugin"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=482; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072530; classtype:misc-activity; sid:6224; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware delfin media viewer runtime detection - retrieve schedule"; flow:to_server,established; content:"/Delfin/schedule.html"; nocase; http_uri; content:"pBrd"; nocase; http_uri; content:"pSch"; nocase; http_uri; content:"pIsp"; nocase; http_uri; content:"pVer"; http_uri; content:"pZip"; nocase; http_uri; content:"pSer"; nocase; http_uri; content:"User-Agent|3A| PromulGate"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=727; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076775; classtype:misc-activity; sid:6223; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware delfin media viewer runtime detection - contact server"; flow:to_server,established; content:"/Delfin/ini.html"; nocase; http_uri; content:"pBrd"; nocase; http_uri; content:"pIsp"; nocase; http_uri; content:"pVer"; nocase; http_uri; content:"pSer"; nocase; http_uri; content:"User-Agent|3A| PromulGate"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=727; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076775; classtype:misc-activity; sid:6222; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware bonzibuddy runtime detection"; flow:to_server,established; content:"/bonzibuddy/"; fast_pattern; nocase; http_uri; content:".nbd"; nocase; http_uri; pcre:"/\x2Fbonzibuddy\x2F(updates|products|daily)\x2Enbd/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=512; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; classtype:misc-activity; sid:6219; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware aornum/iwon copilot runtime detection - ads"; flow:to_server,established; content:"/ad_string.js?"; fast_pattern; nocase; http_uri; content:"tagad"; nocase; http_uri; content:"site=iwon"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072491; classtype:misc-activity; sid:6218; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware aornum/iwon copilot runtime detection - config"; flow:to_server,established; content:"/copilot/copilotcfg.jsp?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"iWon"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072491; classtype:misc-activity; sid:6216; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 7fasst outbound connection - track"; flow:to_server,established; content:"/data/track.aspx?"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"theurl="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=419; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502; classtype:misc-activity; sid:6215; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 7fasst outbound connection - search"; flow:to_server,established; content:"/searchweb.aspx?"; fast_pattern; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"theurl="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=419; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502; classtype:misc-activity; sid:6214; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 7fasst outbound connection - auto requests"; flow:to_server,established; content:".aspx?"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"Host|3A| client.browseraccelerator.com"; fast_pattern:only; http_header; pcre:"/\x2F(word|news|weather|joke|tip)\x2Easpx\?/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=419; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502; classtype:misc-activity; sid:6213; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware commonname runtime detection"; flow:to_server,established; content:"User-Agent|3A| CommonName Agent"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=429; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078618; classtype:misc-activity; sid:6212; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware deskwizz runtime detection - pop-up ad request"; flow:to_server,established; content:"/select/Get"; nocase; http_uri; pcre:"/select\x2FGet(One|SbAts)\x2Ephp/Ui"; content:"Host|3A| "; nocase; content:"deskwizz.com"; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1127; classtype:misc-activity; sid:6211; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware deskwizz/zquest runtime detection - get config information / ad banner"; flow:to_server,established; content:"/GetAd/"; nocase; http_uri; content:"Host|3A| "; nocase; content:"deskwizz.com"; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1127; reference:url,www.symantec.com/avcenter/venc/data/adware.zquest.html; classtype:misc-activity; sid:6209; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler farmmext outbound connection - track activity"; flow:to_server,established; content:"/imp/servlet/ImpServe?"; fast_pattern; nocase; http_uri; content:"urlContext="; nocase; http_uri; content:"domainContext="; nocase; http_uri; content:"distID="; nocase; http_uri; content:"MM_RECO.EXE"; nocase; http_uri; content:"country="; nocase; http_uri; content:"transponderID="; nocase; http_uri; metadata:service http; reference:url,www.spyany.com/files/farmmext_exe.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784; classtype:misc-activity; sid:6204; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler farmmext outbound connection - drk.syn request"; flow:to_server,established; content:"/a/Drk.syn?"; fast_pattern; nocase; http_uri; content:"bho="; nocase; http_uri; content:"DistID="; nocase; http_uri; content:"MM_RECO.EXE"; nocase; http_uri; metadata:service http; reference:url,www.spyany.com/files/farmmext_exe.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784; classtype:misc-activity; sid:6203; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware twaintec runtime detection"; flow:to_server,established; content:"/twain/servlet/Twain"; fast_pattern; nocase; http_uri; content:"adcontext="; nocase; http_uri; content:"contextpeak="; nocase; http_uri; content:"contextcount="; nocase; http_uri; content:"countrycodein="; nocase; http_uri; content:"cookie1="; nocase; http_uri; content:"cookie2="; nocase; http_uri; content:"InstID="; nocase; http_uri; content:"status="; nocase; http_uri; content:"smode="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=650; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078844; classtype:misc-activity; sid:6201; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker smart search outbound connection - get settings"; flow:to_server,established; content:"/settings/"; nocase; content:"Host|3A| www.searchreslt.com"; distance:0; nocase; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078876; classtype:misc-activity; sid:6200; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker smart search outbound connection - hijack/ads"; flow:to_server,established; content:"/files/adframe.aspx?"; nocase; http_uri; content:"SE="; nocase; http_uri; content:"ST="; nocase; http_uri; content:"Host|3A| www.searchreslt.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078876; classtype:misc-activity; sid:6199; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker smart shopper outbound connection - services requests"; flow:to_server,established; content:"/cs/cs.aspx?"; nocase; http_uri; content:"Host|3A| cs.smartshopper.com"; fast_pattern:only; metadata:service http; reference:url,vil.mcafeesecurity.com/vil/content/v_133312.htm; classtype:misc-activity; sid:6196; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware seekmo runtime detection - download .cab"; flow:to_server,established; content:"/downloads/ff/"; nocase; http_uri; content:"/seekmo/npclntax.CAB"; nocase; http_uri; content:"Host|3A| installs.seekmo.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2368; classtype:misc-activity; sid:6195; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware seekmo runtime detection - config upload"; flow:to_server,established; content:"/config.aspx?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"duid="; nocase; http_uri; content:"partner_id="; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"Host|3A| config.seekmo.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2368; classtype:misc-activity; sid:6194; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware seekmo runtime detection - pop up ads"; flow:to_server,established; content:"/display.aspx?"; nocase; http_uri; content:"adid="; nocase; http_uri; content:"kwid="; nocase; http_uri; content:"umt="; nocase; http_uri; content:"inid="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"tv.seekmo.com/showme.aspx?keyword="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2368; classtype:misc-activity; sid:6193; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware seekmo runtime detection - reporting keyword"; flow:to_server,established; content:"/showme.aspx?keyword="; fast_pattern; nocase; http_uri; content:"Host|3A| tv.seekmo.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2368; classtype:misc-activity; sid:6192; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ISTBar runtime detection - bar"; flow:to_server,established; content:"/ist/bars/istbar"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=572; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516; classtype:misc-activity; sid:6188; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ISTBar runtime detection - scripts"; flow:to_server,established; content:"/ist/scripts/"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=572; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516; classtype:misc-activity; sid:6187; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 180Search assistant runtime detection - reporting keyword"; flow:to_server,established; content:"/showme.aspx?keyword="; nocase; http_uri; content:"Host|3A| tv.180solutions.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=507; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677; classtype:misc-activity; sid:6185; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 180Search assistant runtime detection - config upload"; flow:to_server,established; content:"/config.aspx?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"duid="; nocase; http_uri; content:"partner_id="; nocase; http_uri; content:"product_id="; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=507; classtype:misc-activity; sid:6184; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware 180Search assistant runtime detection - tracked event URL"; flow:to_server,established; content:"/trackedevent.aspx?"; fast_pattern; nocase; http_uri; content:"eid="; nocase; http_uri; content:"mt="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"basename="; nocase; http_uri; content:"time="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=507; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677; classtype:misc-activity; sid:6183; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware offeragent runtime detection - ads request"; flow:to_server,established; content:"/103/getad.aspx?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"ciso="; nocase; http_uri; content:"pcpi="; nocase; http_uri; content:"Host|3A| dist.atlas-ia.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096710; classtype:misc-activity; sid:5996; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware offeragent runtime detection - information checking"; flow:to_server,established; content:"/103/co.aspx?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"cv="; nocase; http_uri; content:"cfv="; nocase; http_uri; content:"sfv="; nocase; http_uri; content:"ciso="; nocase; http_uri; content:"Host|3A| dist.atlas-ia.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096710; classtype:misc-activity; sid:5995; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker getmirar outbound connection - click related button"; flow:to_server,established; content:"/thumbnail.cgi?"; fast_pattern:only; http_uri; content:"DURL="; nocase; http_uri; content:"TAG="; nocase; http_uri; metadata:service http; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Adware%3AWin32%2FMirar; classtype:misc-activity; sid:5994; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker getmirar outbound connection - track activity"; flow:to_server,established; content:"/v70click.cgi?"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; content:"adurl="; nocase; http_uri; content:"adtitle="; nocase; http_uri; content:"adbody="; nocase; http_uri; metadata:service http; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Adware%3AWin32%2FMirar; classtype:misc-activity; sid:5993; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcastpc runtime detection - get up-to-date movie/tv/ad information"; flow:to_server,established; content:"/client/"; nocase; http_uri; content:".aspx"; nocase; http_uri; content:"Host|3A| www.broadcastpc.tv"; fast_pattern:only; pcre:"/\x2Fclient\x2F(view|tvlistings|tvshowtickets|movietickets)\x2Easpx/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=738; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074364; classtype:misc-activity; sid:5990; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcastpc runtime detection - get config"; flow:to_server,established; content:"/v2.asmx"; nocase; content:"SOAPAction|3A| |22|http|3A|//ws.broadcastpc.tv/GetConfig|22|"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=738; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074364; classtype:misc-activity; sid:5989; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware powerstrip runtime detection"; flow:to_server,established; content:"/Subscriptions/NewsFeed.asp?"; fast_pattern; nocase; http_uri; content:"selection="; nocase; http_uri; content:"distribution="; nocase; http_uri; content:"User-Agent|3A| POWRSTRP"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=522; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074932; classtype:misc-activity; sid:5983; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker topfive searchassistant detection - side search"; flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"st="; nocase; http_uri; content:"ldid="; nocase; http_uri; content:"fpid="; nocase; http_uri; content:"fdid="; nocase; http_uri; content:"prid="; nocase; http_uri; content:"tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"tspid="; nocase; http_uri; content:"pn="; nocase; http_uri; content:"x="; nocase; http_uri; content:"y="; nocase; http_uri; content:"Referer|3A| ws1.appswebservice.com/index.php?tpid="; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2645; classtype:misc-activity; sid:5976; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker topfive searchassistant detection - search request"; flow:to_server,established; content:"/index.php?tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"Host|3A| ws1.appswebservice.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2645; classtype:misc-activity; sid:5975; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker smart finder detection - pop-up ads"; flow:to_server,established; content:"/ad/cc.php?"; fast_pattern:only; http_uri; content:"pin="; nocase; http_uri; content:"qq="; nocase; http_uri; content:"v0="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2165; classtype:misc-activity; sid:5974; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker smart finder detection - search engines hijack"; flow:to_server,established; content:"/gc/xsearch.php?"; nocase; http_uri; content:"qq="; nocase; http_uri; content:"pin="; nocase; http_uri; content:"v0="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2165; classtype:misc-activity; sid:5973; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE hijacker smart finder detection - ie autosearch hijack 1"; flow:to_server,established; content:"/sh.php?"; nocase; http_uri; content:"qq="; nocase; http_uri; content:"pin="; nocase; http_uri; content:"v0="; nocase; http_uri; content:"HelpAgent|3A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2165; classtype:misc-activity; sid:5972; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE trackware searchinweb detection - collect information"; flow:to_server,established; content:"/r?X="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; content:"Host|3A| c.goclick.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5969; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE trackware searchinweb detection - redirect"; flow:to_server,established; content:"/go.php?c="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5968; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE trackware searchinweb detection - click result links"; flow:to_server,established; content:"/click.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5967; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE trackware searchinweb detection - search request"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"said=bar"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.searchinweb.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5966; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker searchfast detection - search request"; flow:to_server,established; content:"/fstdirectory/searchResults.php?searchTerm="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5963; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker searchfast detection - catch search keyword"; flow:to_server,established; content:"/keyword.php?"; nocase; http_uri; content:"installID="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"partnerID="; nocase; http_uri; content:"partnerReferID="; nocase; http_uri; content:"Host|3A| searchfst.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5962; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker searchfast detection - news ticker"; flow:to_server,established; content:"/searchfast/ticker.xml"; nocase; http_uri; content:"Host|3A| www.thecommunicator.net"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5961; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker raxsearch detection - pop-up raxsearch window"; flow:to_server,established; content:"/search.m?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"q="; nocase; http_uri; content:"r=rxh"; nocase; http_uri; content:"Host|3A| www.raxsearch.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2485; classtype:misc-activity; sid:5960; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker raxsearch detection - send search keywords to raxsearch"; flow:to_server,established; content:"/gettotal.m?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"a="; nocase; http_uri; content:"r=rxh"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2485; classtype:misc-activity; sid:5959; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 123mania outbound connection - sidesearch hijacking"; flow:to_server,established; content:"/ie?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"hl="; nocase; http_uri; content:"lr="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"btnG="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"www.123mania.com/0409/ie.asp"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=940; classtype:misc-activity; sid:5953; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker 123mania outbound connection - autosearch hijacking"; flow:to_server,established; content:"/english.asp?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.123mania.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=940; classtype:misc-activity; sid:5952; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware weirdontheweb runtime detection - update notifier"; flow:to_server,established; content:"/notifier/"; nocase; http_uri; content:"v="; nocase; http_uri; content:"b="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"metadata="; nocase; http_uri; content:"Host|3A| www.weirdontheweb.net"; fast_pattern:only; pcre:"/\x2Fnotifier\x2F(configINTERNAL\.ini|update\.cgi)\?/Ui"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260; classtype:misc-activity; sid:5948; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware weirdontheweb runtime detection - log url"; flow:to_server,established; content:"/cgi/logurl.cgi"; nocase; content:"form-data|3B| name=|22|pid|22|"; fast_pattern:only; content:"internal"; nocase; content:"User-Agent|3A| MyPost"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260; classtype:misc-activity; sid:5947; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware weirdontheweb runtime detection - monitor user web activity"; flow:to_server,established; content:"/request/req.cgi?"; fast_pattern; nocase; http_uri; content:"gu=TN-internal"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"sp="; nocase; http_uri; content:"v="; nocase; http_uri; content:"sn="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"AID="; nocase; http_uri; content:"FT="; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260; classtype:misc-activity; sid:5946; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware weirdontheweb runtime detection - track.cgi request"; flow:to_server,established; content:"/track.cgi?"; nocase; http_uri; content:"prov=INTERNAL"; nocase; http_uri; content:"prog="; nocase; http_uri; content:"siteid="; nocase; http_uri; content:"group="; nocase; http_uri; content:"Host|3A| track.aadserver.net"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260; classtype:misc-activity; sid:5945; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware free access bar runtime detection 1"; flow:to_server,established; content:"User-Agent|3A| FreeAccessBar"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2493; classtype:misc-activity; sid:5944; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - third party information collection"; flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"mysearch.dropspam.com/index.php?tpid="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5938; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - pass information to its controlling server"; flow:to_server,established; content:"/r.php?"; nocase; http_uri; content:"apid="; nocase; http_uri; content:"ldid="; nocase; http_uri; content:"tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"cdurl="; nocase; http_uri; content:"srurl="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"mysearch.dropspam.com/index.php?tpid="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5937; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - side search"; flow:to_server,established; content:"/sidesearch.htm"; nocase; http_uri; content:"Host|3A| sidesearch.dropspam.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5936; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 3"; flow:to_server,established; content:"/search.cgi"; nocase; content:"source=lifestyle"; nocase; content:"query="; distance:0; nocase; content:"select="; distance:0; nocase; content:"Host|3A| desksearch.dropspam.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5935; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 2"; flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"tbid="; nocase; http_uri; content:"query="; nocase; http_uri; content:"Host|3A| search.dropspam.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5934; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker dropspam outbound connection - search request 1"; flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"source="; nocase; http_uri; content:"query="; nocase; http_uri; content:"Host|3A| search.dropspam.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:misc-activity; sid:5933; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashbar runtime detection - stats track"; flow:to_server,established; content:"/cgi-bin/connect.cgi?"; nocase; http_uri; content:"usr="; nocase; http_uri; content:"url="; nocase; http_uri; content:"title=CashSurfers"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5932; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashbar runtime detection - pop-up ad 2"; flow:to_server,established; content:"/asp/offers.asp?url=http|3A|/cashsurfers.metareward.com"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5930; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashbar runtime detection - pop-up ad 1"; flow:to_server,established; content:"si="; nocase; http_uri; content:"Host|3A| www.metareward.com"; fast_pattern:only; pcre:"/\x2F(f|s)\?[^\r\n]*si=/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5929; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashbar runtime detection - ads request"; flow:to_server,established; content:"/ads.aspx?"; nocase; http_uri; content:"Host|3A| ads.grokads.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5928; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware cashbar runtime detection - .smx requests"; flow:to_server,established; content:"/cbn/"; nocase; http_uri; content:".smx?"; nocase; http_uri; content:"u="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| ads.cashsurfers.com"; fast_pattern:only; pcre:"/\x2Fcbn\x2F(c|b)\.smx\?[^\r\n]*u=/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5927; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware active shopper runtime detection - collect information"; flow:to_server,established; content:"/HG?"; nocase; http_uri; content:"hc="; nocase; http_uri; content:"vcon=ActiveShopper"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5926; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware active shopper runtime detection - check"; flow:to_server,established; content:"/check.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"dom="; nocase; http_uri; content:"Host|3A| sidebar.activeshopper.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5925; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware active shopper runtime detection - redirect"; flow:to_server,established; content:"/active/redir_sidecheck.php?"; fast_pattern; nocase; http_uri; content:"search="; nocase; http_uri; content:"dom="; nocase; http_uri; content:"Host|3A| data2.activshopper.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5924; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware active shopper runtime detection - side search request"; flow:to_server,established; content:"/sidebar.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"Host|3A| sidebar.activeshopper.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5923; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker painter outbound connection - redirect yahoo search through online-casino-searcher"; flow:to_server,established; content:"/mtc/yahoo/search.php?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| online-casino-searcher.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2730; classtype:misc-activity; sid:5920; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker painter outbound connection - redirect to klikvipsearch"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.klikvipsearch.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2730; classtype:misc-activity; sid:5919; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker painter outbound connection - ping 'alive' signal"; flow:to_server,established; content:"/ping"; nocase; content:"Host|3A| 195.225."; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2730; classtype:misc-activity; sid:5918; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware smartpops runtime detection"; flow:to_server,established; content:"/adserv/GetAd.pl"; fast_pattern; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"rfs="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"uri="; nocase; http_uri; content:"sn="; nocase; http_uri; content:"cv="; nocase; http_uri; content:"mdm="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1910; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074758; classtype:misc-activity; sid:5911; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware download accelerator plus runtime detection - update"; flow:to_server,established; content:"/cgi-bin/update.dll?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| dapupd"; nocase; http_header; metadata:service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5906; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware download accelerator plus runtime detection - games center request"; flow:to_server,established; content:"/GamesTab_realarcade.asp"; nocase; http_uri; metadata:service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5905; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware download accelerator plus runtime detection - download files"; flow:to_server,established; content:"/cgi-bin/MirrorSearch.dll?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| DA"; nocase; http_header; metadata:service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5904; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware download accelerator plus runtime detection - get ads"; flow:to_server,established; content:"/cgi-bin/ads9.dll?"; fast_pattern; nocase; http_uri; content:"HTML="; nocase; http_uri; content:"DAUI="; nocase; http_uri; content:"INC="; nocase; http_uri; content:"DL="; nocase; http_uri; content:"CX="; nocase; http_uri; content:"CY="; nocase; http_uri; content:"IIA="; nocase; http_uri; content:"IIG="; nocase; http_uri; content:"IIP="; nocase; http_uri; content:"III="; nocase; http_uri; content:"V="; nocase; http_uri; metadata:service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5903; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware download accelerator plus runtime detection - startup"; flow:to_server,established; content:"/cgi-bin/ads9.dll?R="; fast_pattern; nocase; http_uri; content:"User-Agent|3A| DA"; nocase; http_header; metadata:service http; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5902; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopnav outbound connection - self-update request 2"; flow:to_server,established; content:"/9899/srng/jrnl.php"; nocase; content:"PCID="; distance:0; nocase; content:"OS="; distance:0; nocase; content:"Category="; distance:0; nocase; content:"Field="; distance:0; nocase; content:"Description="; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5891; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopnav outbound connection - self-update request 1"; flow:to_server,established; content:"/9899/srng/reg.php?"; fast_pattern; nocase; http_uri; content:"IpAddr="; nocase; http_uri; content:"OS="; nocase; http_uri; content:"RegistryChanged="; nocase; http_uri; content:"RegistryUpdate="; nocase; http_uri; content:"Basedir="; nocase; http_uri; content:"SrngInstalled="; nocase; http_uri; content:"SrngVer="; nocase; http_uri; content:"PCID="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5890; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopnav outbound connection - collect information"; flow:to_server,established; content:"/dat/bgf/trpix.gif?"; nocase; http_uri; content:"rdm="; nocase; http_uri; content:"dlv="; nocase; http_uri; content:"dmn="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"search2.ad.shopnav.com/9899/search/results.php"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5889; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopnav outbound connection - ie auto search hijack"; flow:to_server,established; content:"/searchcat.jsp?p="; fast_pattern; nocase; http_uri; content:"appid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"type="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5888; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopnav outbound connection - ie search assistant hijack"; flow:to_server,established; content:"/9899/search/results.php?"; fast_pattern; nocase; http_uri; content:"source="; nocase; http_uri; content:"pa="; nocase; http_uri; content:"keywords="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5887; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Other-Technologies saria 1.0 outbound connection - send user information"; flow:to_server,established; content:"op="; nocase; http_uri; content:"vic="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; fast_pattern; nocase; http_uri; content:"pass="; nocase; http_uri; pcre:"/pass=(YAHOO|(XP\s+)?MSN|PALTALK)/Ui"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080923; classtype:misc-activity; sid:5883; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE Snoopware pc acme pro outbound connection"; flow:to_server,established; flowbits:isset,PCAcmePro; content:"Attached file is PC Acme report"; fast_pattern:only; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=2271; classtype:successful-recon-limited; sid:5874; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"PUA-ADWARE Snoopware pc acme pro outbound connection"; flow:to_server,established; content:"X-Mailer|3A| mPOP Web-Mail"; fast_pattern:only; flowbits:set,PCAcmePro; flowbits:noalert; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=2271; classtype:successful-recon-limited; sid:5873; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Snoopware hyperlinker outbound connection"; flow:to_server,established; content:"/lm/rtl3i.asp"; nocase; http_uri; content:"si="; nocase; http_uri; content:"k="; nocase; http_uri; content:"Host|3A| www.serverlogic3.com"; fast_pattern:only; metadata:service http; reference:url,www.doxdesk.com/parasite/Hyperlinker.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090785; classtype:successful-recon-limited; sid:5872; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler VX2/ABetterInternet transponder thinstaller outbound connection - post information"; flow:to_server,established; content:"/bi/servlet/Thinstall"; fast_pattern:only; content:"User-Agent|3A|"; nocase; http_header; content:".exe"; nocase; http_header; pcre:"/\x2Fbi\x2Fservlet\x2FThinstall(Pre|Result).*^User-Agent\x3A[^\r\n]*\.exe[^\r\n]*\x7B[\dA-Za-z]{8}-[\dA-Za-z]{4}-[\dA-Za-z]{4}-[\dA-Za-z]{4}-[\dA-Za-z]{12}\x7D\x7C[\dA-Za-z]{8}\x7C\d{5}-\d{3}-\d{7}-\d{5}/smiH"; metadata:service http; reference:url,research.sunbelt-software.com/threat_display.cfm?name=ABetterInternet&threatid=14797; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,www.geekstogo.com/forum/Aurora_spyware_Nailexe-t24344.html; classtype:misc-activity; sid:5871; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker couponbar outbound connection - view coupon offers"; flow:to_server,established; content:"/CBTerms.asp"; nocase; http_uri; content:"Host|3A| couponbar.coupons.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079137; classtype:misc-activity; sid:5868; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware zapspot runtime detection - pop up ads"; flow:to_server,established; content:"/cbb/frame.asp?"; nocase; http_uri; content:"cbb="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A| www.zapspot.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1714; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075441; classtype:misc-activity; sid:5865; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker isearch outbound connection - search hijack 2"; flow:to_server,established; content:"/phrase.php?"; fast_pattern; nocase; http_uri; content:"text="; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref=%user_id"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5863; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker isearch outbound connection - search hijack 1"; flow:to_server,established; content:"/dns.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"Host|3A| auto.isearch.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5862; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker daosearch outbound connection - search hijack"; flow:to_server,established; content:"o.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| daosearch.com"; fast_pattern; nocase; http_header; metadata:service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.daosearch.html; classtype:misc-activity; sid:5860; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker daosearch outbound connection - information request"; flow:to_server,established; content:"/advers/zl/version.txt"; fast_pattern; nocase; http_uri; content:"Host|3A| daosearch.com"; nocase; metadata:service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.daosearch.html; classtype:misc-activity; sid:5859; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker funbuddyicons outbound connection - request config"; flow:to_server,established; content:"/mySpeedbarCfg2.jsp?"; fast_pattern; nocase; http_uri; content:"s="; nocase; http_uri; content:"p=ZB"; nocase; http_uri; content:"v="; nocase; http_uri; content:"e="; nocase; http_uri; metadata:service http; reference:url,www.pchell.com/support/funbuddyicons.shtml; classtype:misc-activity; sid:5855; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - pass user information"; flow:to_server,established; content:"/cache/cache.php?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"state="; nocase; http_uri; content:"nat="; nocase; http_uri; content:"User-Agent|3A| Warez Beta Client"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5854; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - download ads"; flow:to_server,established; content:"/?e="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"Host|3A| adserver.warezclient.com"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5853; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - cache.dat request"; flow:to_server,established; content:"/cache/data/cache.dat"; nocase; http_uri; content:"User-Agent|3A| Warez Beta Client"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5852; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - .txt .dat and .lst requests"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"Indy Library"; nocase; http_header; content:"Host|3A| data.warezclient.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5851; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - check update"; flow:to_server,established; content:"/upd/check?"; nocase; http_uri; content:"version="; nocase; http_uri; content:"localeId="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"windowsVersion="; nocase; http_uri; content:"rVersion="; nocase; http_uri; content:"updateValue="; nocase; http_uri; content:"User-Agent|3A| Download Agent"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5850; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - update request"; flow:to_server,established; content:"/updn.php?ver="; nocase; http_uri; content:"Host|3A| data.warezclient.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5849; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - ip.php request"; flow:to_server,established; content:"/cache/ip.php"; nocase; http_uri; content:"User-Agent|3A| Warez Beta Client"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5848; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware warez_p2p runtime detection - p2p client home"; flow:to_server,established; content:"/home.php?"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"co="; nocase; http_uri; content:"NewUser="; nocase; http_uri; content:"info=WDC"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/category_show.php?id=5; classtype:misc-activity; sid:5847; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler VX2/DLmax/BestOffers/Aurora outbound connection"; flow:to_server,established; content:"/a/Drk.syn"; nocase; http_uri; content:"adcontext="; nocase; http_uri; content:"countrycodein="; fast_pattern; nocase; http_uri; content:"lastAdTime="; nocase; http_uri; content:"lastAdCode="; nocase; http_uri; content:"cookie1="; nocase; http_uri; content:"cookie2="; nocase; http_uri; content:"cookie3="; nocase; http_uri; content:"cookie4="; nocase; http_uri; content:"InstID="; nocase; http_uri; content:"status="; nocase; http_uri; content:"smode="; nocase; http_uri; content:"bho="; nocase; http_uri; metadata:service http; reference:url,www.geekstogo.com/forum/Aurora_spyware_Nailexe-t24344.html; reference:url,www.spywareguide.com/product_show.php?id=1646; reference:url,www.spywareguide.com/product_show.php?id=2012; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076992; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453089623; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096297; classtype:misc-activity; sid:5846; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker surfsidekick outbound connection - update request"; flow:to_server,established; content:"/rinfo.htm?"; fast_pattern; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"bundle="; nocase; http_uri; content:"client="; nocase; http_uri; content:"guid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1128; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721; classtype:misc-activity; sid:5845; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker surfsidekick outbound connection - post request"; flow:to_server,established; content:"/requestimpression.aspx?"; nocase; content:"ver="; distance:0; nocase; content:"guid="; distance:0; nocase; content:"host="; distance:0; nocase; content:"Host|3A| ads.surfsidekick.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1128; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721; classtype:misc-activity; sid:5844; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker surfsidekick outbound connection - hijack ie auto search"; flow:to_server,established; content:"/search.aspx?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"client=SSKD"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1128; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721; classtype:misc-activity; sid:5843; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler minibug outbound connection - ads"; flow:to_server,established; content:"/RealMedia/ads/adstream_sx.cgi/www.wbug.com/"; fast_pattern; nocase; http_uri; content:"A1="; nocase; http_uri; content:"A2="; nocase; http_uri; metadata:service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.weatherbug.html; reference:url,www.spywareguide.com/product_show.php?id=2178; classtype:misc-activity; sid:5842; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler minibug outbound connection - retrieve weather information"; flow:to_server,established; content:"/WxDataISAPI/WxDataISAPI.cgi"; fast_pattern; nocase; http_uri; content:"Magic="; nocase; http_uri; content:"RegNum="; nocase; http_uri; content:"ZipCode="; nocase; http_uri; content:"StationID="; nocase; http_uri; content:"Units="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"Fore="; nocase; http_uri; content:"t="; nocase; http_uri; content:"lv="; nocase; http_uri; metadata:service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.weatherbug.html; reference:url,www.spywareguide.com/product_show.php?id=2178; classtype:misc-activity; sid:5841; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker sep outbound connection"; flow:to_server,established; content:"/ad/?"; nocase; http_uri; content:"st="; nocase; http_uri; content:"SE="; nocase; http_uri; content:"SID="; nocase; http_uri; content:"Host|3A| www.searchreslt.com"; fast_pattern:only; metadata:service http; reference:url,process.networktechs.com/sep.dll.php; classtype:misc-activity; sid:5840; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler nictech.bm2 outbound connection"; flow:to_server,established; content:"/cgi-bin/PopupV"; fast_pattern; nocase; http_uri; content:"type="; nocase; http_uri; content:"mSkip="; nocase; http_uri; content:"rnd="; nocase; http_uri; metadata:service http; reference:url,"research.sunbelt-software.com/threat_display.cfm?name=NicTech.BM2&threatid=15195"; classtype:misc-activity; sid:5836; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware gamespy_arcade runtime detection"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"Gamespy Arcade"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1241; classtype:misc-activity; sid:5835; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler clipgenie outbound connection"; flow:to_server,established; content:"/cgi-bin/omnidirect.cgi"; fast_pattern; nocase; http_uri; content:"SID="; nocase; http_uri; content:"PID="; nocase; http_uri; content:"LID="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"PARMR="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=474; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073486; classtype:misc-activity; sid:5829; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcasturban tuner runtime detection - connect to station"; flow:to_server,established; content:"/newsurfer4/"; fast_pattern; nocase; http_uri; content:"brand="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"speed="; nocase; http_uri; content:"title="; nocase; http_uri; content:"artist="; nocase; http_uri; content:"show="; nocase; http_uri; content:"call="; nocase; http_uri; content:"archive="; nocase; http_uri; pcre:"/\x2Fnewsurfer4\x2F[a-zA-Z0-9_-]*\.asp\?brand=/Ui"; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5828; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcasturban tuner runtime detection - get gateway"; flow:to_server,established; content:"/newsurfer4/getgateway.asp?"; fast_pattern; nocase; http_uri; content:"userid="; nocase; http_uri; content:"call="; nocase; http_uri; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5827; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcasturban tuner runtime detection - pass user info to server"; flow:to_server,established; content:"/newsurfer4/"; nocase; http_uri; pcre:"/\x2Fnewsurfer4\x2F((register\.asp)|(survey\.asp\?nUserId=))/Ui"; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5826; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware broadcasturban tuner runtime detection - start tuner"; flow:to_server,established; content:"/newsurfer4/mainplocal.htm?"; fast_pattern; nocase; http_uri; content:"brand="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"call="; nocase; http_uri; content:"speed="; nocase; http_uri; content:"unlock="; nocase; http_uri; content:"archive="; nocase; http_uri; metadata:service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5825; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-ADWARE shop at home select installation in progress - clsid detected"; flow:to_client,established; file_data; content:"C0EF89EE-EEC7-4535-A041-F1EBF79560A7"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0EF89EE-EEC7-4535-A041-F1EBF79560A7/si"; metadata:service http; reference:url,www.nuker.com/container/details/shop_at_home_select.php; classtype:misc-activity; sid:5811; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shop at home select installation in progress"; flow:to_server,established; content:"GRInstallCL.asp"; fast_pattern; nocase; http_uri; content:"E="; nocase; http_uri; content:"MID="; nocase; http_uri; content:"Refer="; nocase; http_uri; content:"WGR="; nocase; http_uri; content:"Prev="; nocase; http_uri; content:"sGUID="; nocase; http_uri; metadata:service http; classtype:misc-activity; sid:5810; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shop at home select merchant redirect in progress"; flow:to_server,established; content:"/frameset3.asp"; fast_pattern; nocase; http_uri; content:"MID="; nocase; http_uri; content:"ruleID="; nocase; http_uri; content:"popupID="; nocase; http_uri; content:"doPopup="; nocase; http_uri; content:"version="; nocase; http_uri; content:"requested="; nocase; http_uri; content:"CustomerID="; nocase; http_uri; content:"owner="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"LastPrefs="; http_uri; content:"GUID="; nocase; http_uri; metadata:service http; classtype:misc-activity; sid:5809; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker shopathomeselect outbound connection"; flow:to_server,established; content:"SAHSelect=GUID="; nocase; content:"CustomerID="; nocase; content:"stealth="; nocase; content:"InstallerLocation="; fast_pattern:only; content:"LastPrefs="; nocase; content:"AgentVersion="; nocase; content:"CTG="; nocase; content:"WSS_GW="; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074921; classtype:misc-activity; sid:5807; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware mydailyhoroscope runtime detection"; flow:to_server,established; content:"/mdh/adcr2.aspx"; fast_pattern; nocase; http_uri; content:"API="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"TZ="; nocase; http_uri; content:"LC="; nocase; http_uri; content:"APL="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1184; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088207; classtype:misc-activity; sid:5798; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware keenvalue runtime detection"; flow:to_server,established; content:"/ping.html"; nocase; http_uri; content:"User-Agent|3A| My AppName"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094138; classtype:misc-activity; sid:5796; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware ist powerscan runtime detection"; flow:to_server,established; content:"adv_id="; nocase; http_uri; content:"campaign="; nocase; http_uri; content:"origin="; nocase; http_uri; content:"program_id="; nocase; http_uri; content:"subprogram_id="; nocase; http_uri; content:"site_id="; nocase; http_uri; content:"ref_url="; nocase; http_uri; content:"Host|3A| www.power-cleaner.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=981; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077266; classtype:misc-activity; sid:5795; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker coolwebsearch.aboutblank variant outbound connection"; flow:to_server,established; content:"/open_console_out.php"; fast_pattern; nocase; http_uri; content:"n="; nocase; http_uri; content:"pin="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; classtype:misc-activity; sid:5794; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Dialer pluginaccess outbound connection - redirect"; flow:to_server,established; content:"/dlrdir.html?"; fast_pattern; nocase; http_uri; content:"DiallerIP="; nocase; http_uri; content:"dialled="; nocase; http_uri; content:"site="; nocase; http_uri; content:"did="; nocase; http_uri; content:"country="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=579; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883; classtype:misc-activity; sid:5793; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Dialer pluginaccess outbound connection - active proxy"; flow:to_server,established; content:"/activeproxy.php?"; fast_pattern; nocase; http_uri; content:"did="; nocase; http_uri; content:"pin="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; content:"resdir="; nocase; http_uri; content:"selectbox="; nocase; http_uri; content:"lmi="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=579; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883; classtype:misc-activity; sid:5792; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Dialer pluginaccess outbound connection - get pin"; flow:to_server,established; content:"/getpin.php?"; fast_pattern; nocase; http_uri; content:"did="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=579; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883; classtype:misc-activity; sid:5791; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hithopper runtime detection - search"; flow:to_server,established; content:"?search="; nocase; http_uri; content:"Host|3A| www.hithopper.com"; fast_pattern:only; pcre:"/\x2Fs(earch)?\x2Ephp3?\x3Fsearch\x3D/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5787; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hithopper runtime detection - redirect"; flow:to_server,established; content:"/redirectf.php3?"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"id="; nocase; http_uri; content:"adid="; nocase; http_uri; content:"search_parsed="; nocase; http_uri; content:"rank="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5786; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware hithopper runtime detection - get xml setting"; flow:to_server,established; content:"/xml/hithopper.xml"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5785; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler grokster outbound connection"; flow:to_server,established; content:"P2P-Agent|3A| Grokster"; fast_pattern:only; metadata:service http; reference:url,www.securemost.com/articles/rm_grokster.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060425; classtype:misc-activity; sid:5776; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker freescratch outbound connection - scratch card"; flow:to_server,established; content:"/scratch.php?uid="; nocase; http_uri; content:"Host|3A| www.freescratchandwin.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=478; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073903; classtype:misc-activity; sid:5775; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware forbes runtime detection"; flow:to_server,established; content:"User-Agent|3A| Dripline"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=556; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075448; classtype:misc-activity; sid:5773; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Screen-Scraper farsighter outbound connection - initial connection"; flow:to_client,established; flowbits:isset,Farsighter; content:"|0B 00 00 00 05 00 00 00|OK|00|"; depth:11; nocase; reference:url,www.spywareguide.com/product_show.php?id=587; classtype:successful-recon-limited; sid:5772; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PUA-ADWARE Screen-Scraper farsighter outbound connection - initial connection"; flow:to_server,established; content:"|00 00 05 00 00 00|"; depth:8; offset:2; nocase; flowbits:set,Farsighter; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=587; classtype:successful-recon-limited; sid:5771; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker begin2search outbound connection - play bingo ads"; flow:to_server,established; content:"/adpage2.asp?sourceid="; nocase; http_uri; content:"Host|3A| www.take5bingo.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5769; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker begin2search outbound connection - pass information"; flow:to_server,established; content:"/client/fcgi/stats-post2.fcgi"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| WebConnLib"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5768; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker begin2search outbound connection - download unauthorized code"; flow:to_server,established; content:".compress"; nocase; http_uri; pcre:"/\x2F(dist|SupportFiles)\x2F[^\r\n]*\.compress/Ui"; content:"User-Agent|3A| NSISDL"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5767; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker begin2search outbound connection - install spyware trafficsector"; flow:to_server,established; content:"/install.php?"; fast_pattern; nocase; http_uri; content:"afid=b2search"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"version="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5766; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker begin2search outbound connection - fcgi query"; flow:to_server,established; content:"/cgi-bin/"; nocase; http_uri; content:".fcgi"; nocase; http_uri; pcre:"/\x2Fcgi-bin\x2F[a-zA-Z0-9_]*\.fcgi/Ui"; content:"Host|3A| begin2search.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5764; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler bearshare outbound connection - chat request"; flow:to_server,established; content:"/chat/chat.php"; nocase; http_uri; content:"nick="; nocase; content:"initchan=BearShare"; distance:0; nocase; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286; classtype:misc-activity; sid:5763; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler bearshare outbound connection - p2p information request"; flow:to_server,established; content:"/gwcache/lynnx.asp?"; fast_pattern; nocase; http_uri; content:"client=BEAR"; nocase; http_uri; content:"version="; nocase; http_uri; content:"urlfile="; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286; classtype:misc-activity; sid:5762; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Trickler bearshare outbound connection - ads popup"; flow:to_server,established; content:"/w/pop.cgi?"; http_uri; content:"sid="; nocase; http_uri; content:"u=http"; nocase; http_uri; content:"bearshare"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286; classtype:misc-activity; sid:5761; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ezcybersearch outbound connection - download fastclick pop-under code"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/b.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fb\.fcgi/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5758; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ezcybersearch outbound connection - add coolsites to ie favorites"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/fav.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Ffav\.fcgi/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5756; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ezcybersearch outbound connection - check update"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/chk.fcgi"; fast_pattern; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fchk\.fcgi/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5755; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker ezcybersearch outbound connection - ie auto search hijack"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/shdoclc.fcgi?"; fast_pattern; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fshdoclc\.fcgi/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5754; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware exactsearch runtime detection - topsearches"; flow:to_server,established; content:"/search.php?Keywords="; fast_pattern; nocase; http_uri; content:"partner=bar"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=475; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519; classtype:misc-activity; sid:5753; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware exactsearch runtime detection - switch search engine 2"; flow:to_server,established; content:"/setup.asp?src=exact&query="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=475; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519; classtype:misc-activity; sid:5752; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware exactsearch runtime detection - switch search engine 1"; flow:to_server,established; content:"/d/search/p/exactad/?Keywords="; fast_pattern; nocase; http_uri; content:"Partners=exactad"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=475; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519; classtype:misc-activity; sid:5751; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adultlinks outbound connection - ads"; flow:to_server,established; content:"/exit/exit.html?act="; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5748; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adultlinks outbound connection - log hits"; flow:to_server,established; content:"/cgi-bin/hits/log.cgi/"; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5747; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adultlinks outbound connection - load url"; flow:to_server,established; content:"/logurl/loadURL/"; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5746; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker adultlinks outbound connection - redirect"; flow:to_server,established; content:"/cgi-bin/lzRedirect.cgi"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"act="; nocase; http_uri; content:"type="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5745; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker actualnames outbound connection - online.php request"; flow:to_server,established; content:"/online.php?"; nocase; http_uri; content:"Host|3A| actualnames.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=608; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074941; classtype:misc-activity; sid:5744; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Hijacker actualnames outbound connection - plugin list"; flow:to_server,established; content:"/gate.php?plugin="; nocase; http_uri; content:"Host|3A| www.actualnames.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=608; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074941; classtype:misc-activity; sid:5743; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware outbound connection - pre install"; flow:to_server,established; content:"/instapi.php?idMk="; http_uri; content:"&state="; distance:0; http_uri; content:"&idTime="; distance:0; http_uri; content:"&idA2="; distance:0; http_uri; content:"&xVal="; distance:0; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27915; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware - post install"; flow:to_server,established; content:"/report.php?key="; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27914; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware - get ads"; flow:to_server,established; content:"/afr.php?zoneid="; http_uri; content:"/ads/ox.html"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27913; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Schmidti outbound communication attempt"; flow:to_server,established; content:"/widgets/l96f428it5mt/"; fast_pattern:only; http_uri; metadata:service http; reference:url,virustotal.com/en/file/6942313D065F503B6654481A329059DDEACEE09FFC30665C32EFFDDB63D52F5F/analysis/; classtype:misc-activity; sid:28140; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Wajam outbound connection - post install"; flow:to_server,established; content:"/img/icons/2040254.32.png"; http_uri; content:"static.updatestar.net"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/30ab3173d48e3c63d89dcd83eca5d0e28d44f76a9acde9c881a1c40d75771d83/analysis/; classtype:trojan-activity; sid:28280; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Wajam outbound connection - post install"; flow:to_server,established; content:"/install/valid?v"; http_uri; content:"&unique_id="; within:15; http_uri; content:"www.wajam.com|0D 0A|"; fast_pattern:only; http_header; content:!"User-Agent|3A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/30ab3173d48e3c63d89dcd83eca5d0e28d44f76a9acde9c881a1c40d75771d83/analysis/; classtype:trojan-activity; sid:28279; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE FakeAV runtime detection"; flow:to_server,established; content:"&affid="; fast_pattern:only; http_uri; content:"/api/"; nocase; http_uri; content:"?ts="; nocase; http_uri; content:"&token="; nocase; http_uri; content:"&group="; nocase; http_uri; content:"&nid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&ver="; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28324; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE UpdateStar encapsulated installer outbound connection"; flow:to_server,established; content:"/UpdateStar/?v="; fast_pattern:only; http_uri; content:"updatestarcdn.com|0D 0A|"; http_header; metadata:policy balanced-ips drop, service http; reference:url,www.virustotal.com/en/file/3218fee67b2ea4d1b20a2d06afae6b74c92219a31375b6e8cd8c754a45b10994/analysis/; classtype:misc-activity; sid:28372; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE UpdateStar CIS file retrieval attempt"; flow:to_server,established; flowbits:isset,file.cis; content:"/ofr/"; nocase; http_uri; content:"updatestarcdn.com|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, service http; reference:url,www.virustotal.com/en/file/3218fee67b2ea4d1b20a2d06afae6b74c92219a31375b6e8cd8c754a45b10994/analysis/; classtype:misc-activity; sid:28371; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE FreePDS installer outbound connection"; flow:to_server,established; content:"/freepds/fileinfo.php?"; fast_pattern:only; http_uri; content:"User-Agent: FreePDS"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/477a9be8e560dc85f3346ad2ee8d271d0c8372cedb2a25e0a4da8fe18b693650/analysis/; classtype:trojan-activity; sid:28531; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Apponic encapsulated installer outbound connection"; flow:to_server,established; content:"/Apponic/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/domain/apponic.com/information/; reference:url,www.virustotal.com/en/file/ecb0151cb71a6e331825235de966e8d6c1f5957e21bbb5f24ab690ab973b5e80/analysis/; classtype:misc-activity; sid:28885; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Apponic encapsulated installer outbound connection"; flow:to_server,established; content:"/?pcrc="; fast_pattern:only; http_uri; content:"&v="; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/domain/apponic.com/information/; reference:url,www.virustotal.com/en/file/ecb0151cb71a6e331825235de966e8d6c1f5957e21bbb5f24ab690ab973b5e80/analysis/; classtype:misc-activity; sid:28884; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Apponic CIS file retrieval attempt"; flow:to_server,established; flowbits:isset,file.cis; content:"/ofr/"; nocase; http_uri; content:".cis"; within:20; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/domain/apponic.com/information/; reference:url,www.virustotal.com/en/file/ecb0151cb71a6e331825235de966e8d6c1f5957e21bbb5f24ab690ab973b5e80/analysis/; classtype:misc-activity; sid:28883; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallBrain software download attempt"; flow:to_server,established; content:"HEAD"; nocase; http_method; content:"/files/products/"; fast_pattern:only; http_uri; pcre:"/^\x2Ffiles\x2Fproducts\x2F\w{1,40}\.(exe|cf)$/Ui"; metadata:service http; reference:url,www.virustotal.com/en/domain/softologicse.com/information/; classtype:misc-activity; sid:28935; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallBrain software download attempt"; flow:to_server,established; content:"HEAD"; nocase; http_method; content:"/files/components/"; fast_pattern:only; http_uri; pcre:"/^\x2Ffiles\x2Fcomponents\x2F\w{1,40}\.(exe|cf)$/Ui"; metadata:service http; reference:url,www.virustotal.com/en/domain/softologicse.com/information/; classtype:misc-activity; sid:28934; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Amonetize installer outbound connection attempt"; flow:to_server,established; content:"/script/display.php"; nocase; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b0288d9d29652597764b1dcc51ac7a2da217ca69dfd10b6ce865ad43337596eb/analysis/; classtype:trojan-activity; sid:28929; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-ADWARE 4Shared Downloader executable file download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 5C 00|4|00|s|00|h|00|a|00|r|00|e|00|d|00 5C 00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|H|00|e|00|l|00|p|00|e|00|r"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/c293e43bbe1a8250742e92fdee422d3c43df0aeaf34e43137f6d6d4f36ef1c41/analysis/; classtype:misc-activity; sid:29501; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE 4Shared Downloader outbound connection attempt"; flow:to_server,established; content:"User-Agent|3A| B1 Tiny Loader/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,virustotal.com/en/file/c293e43bbe1a8250742e92fdee422d3c43df0aeaf34e43137f6d6d4f36ef1c41/analysis/; classtype:misc-activity; sid:29500; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE The Best All Codecs App runtime detection"; flow:to_server,established; content:"/CM/?v=3.0&c="; fast_pattern:only; http_uri; content:"0A0"; depth:3; http_client_body; isdataat:150,relative; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e099a4a8498eec1bd87d691ebac137c5bf2ac6ca1f9c3403c1fcf2ad481aec49/analysis/; classtype:misc-activity; sid:29991; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMonster follow-up outbound connection"; flow:to_server,established; content:"User-Agent|3A|"; http_header; content:"installmonster"; within:300; fast_pattern; nocase; http_header; pcre:"/User-Agent\x3a\s[^\x0d\x0a]*?installmonster/Hi"; metadata:service http; reference:url,www.virustotal.com/en/file/fc37a569c2e6264a4a81b66c3220ffd911bc283b003ae1db25777847a8f6d62c/analysis/; classtype:misc-activity; sid:30238; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMonster initial runtime outbound connection"; flow:to_server,established; urilen:10; content:"/api/index"; http_uri; content:"POST"; nocase; http_method; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/fc37a569c2e6264a4a81b66c3220ffd911bc283b003ae1db25777847a8f6d62c/analysis/; classtype:misc-activity; sid:30237; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.FakeAV variant outbound connection"; flow:to_server,established; content:"/cmd/report.php?"; nocase; http_uri; content:"PartnerId="; distance:0; nocase; http_uri; content:"OfferId="; distance:0; nocase; http_uri; content:"action="; distance:0; nocase; http_uri; content:"program="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/adf2e4e680a4933533436bd7456bee7963eefa1be226112dd529e43c801c3ff9/analysis/; classtype:trojan-activity; sid:30930; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Linkular variant outbound connection"; flow:to_server,established; content:"/api/software/?s="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&output="; distance:0; http_uri; content:"&v="; distance:0; http_uri; content:"&l="; distance:0; http_uri; content:"&np="; distance:0; http_uri; content:"&osv="; distance:0; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/adf2e4e680a4933533436bd7456bee7963eefa1be226112dd529e43c801c3ff9/analysis/; classtype:trojan-activity; sid:30927; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OptimumInstaller variant outbound connection"; flow:to_server,established; content:".exe?mode="; http_uri; content:"&sf="; distance:0; http_uri; content:"&subid="; distance:0; http_uri; content:"&filedescription="; distance:0; http_uri; content:"&adprovider="; distance:0; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2af815929dbf3aa1535c152a0b3c8301d22f6bc9e384b5afa7041a2ddc996c94/analysis/; classtype:policy-violation; sid:31019; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Outbrowse installation attempt"; flow:to_server,established; content:"|2F|Installer|2F|Flow|3F|pubid|3D|"; http_uri; content:"|26|productid|3D|9415"; distance:0; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2e8fb978dff63f255ecd3a1cd4b0280011e769f1eb7769fee91c9668501be15e/analysis/; classtype:policy-violation; sid:31042; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Kdupd variant outbound connection"; flow:to_server,established; content:"/debug_report.php?s="; nocase; http_uri; content:"&os="; distance:0; nocase; http_uri; content:"&v="; distance:0; nocase; http_uri; content:"User-Agent|3A| InetURL/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,virustotal.com/en/file/50466b7394c9aa1986ac751af9bd7c2b3a07d7cafe3bca7f7dc0f73e2f40250a/analysis/; classtype:policy-violation; sid:31052; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.PCSpeedUp variant outbound connection"; flow:to_server,established; content:"&tag="; http_uri; content:"_PCSPEEDUP"; within:14; http_uri; content:"WinHttp.WinHttpRequest.5"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/42B119767E0465F0FCFE5E2DFAD2BAD8EEC882E0295A5580B9080FE5313D73BB/analysis/; classtype:policy-violation; sid:31048; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection"; flow:to_server,established; content:"/RebateInformerSetup.exe"; fast_pattern:only; http_uri; content:"User-Agent|3A| Inno Setup Downloader"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6e598e8ddf7f95542064f41c3a0a4f73b63982948847e40df9dff47186543c46/analysis/; classtype:policy-violation; sid:31091; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.CloseApp variant outbound connection"; flow:to_server,established; content:"/get/?q="; http_uri; content:"User-Agent|3A| win32|0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0ec2938841e77e20c5f967bf9b1d7890e18f156ce481568cfe97677d8755ee5d/analysis/; classtype:trojan-activity; sid:31089; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.iBryte variant outbound connection"; flow:to_server,established; content:"/impression.do/?user_id="; http_uri; content:"&event="; distance:0; http_uri; content:"&spsource="; distance:0; http_uri; content:"&implementation_id="; distance:0; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/file/c3339ce316926de4d79a7d8ca7f7e26eb33c80b8f4d5de81659d14875403e031/analysis/; classtype:trojan-activity; sid:31146; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallRex bundled installer outbound activity"; flow:to_server,established; urilen:>400; content:"step_id="; fast_pattern:only; http_uri; content:"installer_id="; nocase; http_uri; content:"publisher_id="; within:35; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/80129484d40c28f66426247b74f1a2c92d93ac2d9a08709a4da712e34d6605af/analysis/; classtype:misc-activity; sid:31167; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallRex bundled installer outbound activity"; flow:to_server,established; urilen:>14; content:"report_version="; fast_pattern:only; http_uri; content:"User-Agent: TixDll"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/80129484d40c28f66426247b74f1a2c92d93ac2d9a08709a4da712e34d6605af/analysis/; classtype:misc-activity; sid:31166; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Ticno Multibar installation attempt"; flow:to_server,established; content:"Host: static.install.ticno.com"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b3f928b4be1ff7454d19f357b3e9d2926d0a8607dffeb3bab124208c9e59554b/analysis/; classtype:trojan-activity; sid:31313; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vsearch installer request"; flow:to_server,established; content:"/static/get-js?dc_id="; fast_pattern:only; http_uri; content:"&sub_id"; http_uri; metadata:service http; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:misc-activity; sid:32120; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vsearch installer User-Agent"; flow:to_server,established; content:"User-Agent: VSInstaller/1 CFNetwork/"; fast_pattern:only; http_header; metadata:service http; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:misc-activity; sid:32119; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MplayerX malvertising connectivity check"; flow:to_server,established; content:"User-Agent: Lavf/5"; fast_pattern:only; http_header; metadata:service http; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:misc-activity; sid:32118; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MplayerX malvertising browser hijacker"; flow:to_server,established; content:"mac-products/MplayerX.tgz"; fast_pattern:only; http_uri; metadata:service http; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:misc-activity; sid:32117; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Nosibay Bubble Dock freeware auto update outbound connection"; flow:to_server,established; content:"bootstrap/update.php"; fast_pattern:only; http_uri; content:"User-Agent: NSIS_Inetc"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b58fb2ae8307a93da6abca9c96fcde91a1cfb6bacaf56adc110bd8ca1842b1e4/analysis/; classtype:misc-activity; sid:32339; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-ADWARE SoftPulse variant HTTP response attempt"; flow:to_client,established; file_data; content:",|22|installerBehavior|22|:{|22|hideOnInstall|22|:"; fast_pattern:only; content:"{|22|time|22|:"; content:"|22|country|22|"; within:30; content:",|22|countryId|22|:"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/7aa774bffa2eb38c691774c1cc59e0adf6186da62afc417baa6333670e1e3011/analysis/1421687954/; classtype:trojan-activity; sid:33212; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.iBryte variant outbound connection"; flow:to_server,established; content:"/impression.do/?event="; fast_pattern:only; content:"User-Agent: download manager"; http_header; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4799117bbb82df3bee7babb09dca80c3d77899046f89660e25567c3fd18b8092/analysis/; classtype:trojan-activity; sid:33280; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Gamevance variant outbound connection"; flow:to_server,established; content:"/aj/"; fast_pattern; http_uri; content:".php?p="; distance:0; http_uri; content:!"Referer|3A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c626804d99195bb0c74e276c49ad48278c8f3723180323c767c60cc8c9f43f7d/analysis/; classtype:trojan-activity; sid:33304; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OptimizerPro variant outbound connection"; flow:to_server,established; content:"/op?sid="; http_uri; content:"&dt="; distance:0; http_uri; content:"&gid="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b0d4c2769dd0841b95b4bbd9f0cc8e36f8aaaf5fbba056a429b402903bc50740/analysis/; classtype:trojan-activity; sid:33311; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MediaBuzz malvertising browser redirect attempt"; flow:to_server,established; content:"/sync"; depth:5; http_uri; content:"/?q=hfZ"; within:8; http_uri; metadata:service http; reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; classtype:misc-activity; sid:33532; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MediaBuzz malvertising browser redirect attempt"; flow:to_server,established; content:"/amz/a"; depth:6; http_uri; content:".js"; distance:0; http_uri; pcre:"/^\/amz\/a[a-zA-Z0-9]+?\.js$/U"; metadata:service http; reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; classtype:misc-activity; sid:33531; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.InstallMonster variant outbound connection"; flow:to_server,established; urilen:4,norm; content:"POST"; http_method; content:"/api"; http_uri; content:"Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; fast_pattern:only; http_header; content:!"Referer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3069db86885e209e72f4df275dbe34d3ba893ca1a490f121067bfde8d4ec46f9/analysis/; classtype:trojan-activity; sid:33483; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.DownloadGuide variant outbound connection"; flow:to_server,established; content:"/1/dg/3"; fast_pattern:only; http_uri; content:"|22|BuildId|22 3A|"; http_client_body; content:"|22|ProductShown|22|"; http_client_body; content:"|22|TrackBackUrl|22|"; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/0a6335e90bb9e3b5c9551c867b04e71e315734eff2a74d3b37c90c460c5df761/analysis/; classtype:trojan-activity; sid:33480; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.iBryte variant outbound connection"; flow:to_server,established; urilen:>55; content:"/impression.do/?event="; fast_pattern:only; http_uri; content:"&user_id="; nocase; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4799117bbb82df3bee7babb09dca80c3d77899046f89660e25567c3fd18b8092/analysis/; classtype:trojan-activity; sid:33553; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperFish adware outbound connection attempt"; flow:to_server,established; content:"/set.php?ID="; fast_pattern:only; http_uri; content:"&Action=1"; http_uri; metadata:service http; reference:url,www.us-cert.gov/ncas/alerts/TA15-051A; classtype:policy-violation; sid:33580; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperFish adware outbound connection attempt"; flow:to_server,established; content:"/set.php?ID="; fast_pattern:only; http_uri; content:"&Action=3"; http_uri; metadata:service http; reference:url,www.us-cert.gov/ncas/alerts/TA15-051A; classtype:policy-violation; sid:33645; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection"; flow:to_server,established; content:"/ping.ashx?action="; fast_pattern:only; http_uri; content:"&usid="; http_uri; content:"&aff="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity; sid:33816; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection"; flow:to_server,established; content:"/install.ashx?id="; fast_pattern:only; http_uri; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity; sid:33815; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:" in my heart of heart.|0D 0A|"; within:150; fast_pattern; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:33835; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:" Pi/3.1415926|0D 0A|"; within:150; fast_pattern; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:33834; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla"; http_header; content:" Loader|0D 0A|"; within:150; fast_pattern; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:33833; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vitruvian outbound connection"; flow:to_server,established; content:"/inst?"; http_uri; content:"sid="; http_uri; content:"&st="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34127; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vitruvian outbound connection"; flow:to_server,established; content:"/inst?"; http_uri; content:"hid="; http_uri; content:"&sid="; distance:0; http_uri; content:"&tr="; distance:0; http_uri; content:"&a="; distance:0; http_uri; content:"&adm="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34126; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent Vitruvian"; flow:to_server,established; content:"User-Agent|3A 20|Vitruvian"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34125; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix reporting fetch offers stage status"; flow:to_server,established; content:"/report.php?"; http_uri; content:"download_id="; distance:0; http_uri; content:"&mode="; distance:0; http_uri; content:"&combo_id="; distance:0; http_uri; content:"&os_name="; distance:0; http_uri; content:"&os_add="; distance:0; http_uri; content:"&os_build="; distance:0; http_uri; content:"&proj_id="; distance:0; http_uri; content:"&offer_id="; distance:0; http_uri; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34122; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix reporting binary installation stage status"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|event_type|22|"; offset:1; http_client_body; content:"|22|environment|22|"; distance:0; http_client_body; content:"|22|machine_ID|22|"; distance:0; http_client_body; content:"|22|result|22|"; distance:0; http_client_body; content:"|22|failure_reason|22|"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34121; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix fetch offers stage outbound connection"; flow:to_server,established; content:"/installer_gate_client.php?"; fast_pattern:only; http_uri; content:"download_id="; http_uri; content:"&mode=getcombo"; distance:0; http_uri; content:"&offers="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34120; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix precheck stage outbound connection"; flow:to_server,established; content:"/installer_gate_client.php?"; fast_pattern:only; http_uri; content:"download_id="; http_uri; content:"&mode=prechecking"; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34119; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer geolocation request"; flow:to_server,established; content:"/ip/?client=sp"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34146; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer encrypted data transmission"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|encryptedKey|22|"; depth:20; offset:1; http_client_body; content:"|22|encryptedData|22|"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34145; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer installation status"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|event_type|22|"; depth:15; offset:1; http_client_body; content:"|22|installation_session_id|22|"; within:100; http_client_body; content:"|22|environment|22|"; distance:0; http_client_body; content:"|22|command_line|22|"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34144; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SearchProtect user-agent detection"; flow:to_server,established; content:"User-Agent|3A 20|SearchProtect|3B|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/cbddccb934d302497ac60f924088034a1852c378cc51df20c2e53b401ffc4651/analysis/; classtype:misc-activity; sid:34137; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Eorezo get advertisement"; flow:to_server,established; content:"/cgi-bin/advert/getads.cgi?"; http_uri; content:"did="; distance:0; http_uri; content:"User-Agent|3A 20|mpck_"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a31d47e5d6885c32cad2fb5799033982e7f9d070ed350cd2025dd8594d067651/analysis/1426449407/; classtype:misc-activity; sid:34237; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Eorezo outbound connection"; flow:to_server,established; urilen:30<>65; content:"/atJs/v"; fast_pattern; http_uri; content:"/Client/"; within:8; distance:1; http_uri; content:!"Accept"; http_header; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a31d47e5d6885c32cad2fb5799033982e7f9d070ed350cd2025dd8594d067651/analysis/1426449407/; classtype:misc-activity; sid:34236; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE PullUpdate installer outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header; content:"/advert/"; nocase; http_uri; content:"x_mode="; distance:0; nocase; http_uri; content:"x_format="; distance:0; nocase; http_uri; content:"x_dp_id="; distance:0; nocase; http_uri; content:"x_pub_id="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/0ea62d52d9206b4eac4e713064afea8db5354441c669e9418d16753a93376b7f/analysis/; classtype:misc-activity; sid:34927; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Sendori user-agent detection"; flow:to_server,established; content:"User-Agent|3A 20|Sendori-Client-Win32"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/26ee215c531b6c50d28ef9b9a48db05b08139e460b997167de1813484beb7a9e/analysis/; classtype:misc-activity; sid:34964; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE DealPly Adware variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/?pcrc="; depth:7; fast_pattern; http_uri; content:"&v="; http_uri; content:!"Referer|3A 20|"; http_header; pcre:"/^\/\?pcrc=\d+&v=[\d\.]{3}$/U"; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/88ca52405945ff5e7bf3ab21bfc8be9e9518d4a2a2e08f0fc666092ef838af85/analysis/; classtype:misc-activity; sid:36825; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Genieo Adware framework User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/5.0 (compatible|3B| Genieo"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/30f42d7f42cfdecef88f35f6e7a95e558120de4fc8dc0e1d09018abdb7263310/analysis/; classtype:trojan-activity; sid:37621; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Genieo Adware framework variant outbound connection"; flow:to_server,established; content:"/track?uid="; fast_pattern:only; http_uri; content:"&partner="; depth:75; offset:11; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/30f42d7f42cfdecef88f35f6e7a95e558120de4fc8dc0e1d09018abdb7263310/analysis/; classtype:trojan-activity; sid:37620; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Dealply outbound POST attempt"; flow:to_server,established; content:"POST"; http_method; content:"/?v="; depth:4; fast_pattern; http_uri; content:"&pcrc="; http_uri; content:!"Referer|3A 20|"; http_header; content:!"Accept-"; http_header; pcre:"/^\/\?v=[\d.]+&pcrc=\d+$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fdb0a6182a3fd6cc96a3b5aea946bd22c6e73e8b264200ef6f78d4bfb4fa5e3c/analysis/1454336512/; classtype:misc-activity; sid:37642; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; content:"/info.php?"; http_uri; content:"quant="; fast_pattern:only; content:"f="; http_uri; content:"h="; http_uri; content:"size="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38953; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; content:"/optin.php?"; fast_pattern:only; http_uri; content:"f="; content:"quant="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38952; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; content:"/installer.php?"; http_uri; content:"CODE="; fast_pattern:only; content:"UID="; http_uri; content:"action="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38951; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt"; flow:to_server,established; content:"source="; http_uri; content:"uid="; http_uri; content:"uc="; http_uri; content:"ap="; http_uri; content:"i_id="; http_uri; metadata:service http; reference:url,virustotal.com/en/file/7a6c52c189e19f6888465cdddb8a6efdda2c5fdfa0648c65e50626843c745e6f/analysis/1467389266/; classtype:misc-activity; sid:39443; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Antivirus Container.exe referral link attempt"; flow:to_server,established; content:"click-7147843-"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/7f895ed556eda3186b3632c34e7e26302eada5bdc83fe3aba80942fe089cd7e8/analysis/1468260333/; classtype:misc-activity; sid:39587; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Antivirus Container.exe referral link attempt"; flow:to_server,established; content:"image-7147843-"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/7f895ed556eda3186b3632c34e7e26302eada5bdc83fe3aba80942fe089cd7e8/analysis/1468260333/; classtype:misc-activity; sid:39586; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Mizenota outbound connection"; flow:to_server,established; content:"Net1.1="; depth:7; http_client_body; content:"&Net2="; distance:0; http_client_body; content:"&OSversion="; distance:0; http_client_body; content:"browser="; distance:0; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/0B4275FA994A3DD8A534705910EAAF672B4C9D899A5942136BFCD4D11D26C77A/analysis/; classtype:trojan-activity; sid:39633; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.EoRezo outbound ad download attempt"; flow:to_server,established; content:"/cgi-bin/advert/getads?did="; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/a8901a8e2523fdb4c08fb71c0cefe0069532ae9a73209ec732f11724b263bad4/analysis/1469031009/; classtype:trojan-activity; sid:39682; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.StartPage variant outbound connection"; flow:to_server,established; content:"/Userclass"; fast_pattern:only; http_uri; urilen:10; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; content:!"Accept"; nocase; http_header; metadata:service http; reference:url,virustotal.com/en/file/cd1770d4789eb7ec603a25262ab4f70579c881a01e499bcf6ca46738b1926b71/analysis/1469030157/; classtype:misc-activity; sid:39741; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Dowadmin.Adware outbound connection detected"; flow:to_server,established; content:"/install"; fast_pattern:only; http_uri; content:"bc="; nocase; http_uri; content:"brand="; nocase; http_uri; content:"osName="; nocase; http_uri; content:"browserName="; nocase; http_uri; content:"productKey="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/07D874DB9DE82C1F67D8C83413653304883A72BB82B5F2A16E266F6E99C7D3A2/analysis/; classtype:trojan-activity; sid:39787; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Dowadmin.Adware outbound connection detected"; flow:to_server,established; content:"/products/BM2/"; fast_pattern:only; http_uri; content:".mht"; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/07D874DB9DE82C1F67D8C83413653304883A72BB82B5F2A16E266F6E99C7D3A2/analysis/; classtype:trojan-activity; sid:39786; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab outbound connection detected"; flow:to_server,established; content:"/api/offer-status"; fast_pattern:only; http_uri; content:"offer_id="; nocase; http_client_body; content:"offer_status="; nocase; http_client_body; content:"uuid="; nocase; http_client_body; content:"user_hash="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:39902; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab outbound connection detected"; flow:to_server,established; content:"/index.php/api/updater-status"; fast_pattern:only; http_uri; content:"uuid="; nocase; http_client_body; content:"nuuid="; nocase; http_client_body; content:"version="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:39901; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab outbound connection detected"; flow:to_server,established; content:"/api/install-status"; fast_pattern:only; http_uri; content:"uuid="; nocase; http_client_body; content:"user_os="; nocase; http_client_body; content:"nuuid="; nocase; http_client_body; content:"user_hash="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:39900; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab outbound connection detected"; flow:to_server,established; content:"/api/get-configs"; fast_pattern:only; http_uri; content:"uuid="; nocase; http_client_body; content:"user_os="; nocase; http_client_body; content:"proc="; nocase; http_client_body; content:"nuuid="; nocase; http_client_body; content:"user_hash="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:39899; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Dorv Adware variant outbound connection"; flow:to_server,established; content:"/ToDownload/"; fast_pattern:only; http_uri; content:"v="; nocase; http_uri; content:"c="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/30C16AA86B92548C125D3ECD9853553F559DDCEF21E62927C88C4BE05175C3EE/analysis/; classtype:trojan-activity; sid:39888; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Google Chrome Google Contacts extension adware"; flow:established,to_server; content:"page?url="; fast_pattern; http_uri; content:"user"; http_uri; content:"iframe="; http_uri; content:!"Referer|3A|"; http_header; metadata:service http; reference:url,virustotal.com/en/file/8f43f60ffd98b58bae5d5d9c7aeb39c919ec38abaeebd70406304a3cb5cd0196/analysis/1472668142/; classtype:trojan-activity; sid:40037; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.EoRezo outbound connection"; flow:to_server,established; content:"/cgi-bin/advert/settags?x_mode="; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/5ba07b1d512f166392bc4b20c5ce27d3f3b6a816e2382b16ad472f105cc61c50/analysis/1473341832/; classtype:misc-activity; sid:40211; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.SupTab external connection attempt"; flow:to_server,established; content:"/v4/"; depth:4; http_uri; content:"?action"; distance:0; http_uri; content:"&update"; distance:0; http_uri; content:","; within:20; http_uri; metadata:service http; reference:url,virustotal.com/en/file/2b6c33611cd7e9533fda4c07d2368717b83f77ee6c2222c2d1430f6f930d9b43/analysis/; classtype:misc-activity; sid:40305; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Downloader.OpenCandy variant outbound connection"; flow:to_server,established; content:"/ie-error.gif"; fast_pattern:only; http_uri; content:"action="; nocase; http_uri; content:"installtime="; nocase; http_uri; content:"os="; nocase; http_uri; content:"browserver="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/0a17096248c88195941c1680d3e2f396ed4434dc23aa5a6e598b4b0949031884/analysis/; classtype:misc-activity; sid:40457; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.DownloadManager outbound connection"; flow:to_server,established; urilen:16; content:"/taveara?q=setup"; fast_pattern:only; http_uri; metadata:service http; reference:url,virustotal.com/en/file/25ad7de5e24d03faca9f242976a04141a0a906215868311bfbfdca851bbce6fc/analysis/; classtype:misc-activity; sid:40492; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt"; flow:to_server,established; content:"stats/getMlOffer"; fast_pattern:only; http_uri; content:"nk="; nocase; http_client_body; content:"data="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/672bac1a0dbd10b6904bf2801a3bc329588fddee4b8ed81fffa8aacb5d15efbd/analysis/; classtype:misc-activity; sid:40532; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt"; flow:to_server,established; content:"/stats/initDebug"; fast_pattern:only; http_uri; content:"nk="; nocase; http_client_body; content:"data="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/672bac1a0dbd10b6904bf2801a3bc329588fddee4b8ed81fffa8aacb5d15efbd/analysis/; classtype:misc-activity; sid:40531; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt"; flow:to_server,established; content:"/stats/initialize"; fast_pattern:only; http_uri; content:"nk="; nocase; http_client_body; content:"data="; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/672bac1a0dbd10b6904bf2801a3bc329588fddee4b8ed81fffa8aacb5d15efbd/analysis/; classtype:misc-activity; sid:40530; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt"; flow:to_server,established; content:"/stats/startDebug"; fast_pattern:only; http_uri; content:"|22|ui_loaded|22|:"; nocase; http_client_body; content:"|22|is_admin|22|:"; nocase; http_client_body; content:"|22|session_id|22|:"; nocase; http_client_body; content:"|22|js_enabled|22|:"; nocase; http_client_body; metadata:service http; reference:url,virustotal.com/en/file/672bac1a0dbd10b6904bf2801a3bc329588fddee4b8ed81fffa8aacb5d15efbd/analysis/; classtype:misc-activity; sid:40529; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt"; flow:to_server,established; content:"/ping2.asp"; fast_pattern:only; http_uri; content:"uid="; http_uri; content:"tuid="; http_uri; content:"sref="; http_uri; content:"gid="; http_uri; content:"bundles="; http_uri; content:"fmrp="; http_uri; content:"avdt="; http_uri; content:"grid="; http_uri; content:"tba="; http_uri; content:"yodt="; http_uri; content:"cnt="; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/1168499c5d2b5cb7762cd8ec5ab8899bb9b0993459a2fe0540b1f638271bbddb/analysis/1476294711/; classtype:trojan-activity; sid:40595; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt"; flow:to_server,established; content:"/country.asp"; fast_pattern:only; http_uri; content:"st="; http_uri; content:"uid="; http_uri; content:"tuid="; http_uri; content:"sref="; http_uri; content:"vmdt="; http_uri; content:"bld="; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/1168499c5d2b5cb7762cd8ec5ab8899bb9b0993459a2fe0540b1f638271bbddb/analysis/1476294711/; classtype:trojan-activity; sid:40594; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt"; flow:to_server,established; content:"/ping.php?"; fast_pattern:only; http_uri; content:"partner="; http_uri; content:"product="; http_uri; content:"build="; http_uri; metadata:service http; reference:url,www.virustotal.com/intelligence/search/?query=1168499c5d2b5cb7762cd8ec5ab8899bb9b0993459a2fe0540b1f638271bbddb; classtype:trojan-activity; sid:40593; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Trojan.Miuref variant outbound connection"; flow:to_server,established; content:"pid="; nocase; http_uri; content:"tid="; nocase; http_uri; content:"status="; nocase; http_uri; content:"subid="; fast_pattern:only; http_uri; content:"v="; nocase; http_uri; metadata:policy security-ips drop, service http; reference:url,virustotal.com/en/file/fb0db4bcf2ea296937f9eb2dbbd3fa433b3200703a6b74336c3a99f15bf4d406/analysis/; classtype:misc-activity; sid:40772; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MindSpark framework installer attempt"; flow:to_server,established; content:"User-Agent|3A 20|Mindspark MIP "; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9f2cc1688bee96849ced91ade04d4d51e6fd18fa47ab1dc2c12a029aa672f7ce/analysis/; classtype:trojan-activity; sid:40827; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Sokuxuan outbound connection attempt"; flow:to_server,established; content:"/UpgSvr/"; fast_pattern:only; http_uri; content:".xml"; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:trojan-activity; sid:40839; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Xiazai variant outbound connection"; flow:to_server,established; content:"/xml/LinkConfig"; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/en/file/E9FFDB0EA3D9CD388C39330065E2E368231E633EADA0AD358BCB3B5D598ED180/analysis/; classtype:misc-activity; sid:41664; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Hotbar variant outbound connection"; flow:to_server,established; content:"/InstallUI/AppBundlerIndirect_FMF/222/index.htm"; fast_pattern:only; http_uri; content:"rnd="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/a470b81dfa1dc57bdccc293ec4a61b08c16d561bbc8686700ff9d7c1964212ca/analysis/; classtype:misc-activity; sid:43219; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Hotbar variant outbound connection"; flow:to_server,established; content:"/trackedevent.aspx"; fast_pattern:only; http_uri; content:"rnd="; nocase; http_uri; content:"ver="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/a470b81dfa1dc57bdccc293ec4a61b08c16d561bbc8686700ff9d7c1964212ca/analysis/; classtype:misc-activity; sid:43218; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE DealPly Adware variant outbound connection"; flow:to_server,established; content:"|00 08 DC 33 45 AB 51 29 5F 6C 14 79 12 D7 0F 4B|"; fast_pattern:only; http_client_body; content:"Accept|3A| */*"; http_header; content:"Cache-Control|3A| no-cache|0D 0A 0D 0A|"; http_header; content:!"Referer|3A|"; http_header; metadata:service http; reference:url,virustotal.com/#/file/1c77a8af5a93f14172518a130b1c00cdf0abecb546594edbcae80564124060d0/detection; classtype:misc-activity; sid:44358; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected"; flow:to_server,established; content:"/index.php/api/heartbeat"; fast_pattern:only; http_uri; content:"user_os="; nocase; http_client_body; content:"hdd_serial="; nocase; http_client_body; content:"win_uuid="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:44395; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected"; flow:to_server,established; content:"/index.php/api/update"; fast_pattern:only; http_uri; content:"uuid="; nocase; http_client_body; content:"version="; nocase; http_client_body; content:"channel="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/18DDB52EA6E7C93C6B480E4EE0A90512B86FE530F4907424A2C9EE7921D21D56/analysis/; classtype:misc-activity; sid:44394; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OutBrowse variant outbound connection detected"; flow:to_server,established; content:"/Installer/Flow"; fast_pattern:only; http_uri; content:"campaignid="; nocase; http_uri; content:"macaddress="; nocase; http_uri; content:"machineguid="; nocase; http_uri; content:"downloadip="; nocase; http_uri; metadata:service http; reference:url,virustotal.com/en/file/F4BAD73F372654826AF7042072C6D3F2DA3C52C42756A7CA5667817B83656303 /analysis/; classtype:misc-activity; sid:44476; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Clover outbound connection"; flow:to_server,established; content:"/install/clover/"; fast_pattern:only; http_uri; content:".dat"; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/ca94b5ba198febac27f3212104110e4f23468f84e9a51664705187be2a1c85f8/analysis/; classtype:misc-activity; sid:44691; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected"; flow:to_server,established; urilen:>1000; content:"/click?h="; fast_pattern:only; http_uri; content:"subid="; http_uri; content:"data_fb="; http_uri; content:"data_rtt="; http_uri; content:"data_proto="; http_uri; content:"data_ic="; http_uri; content:"data_ss="; http_uri; metadata:policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:45398; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected"; flow:to_server,established; content:"/report/?application="; fast_pattern:only; http_uri; content:"guid="; http_uri; content:"details="; http_uri; content:"action="; http_uri; metadata:policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:45397; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Mughthesec outbound connection attempt"; flow:to_server,established; content:"/screens/"; fast_pattern; http_uri; content:"/"; within:1; distance:8; http_uri; content:"=="; within:2; distance:6; http_uri; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x20.html; classtype:trojan-activity; sid:45545; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Slimware Utilities variant outbound connection"; flow:to_server,established; urilen:>200; content:"/ulc.php?ev="; nocase; http_uri; content:"User-Agent: SLIMHTTP/1.1"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4074d4ba6c319a407539a5e1cb5d0461c6c266636c5099ad49e1042aab91574f/analysis/; classtype:trojan-activity; sid:46486; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Pua.Softonic installer variant outbound connection"; flow:to_server,established; content:"/universaldownloader-prefetch"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/d1e6f7651d6dff96c8c7aa15d68b370fe44384d5fd364f94de62c5e7bf7aab1f/detection; classtype:trojan-activity; sid:46874; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OneSystemCare download attempt"; flow:to_server,established; content:"/331003290/OneSystemCare.exe"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/536148b202ddf00bf76f28bea53399ac16764de8628c71209ea22f5aa31a9681; classtype:trojan-activity; sid:48078; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Wajam variant outbound connection"; flow:to_server,established; content:"/addon/mapping"; fast_pattern:only; http_uri; content:"os_mj="; http_uri; content:"os_bitness="; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/155c30dc0cf262a5222e443f79c26c37ba05035e3a304048f492b10a89fbba61; classtype:trojan-activity; sid:48077; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Wajam variant outbound connection"; flow:to_server,established; content:"Log?"; fast_pattern:only; http_uri; content:"unique_id="; http_uri; content:"affiliate_id="; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/155c30dc0cf262a5222e443f79c26c37ba05035e3a304048f492b10a89fbba61; classtype:trojan-activity; sid:48076; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Magic Downloader BHO variant outbound connection"; flow:to_server,established; content:"/reg_install.php?"; fast_pattern:only; http_uri; content:"param="; nocase; http_uri; content:"aid="; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/32f7e804e233ffea61382a461d50f02d6f3e20a008d099add588b48c99d7cdb3/detection; classtype:trojan-activity; sid:47536; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Magic Downloader BHO variant outbound connection"; flow:to_server,established; content:"/reg_accept.php?"; fast_pattern:only; http_uri; content:"param="; nocase; http_uri; content:"aid="; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/32f7e804e233ffea61382a461d50f02d6f3e20a008d099add588b48c99d7cdb3/detection; classtype:trojan-activity; sid:47535; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Slimware Utilities variant outbound connection"; flow:to_server,established; content:"/installer/init_v"; fast_pattern:only; http_uri; content:"attributes"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4074d4ba6c319a407539a5e1cb5d0461c6c266636c5099ad49e1042aab91574f/analysis/; classtype:trojan-activity; sid:47418; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Slimware Utilities variant outbound connection"; flow:to_server,established; content:"/api/flow/action"; fast_pattern:only; http_uri; content:"session_id="; nocase; http_client_body; content:"action"; nocase; http_client_body; content:"attributes"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4074d4ba6c319a407539a5e1cb5d0461c6c266636c5099ad49e1042aab91574f/analysis/; classtype:trojan-activity; sid:47417; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; content:"/installended"; fast_pattern:only; http_uri; content:"de="; nocase; http_uri; content:"_v="; nocase; http_uri; content:"_s="; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47095; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; content:"/collect.php"; fast_pattern:only; http_uri; content:"pid="; http_uri; content:"cid="; http_uri; content:"sid="; http_uri; content:"act="; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47094; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; content:"/installstarted"; fast_pattern:only; http_uri; content:"de="; nocase; http_uri; content:"_v="; nocase; http_uri; content:"_s="; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47093; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected"; flow:to_server,established; content:"User-Agent: macsearch/1 CFNetwork/"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/f54bb130f750f77546aebf690ba4b89f0ddb3c27a5e297383d0a30bcaa5f9cb4; classtype:trojan-activity; sid:49044; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected"; flow:to_server,established; content:"User-Agent: LinqurySearch"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/850b4f620e874ed6117c7e1d15dd1c502d7e38cd4dd872753d502f39e3a5c8d8; classtype:trojan-activity; sid:49043; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected"; flow:to_server,established; content:"User-Agent: SpellingChecker/22"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/a9a7a1c48cd1232249336749f4252c845ce68fd9e7da85b6da6ccbcdc21bcf66; classtype:trojan-activity; sid:49042; rev:1;)


@@ -0,0 +1,69 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# PUA-OTHER RULES
#-----------------
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER XMRig cryptocurrency mining pool connection attempt"; flow:to_server,established; content:"|22|method|22|"; nocase; content:"|22|agent|22|"; nocase; content:"|22|XMRig"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,github.com/xmrig/xmrig; classtype:policy-violation; sid:45549; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8333 (msg:"PUA-OTHER Bitcoin outbound request attempt"; flow:established,to_server; content:"|F9 BE B4 D9|"; depth:4; reference:url,bitcoin.org/en/; classtype:policy-violation; sid:26438; rev:1;)
# alert tcp $EXTERNAL_NET 8333 -> $HOME_NET any (msg:"PUA-OTHER Bitcoin inbound response attempt"; flow:established,to_client; content:"|F9 BE B4 D9|"; depth:4; reference:url,bitcoin.org/en/; classtype:policy-violation; sid:26437; rev:1;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"PUA-OTHER Yahoo Messenger iframe injection status change attempt"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"SetCustomStatus"; fast_pattern:only; content:"265|C0 80|"; pcre:"/265\xC0\x80[^\xC0]*\x22[^\xC0]*SetCustomStatus/i"; reference:url,www.malwarecity.com/blog/new-yahoo-messenger-0-day-exploit-hijacks-users-status-update-1229.html; classtype:web-application-activity; sid:20655; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-OTHER Skype URI handler input validation exploit attempt"; flow:to_client,established; file_data; content:"skype|3A|"; nocase; pcre:"/\x3Ca\s+[^\x3E]*href\s*\x3D\s*(\x22|\x27)?skype\x3A[^\s\x3E]*[\x01-\x07]/i"; metadata:service http; reference:bugtraq,38699; reference:url,security-assessment.com/files/advisories/Skype_URI_Handling_Vulnerability.pdf; classtype:misc-attack; sid:16718; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-OTHER mIRC IRC URL buffer overflow attempt"; flow:to_client,established; file_data; content:"src='irc|3A|//"; pcre:"/^\S{999}/R"; metadata:service http; reference:bugtraq,8819; reference:cve,2003-1336; classtype:attempted-user; sid:16579; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server serverdown Authentication bypass attempt"; flow:to_server,established; content:"error-serverdown.jsp"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2Ferror-serverdown\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15156; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server png Authentication bypass attempt"; flow:to_server,established; content:"|2F|.png"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2F\x2Epng.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15155; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server gif Authentication bypass attempt"; flow:to_server,established; content:"|2F|.gif"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2F\x2Egif.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15154; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt"; flow:to_server,established; content:"setup/index.jsp"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2Fsetup\x2F\index\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15152; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server logout Authentication bypass attempt"; flow:to_server,established; content:"index.jsp?logout=true"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2Findex\x2Ejsp\x3Flogout\x3Dtrue.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15151; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server login Authentication bypass attempt"; flow:to_server,established; content:"login.jsp"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2Flogin\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15150; rev:6;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"PUA-OTHER Microsoft MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; metadata:ruleset community; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3130; rev:8;)
# alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_client,established; content:"Invalid login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"PUA-OTHER PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; metadata:ruleset community; classtype:attempted-admin; sid:507; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-OTHER Request for known malware domain pierrejb.agora.eu.org"; flow:to_server,established; content:"Host|3A| pierrejb.agora.eu.org"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32578; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5004:65535 (msg:"PUA-OTHER Microsoft MSN Messenger and Windows Live Messenger Code Execution attempt"; flow:to_server; content:"|0E 58|"; depth:2; content:"connected"; within:9; distance:7; flowbits:set,messenger; flowbits:noalert; metadata:policy max-detect-ips drop; reference:bugtraq,25461; reference:cve,2007-2931; classtype:attempted-user; sid:20554; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5004:65535 (msg:"PUA-OTHER Microsoft MSN Messenger and Windows Live Messenger Code Execution attempt"; flow:to_server; flowbits:isset,messenger; content:"|F3 49|"; depth:2; byte_test:1,>,130,5,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,25461; reference:cve,2007-2931; classtype:attempted-user; sid:17551; rev:11;)
# alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"PUA-OTHER AOL GAIM AIM-ICQ Protocol Handling buffer overflow attempt"; flow:to_client,established; content:"|2A 02|"; depth:2; content:"|00 02 00 06|"; within:4; distance:4; byte_jump:1,6,relative; content:"|00 03|"; distance:4; content:"text"; within:4; distance:2; content:"|00 04|"; distance:4; byte_test:2,>,0x0100,0,relative; pcre:"/(\x25(n|t|d)\x20){85}/sm"; metadata:policy max-detect-ips drop; reference:bugtraq,14531; reference:cve,2005-2103; classtype:attempted-user; sid:17357; rev:9;)
# alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"PUA-OTHER mIRC PRIVMSG message processing overflow attempt"; flow:to_client,established; isdataat:317; content:"PRIVMSG"; fast_pattern:only; pcre:"/[^\x3a\s]{309}\sPRIVMSG/i"; metadata:policy max-detect-ips drop, service ircd; reference:bugtraq,31552; reference:cve,2008-4449; classtype:attempted-user; sid:15711; rev:8;)
# alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"PUA-OTHER Cerulean Studios Trillian image filename handling XML tag overflow attempt"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:4; distance:4; content:"<IMG "; nocase; pcre:"/\x3cimg[^\x3e]*src\x3d(\x22|\x27)?[^\x22\x27\s]{300}/i"; metadata:policy max-detect-ips drop; reference:cve,2008-5401; classtype:attempted-user; sid:15489; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server setup Authentication bypass attempt"; flow:to_server,established; content:"setup/setup-"; fast_pattern:only; pcre:"/^[A-Z]+\s+\x2Fsetup\x2Fsetup-.*?\x2E\x2E\x2F/mi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32189; reference:cve,2008-6509; classtype:attempted-admin; sid:15153; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-OTHER Skype skype4com URI handler memory corruption attempt"; flow:to_client,established; file_data; content:"skype4com|3A|"; fast_pattern:only; pcre:"/skype4com\x3A[A-Z\d]{0,6}[^A-Z\d]/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26748; reference:cve,2007-5989; classtype:attempted-user; sid:13292; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER RMS rmansys remote management tool cnc communication"; flow:to_server,established; content:"/utils/inet_id_notify.php"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; reference:url,virustotal.com/en/file/25C444D7A7AE59DF4335D55916DFEF97A467C18BA9B0B92E2DBFFBD788206599/analysis/; classtype:misc-activity; sid:39416; rev:1;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining extranonce Stratum protocol subscribe client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.extranonce.subscribe|22|"; content:"|22|params|22 3A|"; distance:1; metadata:ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40842; rev:1;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining authorize Stratum protocol client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.authorize|22|"; content:"|22|params|22 3A|"; distance:1; metadata:ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40841; rev:1;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining subscribe Stratum protocol client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.subscribe|22|"; content:"|22|params|22 3A|"; distance:1; metadata:ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40840; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER CPUMiner-Multi cryptocurrency mining pool connection attempt"; flow:to_server,established; content:"|22|method|22|"; nocase; content:"|22|agent|22|"; nocase; content:"|22|cpuminer-multi"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,github.com/OhGodAPet/cpuminer-multi; classtype:policy-violation; sid:45550; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt"; flow:to_server,established; content:"|22|method|22|"; nocase; content:"|22|agent|22|"; nocase; content:"|22|xmr-stak-cpu"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,github.com/fireice-uk/xmr-stak-cpu; classtype:policy-violation; sid:45825; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt"; flow:to_server,established; content:"|22|method|22|"; nocase; content:"|22|agent|22|"; nocase; content:"|22|XMRMiner"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,github.com/xmrig/xmrig; classtype:policy-violation; sid:45955; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Authedmine TLS client hello attempt"; flow:to_server,established; file_data; ssl_state:client_hello; content:"authedmine.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45952; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PUA-OTHER Authedmine TLS server hello attempt"; flow:to_client,established; ssl_state:server_hello; content:"authedmine.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45951; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Coinhive TLS client hello attempt"; flow:to_server,established; ssl_state:client_hello; content:"coinhive.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45950; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PUA-OTHER Coinhive TLS server hello attempt"; flow:to_client,established; ssl_state:server_hello; content:"coinhive.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45949; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER Cryptocurrency Miner outbound connection attempt"; flow:established,to_server; content:"|7B 22|id|22 3A|"; content:"|22|jsonrpc|22 3A|"; content:"|22|method|22 3A 22|login|22 2C 22|params|22 3A 7B 22|login|22 3A|"; content:"|22|pass|22 3A|"; content:"|22|agent|22 3A|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120/analysis; classtype:policy-violation; sid:46237; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Moonify TLS client hello attempt"; flow:to_server,established; ssl_state:client_hello; content:"moonify.io"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:46372; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PUA-OTHER Moonify TLS server hello attempt"; flow:to_client,established; ssl_state:server_hello; content:"moonify.io"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:46371; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER Moonify Miner client detected"; flow:to_client,established; file_data; content:"Moonify.start"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,doc.moonify.io; classtype:misc-attack; sid:46370; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER CryptoNight webassembly download attempt"; flow:to_client,established; flowbits:isset,file.wasm; file_data; content:"cryptonight"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-attack; sid:46366; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER CoinHive Miner client detected"; flow:to_client,established; file_data; content:"ASMJS_NAME"; fast_pattern:only; content:"LIB_URL"; content:"WEBSOCKET"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,coinhive.com/documentation/miner; classtype:misc-attack; sid:46365; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER obfuscated cryptomining javascript download attempt"; flow:to_client,established; file_data; content:"new Function(atob(|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/c6c5b88e5b641484c9f50f1abdbebb10e5a48db057e35cb7f556779c5684003b/; classtype:misc-attack; sid:46415; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt"; flow:to_client,established; file_data; content:"window._am.start()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,mineralt.io; classtype:misc-attack; sid:46414; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt"; flow:to_client,established; file_data; content:"async class"; fast_pattern:only; pcre:"/async\s+class\s*=\s*[\x27\x22]([A-Za-z0-9+\x2f=]+|[^\x22\x27]*?\x3b\d{2,3}\x3b[01])[\x27\x22]/is"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,mineralt.io; classtype:misc-attack; sid:46413; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER Javascript obfuscated by obfuscator.io download attempt"; flow:to_client,established; file_data; content:"var _0x"; content:"["; within:10; content:"var _0x"; distance:0; content:"function"; within:30; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46412; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PUA-OTHER Mineralt TLS server hello attempt"; flow:to_client,established; ssl_state:server_hello; isdataat:!1000; content:"mineralt.io"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; classtype:misc-attack; sid:46411; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Mineralt TLS client hello attempt"; flow:to_server,established; ssl_state:client_hello; content:"mineralt.io"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; classtype:misc-attack; sid:46410; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER XMRig cryptocurrency miner download attempt"; flow:to_server,established; content:"/xmrig"; fast_pattern:only; http_uri; urilen:<8; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:49111; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt"; flow:to_server,established; content:"|22|method|22|"; nocase; content:"|22|agent|22|"; nocase; content:"|22|xmr-stak"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,github.com/fireice-uk/xmr-stak; classtype:policy-violation; sid:49194; rev:1;)

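--- a/docker/etc/rules/pua-p2p.rules
+++ b/docker/etc/rules/pua-p2p.rules
@@ -0,0 +1,45 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#---------------
+# PUA-P2P RULES
+#---------------
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; metadata:ruleset community; classtype:policy-violation; sid:1432; rev:11;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:557; rev:11;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent announce request"; flow:to_server,established; content:"/announce"; content:"info_hash="; content:"peer_id="; content:"event="; metadata:ruleset community, service http; classtype:policy-violation; sid:2180; rev:10;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8;)
+# alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"PUA-P2P eDonkey server response"; flow:established,to_client; content:"Server|3A| eMule"; fast_pattern:only; metadata:ruleset community; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:9;)
+# alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"PUA-P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|"; depth:4; offset:16; metadata:ruleset community; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:9;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"PUA-P2P AOL Instant Messenger file receive attempt"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; distance:0; byte_test:2,=,2,-25,relative; classtype:policy-violation; sid:3681; rev:6;)
+# alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"PUA-P2P AOL Instant Messenger file send attempt"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; distance:0; byte_test:2,=,2,-25,relative; classtype:policy-violation; sid:3680; rev:7;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client setup get newest version attempt"; flow:to_server,established; content:"/ui/"; http_uri; content:"/getnewestversion"; http_uri; content:"Host|3A| ui.skype.com"; fast_pattern:only; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5694; rev:11;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client start up get latest version attempt"; flow:to_server,established; content:"/ui/"; http_uri; content:"/getlatestversion?ver="; http_uri; content:"Host|3A| ui.skype.com"; fast_pattern:only; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5693; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-P2P Skype client login"; flow:to_client,established; flowbits:isset,skype.login; dsize:5; content:"|17 03 01 00|"; depth:4; classtype:policy-violation; sid:5999; rev:7;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Skype client login startup"; flow:to_server,established; dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login; classtype:policy-violation; sid:5998; rev:7;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"PUA-P2P Outbound Joltid PeerEnabler traffic detected"; flow:established,to_server; content:"User-Agent|3A| PeerEnabler"; nocase; content:"joltid"; within:20; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453078786; reference:url,www.joltid.com; classtype:policy-violation; sid:12691; rev:5;)
+# alert udp $HOME_NET any <> $EXTERNAL_NET any (msg:"PUA-P2P Bittorrent uTP peer request"; content:"info_hash"; content:"get_peers"; fast_pattern:only; reference:url,www.bittorrent.org/beps/bep_0000.html; classtype:policy-violation; sid:16282; rev:4;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent scrape request"; flow:established,to_server; content:"GET"; depth:4; content:"/scrape"; distance:1; content:"info_hash="; offset:4; reference:url,www.bittorrent.org/beps/bep_0000.html; classtype:policy-violation; sid:16281; rev:3;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client successful install"; flow:to_server,established; content:"/ui/"; http_uri; content:"/installed"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5692; rev:12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 16800:17000 (msg:"PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected"; flow:to_server,established; content:"|04 00 07 00|"; depth:4; content:"TVANTS SHARE"; depth:12; offset:8; flowbits:set,tvant.session; classtype:policy-violation; sid:12210; rev:4;)
+alert tcp $EXTERNAL_NET 16800:17000 -> $HOME_NET any (msg:"PUA-P2P P2PTv TVAnts TCP connection traffic detected"; flow:to_client,established; content:"|04 00|"; depth:2; pcre:"/[\x01\x02\x03\x04\x05\x06\x07]\x00.{4}\x43\x00/R"; flowbits:set,tvant.session; classtype:policy-violation; sid:12211; rev:5;)
+alert udp $HOME_NET 16800:17000 -> $EXTERNAL_NET any (msg:"PUA-P2P P2PTv TVAnt udp traffic detected"; content:"|04 00|"; depth:2; pcre:"/[\x05\x06\x07]\x00.{6}[SD]S/R"; flowbits:set,tvant.session; classtype:policy-violation; sid:12209; rev:6;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-P2P Ruckus P2P encrypted authentication connection"; flow:to_server,established; content:"|00 00|"; content:"www.ruckus.com"; within:14; distance:7; classtype:policy-violation; sid:12427; rev:4;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Ruckus P2P client activity"; flow:to_server,established; content:"User-Agent|3A| Ruckus/"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:12425; rev:7;)
+# alert udp $HOME_NET 5353 -> 224.0.0.251 5353 (msg:"PUA-P2P Ruckus P2P broadcast domain probe"; flow:to_server; content:"ruckus|04|_tcp|05|local"; fast_pattern:only; classtype:policy-violation; sid:12426; rev:5;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Vuze BitTorrent client outbound connection"; flow:to_server,established; content:"User-Agent|3A| Azureus"; fast_pattern:only; http_header; metadata:service http; reference:url,www.vuze.com; classtype:policy-violation; sid:29357; rev:1;)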


@@ -0,0 +1,199 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# PUA-TOOLBARS RULES
#--------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS WidgiToolbar toolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| WidgiToolbar"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/e5f7e540732bd71e64b22d29a5a1b7bb507be0364b65e31470612f03340a798f/analysis/; classtype:misc-activity; sid:44889; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Google Desktop initial install - installer request"; flow:to_server,established; content:"/installer?"; fast_pattern; nocase; http_uri; content:"action=install"; http_uri; content:"version="; http_uri; content:"id="; http_uri; content:"brand=GGLD"; http_uri; content:"hl="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; metadata:service http; classtype:policy-violation; sid:7859; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Google Desktop search query"; flow:to_server,established; content:"/complete/search?"; fast_pattern; nocase; http_uri; content:"q="; http_uri; content:"output=desktop"; http_uri; content:"sourceid=gd"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; metadata:service http; classtype:policy-violation; sid:7860; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Google Desktop initial install - firstuse request"; flow:to_server,established; content:"/firstuse?"; fast_pattern; nocase; http_uri; content:"version="; http_uri; content:"id="; http_uri; content:"brand=GGLD"; http_uri; content:"hl="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; metadata:service http; classtype:policy-violation; sid:7858; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker searchfast detection - track user activity & get 'relates links' of the toolbar"; flow:to_server,established; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"dat=nsa"; nocase; http_uri; content:"ver=visicom"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| xml.alexa.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5964; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker isearch runtime detection - toolbar information request"; flow:to_server,established; content:"/xml.php"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; pcre:"/tid\x3D\x7B([0-9A-z]+\x2D){4}[0-9A-z]+\x7D/smi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5861; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware hithopper runtime detection - click toolbar buttons"; flow:to_server,established; content:"/xml/toolbar/"; nocase; http_uri; content:"Host|3A| www.hithopper.com"; fast_pattern:only; pcre:"/\x2Fxml\x2Ftoolbar\x2F(sports|news|horoscope2|horoscope|weather2|weather)\.php/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5788; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - track"; flow:to_server,established; content:"/ctx/imptrack.php?"; nocase; http_uri; content:"build="; nocase; http_uri; content:"action="; nocase; http_uri; content:"adv="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"supremetoolbar.com/index.php?tpid="; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530; classtype:successful-recon-limited; sid:5941; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - pass info to server"; flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"metaresults.copernic.com"; nocase; http_header; metadata:service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5886; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware wordiq toolbar runtime detection - get link info"; flow:to_server,established; content:"/toolbar/getlinks.php"; nocase; http_uri; content:"User-Agent|3A| Iterenet Explorer"; nocase; http_header; content:"Host|3A| www.wordiq.com"; nocase; http_header; metadata:service http; reference:url,www.softpedia.com/progReportSpyware/12-3-196; classtype:successful-recon-limited; sid:5892; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware wordiq toolbar runtime detection - search keyword"; flow:to_server,established; content:"/toolbar/search_log.php?"; nocase; http_uri; content:"toolbar_id="; nocase; http_uri; content:"se_id="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"User-Agent|3A| Iterenet Explorer"; fast_pattern:only; metadata:service http; reference:url,www.softpedia.com/progReportSpyware/12-3-196; classtype:successful-recon-limited; sid:5893; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trickler slinkyslate toolbar runtime detection"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"Keywords="; nocase; http_uri; content:"Host|3A| www.slinkyslate"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1055; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082746; classtype:misc-activity; sid:6261; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker dotcomtoolbar runtime detection - url hook"; flow:to_server,established; content:"/redirect.asp"; nocase; http_uri; content:"url="; nocase; http_uri; content:"linkid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"click.dotcomtoolbar.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=628; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076986; classtype:misc-activity; sid:6382; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker i-lookup runtime detection"; flow:to_server,established; content:"/bar/links.php?affid="; nocase; http_uri; content:"Host|3A| toolbar.i-lookup.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=518; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074914; classtype:misc-activity; sid:6230; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trickler navexcel search toolbar runtime detection - activate/update"; flow:to_server,established; content:"User-Agent|3A| NavExcel Search Toolbar"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=607; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928; classtype:misc-activity; sid:6278; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware quicksearch toolbar runtime detection - log user ativity"; flow:to_server,established; content:"/log/log.cgi?"; nocase; http_uri; content:"Host|3A| quick.qsrch.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:successful-recon-limited; sid:6253; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware quicksearch toolbar runtime detection - update"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"version="; nocase; http_uri; content:"tag="; nocase; http_uri; content:"ptr="; nocase; http_uri; content:"source="; nocase; http_uri; content:"User-Agent|3A| ToolBar"; nocase; http_header; content:"Host|3A| upgrade.qsrch.info"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:successful-recon-limited; sid:6255; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker dotcomtoolbar runtime detection - toolbar information retrieve"; flow:to_server,established; content:"/data.asp"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.dotcomtoolbar.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=628; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076986; classtype:misc-activity; sid:6380; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker girafa toolbar - toolbar update"; flow:to_server,established; content:"/srv/c"; nocase; http_uri; content:"i="; nocase; http_uri; content:"t="; nocase; http_uri; content:"v="; nocase; http_uri; content:"s="; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"GirafaClient"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1135; classtype:misc-activity; sid:6376; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker adbars runtime detection - search in toolbar"; flow:to_server,established; content:"/buscar.php?cadena="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.buscandoamigos.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1331; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079049; classtype:misc-activity; sid:6379; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - smileys"; flow:to_server,established; content:"/pl/shared/smileys/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"files-pl.starware.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7579; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware hotblox toolbar runtime detection - ie autosearch hijack"; flow:to_server,established; content:"/dns/?url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolbar.hotblox.com"; nocase; http_header; metadata:service http; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7528; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - collect information"; flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"as.starware.com/dp/search?x="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7577; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Snoopware 2-seek runtime detection - user info collection"; flow:to_server,established; content:"/go.php?"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.2-seek.com/search/"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.2-seek.com"; nocase; http_header; metadata:service http; reference:url,www.2-seek.com/toolbar.php; classtype:successful-recon-limited; sid:7599; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Snoopware 2-seek runtime detection - search in toolbar"; flow:to_server,established; content:"/search/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.2-seek.com"; nocase; http_header; metadata:service http; reference:url,www.2-seek.com/toolbar.php; classtype:successful-recon-limited; sid:7598; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trickler maxsearch runtime detection - toolbar download"; flow:to_server,established; content:"/toolbar.exe"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"tb.freeprod.com"; nocase; http_header; content:"User-Agent|3A|"; nocase; http_header; content:"NSIS_DOWNLOAD"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7849; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker instafinder initial configuration detection"; flow:to_server,established; content:"/404/update/instafinktb0302.cfg"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Visicom"; fast_pattern; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1130; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090786; classtype:misc-activity; sid:7840; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker sogou runtime detection - search through sogou toolbar"; flow:to_server,established; content:"/web"; nocase; http_uri; content:"query="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sogou.com"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098380; classtype:misc-activity; sid:9646; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker kuaiso toolbar runtime detection"; flow:to_server,established; content:"/gd_ad.html"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolsbar.kuaiso.com"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098930; classtype:misc-activity; sid:10093; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker snap toolbar runtime detection - cookie"; flow:to_server,established; content:"Cookie|3A|"; nocase; http_header; content:"www.snap.com"; nocase; http_header; content:"toolbar_domain_redirect"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094831; classtype:misc-activity; sid:11948; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware lookster toolbar runtime detection - hijack ie search assistant"; flow:to_server,established; content:"/web/search.php"; nocase; content:"keywords="; distance:0; nocase; content:"username="; distance:0; nocase; content:"Host|3A|"; nocase; http_header; content:"www.lookster.net"; nocase; http_header; metadata:service http; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797; classtype:successful-recon-limited; sid:12125; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware spynova runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Spynova"; fast_pattern; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,www.symantec.com/en/aa/enterprise/security_response/writeup.jsp?docid=2007-041614-3222-99; classtype:successful-recon-limited; sid:12122; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware snap ultrasearch/desktop toolbar runtime detection - cookie"; flow:to_server,established; content:"Cookie|3A|"; nocase; http_header; content:"source%3Dultrasearch136%26campaign%3Dsnap"; nocase; http_header; metadata:service http; reference:url,www.spynomore.com/toolbar-snap-ultrasearch.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094831; classtype:successful-recon-limited; sid:12228; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker 3search runtime detection - counter"; flow:to_server,established; content:"/counter.php?"; nocase; http_uri; content:"tbid="; nocase; http_uri; content:"do="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; metadata:service http; reference:url,www.downloadfile.org; reference:url,www.softwarerevenue.org; classtype:misc-activity; sid:12294; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker scn toolbar runtime detection - hijack ie searches"; flow:to_server,established; content:"/ResultsExt.aspx?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"ctid="; nocase; http_uri; content:"SearchSource="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"search.conduit.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/spydet_1830_scn_toolbar.html; classtype:misc-activity; sid:12288; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker scn toolbar runtime detection - get updates"; flow:to_server,established; content:"/update/update.xml"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"scn.mystoretoolbar.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/spydet_1830_scn_toolbar.html; classtype:misc-activity; sid:12289; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker proventactics 3.5 runtime detection - toolbar search function"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"s="; nocase; http_uri; content:"Host|3A| www.proventactics.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=ProvenTactics&threatid=10038; reference:url,www.spywareguide.com/spydet_1826_proventactics.html; classtype:misc-activity; sid:12366; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker imesh mediabar runtime detection - auto update"; flow:to_server,established; content:"/autoupdate/version.txt"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; fast_pattern; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=imesh&threatid=6994; reference:url,www.spywaredata.com/spyware/malware/mediabar.dll.php; classtype:misc-activity; sid:12370; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker 411web toolbar runtime detection"; flow:to_server,established; content:"/code/engine.cgi?"; nocase; http_uri; content:"toolbar_id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; metadata:service http; reference:url,www.bleepingcomputer.com/uninstall/16/411web-Toolbar.html; reference:url,www.onetwo.ca/spyware.html; classtype:misc-activity; sid:12481; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker soso toolbar runtime detection - get weather information"; flow:to_server,established; content:"User-Agent|3A| TencentTraveler"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_3333_soso_toolbar.html; reference:url,www.xblock.com/product_show.php?id=3333; classtype:misc-activity; sid:12486; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware extra toolbar 1.0 runtime detection - file download"; flow:to_server,established; content:"/_vti_bin/owssvr.dll"; nocase; http_uri; content:"Host|3A| www.onlinecasinoextra.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453117295; classtype:successful-recon-limited; sid:12622; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware extra toolbar 1.0 runtime detection"; flow:to_server,established; content:"/toolbarinfo.php?"; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453117295; classtype:successful-recon-limited; sid:12621; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar user-agent detection"; flow:to_server,established; content:"User-Agent|3A| MyWaySearchAssistant"; fast_pattern:only; metadata:service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:12679; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware happytofind toolbar runtime detection"; flow:to_server,established; content:"/htftool.php?q="; nocase; http_uri; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453100378; reference:url,www.pctools.com/mrc/infections/id/Adware.Happytofind_Toolbar; reference:url,www.spywareguide.com/spydet_3157_happytofind.html; classtype:successful-recon-limited; sid:12796; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker blue wave adult links toolbar runtime detection"; flow:to_server,established; content:"/cgi-bin/links/search.cgi"; nocase; http_uri; content:"query="; nocase; http_uri; content:"Host|3A| www.bluewavelinks.com"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BlueWave%20Adult%20Links&threatid=95240; reference:url,www.bluewavelinks.com; classtype:misc-activity; sid:13239; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ditto toolbar runtime detection"; flow:to_server,established; content:"/searchResults.asp"; nocase; http_uri; content:"mainToolbar="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"ss="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Ditto%20Toolbar&threatid=69488; reference:url,www.emsisoft.it/it/malware/?Adware.Win32.Ditto+Toolbar; classtype:misc-activity; sid:13342; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker direct toolbar runtime detection"; flow:to_server,established; content:"/search_total.asp"; nocase; http_uri; content:"recid=directtb"; nocase; http_uri; content:"q="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Direct.Toolbar&threatid=133225; classtype:misc-activity; sid:13339; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker people pal toolbar runtime detection - automatic upgrade"; flow:to_server,established; content:"/peoplepal/upgrade/?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"PeoplePal Version Checker"; fast_pattern; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PeoplePal%20Toolbar&threatid=48411; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.PeoplePal; classtype:misc-activity; sid:13488; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker baidu toolbar runtime detection - updates automatically"; flow:to_server,established; flowbits:isset,BaiduToolbar_detection; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; fast_pattern; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=44261; reference:url,www.spywareguide.com/product_show.php?id=1250; classtype:misc-activity; sid:13484; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker dealio toolbar runtime detection user-agent detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Dealio Toolbar"; fast_pattern; nocase; http_header; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453113199; reference:url,www.fbmsoftware.com/spyware-net/application/Dealio_Toolbar; classtype:misc-activity; sid:13503; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker kompass toolbar runtime detection - initial connection"; flow:to_server,established; content:"/toolbar/kompasst"; nocase; http_uri; content:".php"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kompass&threatid=70475; reference:url,spywaresignatures.com/details/kompasstoolbar.pdf; classtype:misc-activity; sid:13559; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker eclickz toolbar runtime detection - search traffic"; flow:to_server,established; content:"/search/?"; nocase; http_uri; content:"Terms="; nocase; http_uri; metadata:service http; reference:url,spywaresignatures.com/details.php?spyware=eclickztoolbar; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.eClickz+Toolbar; classtype:misc-activity; sid:13641; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker zztoolbar runtime detection - toolbar traffic"; flow:to_server,established; content:"/rank/Info.do?"; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:url,www.browserdefender.com/file/404730/site/chinarank.org.cn/; reference:url,www.spywareguide.com/spydet_5949_zztoolbar.html; classtype:misc-activity; sid:13643; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker zztoolbar runtime detection - search traffic"; flow:to_server,established; content:"/s?"; nocase; http_uri; content:"wd="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Chinarank"; nocase; http_header; content:"Toolbar|29|"; nocase; http_header; metadata:service http; reference:url,www.browserdefender.com/file/404730/site/chinarank.org.cn/; reference:url,www.spywareguide.com/spydet_5949_zztoolbar.html; classtype:misc-activity; sid:13644; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locmag toolbar runtime detection - connection to toolbar"; flow:to_server,established; content:"/contents2.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"cnt="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolbar.locmag.com"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Locmag%20Toolbar&threatid=48497; reference:url,www.360zd.com/spyware/433.html; classtype:misc-activity; sid:13639; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker find.fm toolbar runtime detection - automatic updates"; flow:to_server,established; content:"aid="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.find.fm"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2360; reference:url,www.spywaresignatures.com/details.php?spyware=find.fmtoolbar; classtype:misc-activity; sid:13780; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker rediff toolbar runtime detection - get news info"; flow:to_server,established; content:"/toolbar/"; nocase; http_uri; content:"/news.xml"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"server.toolbar.rediff.com"; nocase; http_header; metadata:service http; reference:url,secwatch.org/exploits/2007/03/Rediff.Toolbar_DoS.html.info; reference:url,www.fbmsoftware.com/spyware-net/application/Rediff_Toolbar/; classtype:misc-activity; sid:14056; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - weather request"; flow:to_server,established; content:"/dp/weather?x="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7575; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 1"; flow:to_server,established; content:"/tr.js?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"r="; nocase; http_uri; content:"Host|3A| c4.myway.com"; fast_pattern:only; metadata:service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5801; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware try2find detection"; flow:to_server,established; content:"User-Agent|3A| Try2Find Toolbar"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1086; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096392; classtype:successful-recon-limited; sid:6189; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker begin2search runtime detection - ico query"; flow:to_server,established; content:"/toolbar/ico/"; nocase; http_uri; content:".ico"; nocase; http_uri; pcre:"/\x2Ftoolbar\x2Fico\x2F[a-zA-Z0-9_%]*\.ico/Ui"; content:"Host|3A| begin2search.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5765; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware trellian toolbarbrowser runtime detection"; flow:to_server,established; content:"/add.txt?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"rank.toolbarbrowser.com"; nocase; http_header; metadata:service http; reference:url,www.toolbarbrowser.com; classtype:successful-recon-limited; sid:7593; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locatorstoolbar runtime detection - toolbar search"; flow:to_server,established; content:"/dir/"; nocase; http_uri; content:"Host|3A| www.locators.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5917; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware praizetoolbar runtime detection"; flow:to_server,established; content:"/toolbar/"; nocase; http_uri; content:"Host|3A| www.praize.com"; fast_pattern:only; pcre:"/\x2Ftoolbar\x2F((version\x2Etxt)|(notifytoolbar\x2Ehtml))/smi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1812; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079048; classtype:misc-activity; sid:5858; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Win.Adware.MyWebSearch Toolbar funwebproducts variant outbound connection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"FunWebProducts"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094235; classtype:successful-recon-limited; sid:7567; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware quicksearch toolbar runtime detection - redirect"; flow:to_server,established; content:"/tbar?"; nocase; http_uri; content:"upartner="; nocase; http_uri; content:"ps="; nocase; http_uri; content:"bidpart="; nocase; http_uri; content:"rank="; nocase; http_uri; content:"query="; nocase; http_uri; content:"redir="; nocase; http_uri; content:"Host|3A| quick.qsrch.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:successful-recon-limited; sid:6254; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware earthlink toolbar runtime detection - get up-to-date news info"; flow:to_server,established; content:"/ta/NEWS/"; nocase; http_uri; content:"/rss"; nocase; http_uri; pcre:"/\x2Fta\x2FNEWS\x2F[^\r\n]*\x2Frss/Ui"; content:"User-Agent|3A|"; nocase; http_header; content:"AsyncHTTP"; fast_pattern; nocase; http_header; metadata:service http; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7518; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trickler hmtoolbar runtime detection"; flow:to_server,established; content:"/update"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"tool.world2.cn"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096408; classtype:misc-activity; sid:7516; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware anwb toolbar runtime detection - track user ip address"; flow:to_server,established; content:"/nieuws.dtd"; nocase; http_uri; content:"Host|3A| toolbar.anwb.nl"; fast_pattern:only; content:"Cookie"; nocase; content:"anwbtrack="; distance:0; nocase; content:"ANWBWebService="; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1139; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078342; classtype:successful-recon-limited; sid:5979; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker makemesearch toolbar runtime detection - get info"; flow:to_server,established; content:"/get/"; nocase; http_uri; content:"pv="; nocase; http_uri; content:"iv="; nocase; http_uri; content:"pn="; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A| toolbarplace.com"; metadata:service http; reference:url,www.spywaredetails.com/index.php?a=spyware&act=read&id=1607; classtype:misc-activity; sid:6482; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker flashbar runtime detection - user-agent"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Flashbar"; fast_pattern; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"X"; nocase; http_header; metadata:service http; reference:url,data.icxo.com/htmlnews/2006/07/10/875297.htm; classtype:misc-activity; sid:7581; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker couponbar runtime detection - download new coupon offers and links"; flow:to_server,established; content:"/CBXml.asp?"; nocase; http_uri; content:"tc="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079137; classtype:misc-activity; sid:5866; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - third party information collection"; flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"supremetoolbar.com/index.php?tpid="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:successful-recon-limited; sid:5943; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware anwb toolbar runtime detection - display advertisement"; flow:to_server,established; content:"/weer.xml"; nocase; http_uri; content:"Host|3A| toolbar.anwb.nl"; fast_pattern:only; content:"Cookie"; nocase; content:"anwbtrack="; distance:0; nocase; content:"ANWBWebService="; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1139; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078342; classtype:successful-recon-limited; sid:5980; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker makemesearch toolbar runtime detection - search"; flow:to_server,established; content:"said="; nocase; http_uri; content:"qq="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.makemesearch.com"; nocase; http_header; metadata:service http; reference:url,www.spywaredetails.com/index.php?a=spyware&act=read&id=1607; classtype:misc-activity; sid:6484; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker customtoolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"YOUR CUSTOM TOOLBAR"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1182; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074937; classtype:misc-activity; sid:6282; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware quicksearch toolbar runtime detection - search request"; flow:to_server,established; content:"/tbar?"; nocase; http_uri; content:"prt="; nocase; http_uri; content:"nnreq="; nocase; http_uri; content:"s="; nocase; http_uri; content:"Host|3A| quick.qsrch.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:successful-recon-limited; sid:6252; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware dogpile runtime detection"; flow:to_server,established; content:"User-Agent|3A| Infospace Toolbar"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=651; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079953; classtype:misc-activity; sid:5750; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware searchnugget toolbar runtime detection - redirect mistyped urls"; flow:to_server,established; content:"/error.php"; nocase; http_uri; content:"type="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"searchnugget"; nocase; http_header; metadata:service http; reference:url,www.symantec.com/avcenter/venc/data/adware.searchnugget.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094349; classtype:misc-activity; sid:6488; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 2"; flow:to_server,established; content:"/__utm.gif?"; nocase; http_uri; content:"utmwv="; nocase; http_uri; content:"utmn="; nocase; http_uri; content:"utmsr="; nocase; http_uri; content:"utmsc="; nocase; http_uri; content:"utmul="; nocase; http_uri; content:"utmhn="; nocase; http_uri; content:"utmp="; nocase; http_uri; content:"Host|3A| utm.trk.myway.com"; fast_pattern:only; metadata:service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5802; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware searchingall toolbar runtime detection - send user url request"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.searchingall.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2581; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097487; classtype:successful-recon-limited; sid:6478; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - hijack ie browser"; flow:to_server,established; content:"/dp/search?x="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7576; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware alexa runtime detection"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"Alexa Toolbar"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=418; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075454; classtype:successful-recon-limited; sid:5749; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker netguide runtime detection"; flow:to_server,established; content:"/index.cfm"; nocase; http_uri; content:"action="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"Keywords="; nocase; content:"Host|3A|"; nocase; http_header; content:"netguide.grip.com"; nocase; http_header; metadata:service http; reference:url,castlecops.com/tk17754-CursorZone_Grip_Toolbar.html; classtype:misc-activity; sid:7848; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - search request"; flow:to_server,established; content:"/index.php?tpid="; nocase; http_uri; content:"tspid="; nocase; http_uri; content:"prid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"Host|3A| supremetoolbar.com"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530; classtype:successful-recon-limited; sid:5940; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware onetoolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| Visicom"; fast_pattern:only; content:"Host|3A| onetoolbar"; nocase; metadata:service http; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Adw.OneToolbar&threatid=43856; reference:url,www.spywareguide.com/product_show.php?id=2746; classtype:successful-recon-limited; sid:6191; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - pass information to its controlling server"; flow:to_server,established; content:"/r.php?"; nocase; http_uri; content:"apid="; nocase; http_uri; content:"ldid="; nocase; http_uri; content:"tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"cdurl="; nocase; http_uri; content:"srurl="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"supremetoolbar.com/index.php?tpid="; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2437; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437; classtype:successful-recon-limited; sid:5942; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker makemesearch toolbar runtime detection - home page hijacker"; flow:to_server,established; content:"said="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.vip-se.com"; nocase; http_header; metadata:service http; reference:url,www.spywaredetails.com/index.php?a=spyware&act=read&id=1607; classtype:misc-activity; sid:6483; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker wishbone runtime detection"; flow:to_server,established; content:"/updates/check_img.php?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"i="; nocase; http_uri; content:"now="; nocase; http_uri; content:"Host|3A| toolbar.wishbone.com"; fast_pattern:only; metadata:service http; reference:url,toolbar.wishbone.com; reference:url,www.spywareguide.com/product_show.php?id=1784; classtype:misc-activity; sid:5987; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware fftoolbar toolbar runtime detection - display advertisement news"; flow:to_server,established; content:"/downloads/toolbar/ticker.xml"; fast_pattern; nocase; http_uri; content:"Host|3A| www.fast-finder.com"; nocase; metadata:service http; reference:url,www.symantec.com/avcenter/venc/data/adware.fftoolbar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097640; classtype:successful-recon-limited; sid:5922; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware zango toolbar runtime detection"; flow:to_server,established; content:"/smartoffers/so.aspx"; fast_pattern; nocase; http_uri; content:"svc="; nocase; http_uri; content:"opener=rm_zango"; nocase; http_uri; content:"kw="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"resultsmaster.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2298; classtype:misc-activity; sid:8073; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker music of faith toolbar runtime detection - hijacks search engine traffic #2"; flow:to_server,established; content:"/dosearch/search.html?"; fast_pattern; nocase; http_uri; content:"EngineID=musicoffaith"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"refer=mof_toolbar"; nocase; http_uri; content:"keywords="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Music%20of%20Faith&threatid=47479; reference:url,www.spywareterminator.com/item/3836/MusicOfFaith.html; classtype:misc-activity; sid:13772; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker seeqtoolbar runtime detection - autosearch hijack or search in toolbar"; flow:to_server,established; content:"/results.jsp"; nocase; http_uri; content:"portal_id="; nocase; http_uri; content:"domain=seeq.com"; fast_pattern; nocase; http_uri; content:"tag=toolbar"; nocase; http_uri; content:"keyword="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1026; classtype:misc-activity; sid:5981; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware proofile toolbar runtime detection"; flow:to_server,established; content:"/xml_toolbar.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Proofile%20Toolbar&threatid=127931; classtype:successful-recon-limited; sid:13779; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker dotcomtoolbar runtime detection - search in toolbar"; flow:to_server,established; content:"/search.asp?"; nocase; http_uri; content:"group=searchbar-web"; fast_pattern; nocase; http_uri; content:"keyword="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=628; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076986; classtype:misc-activity; sid:6381; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker baidu toolbar runtime detection - discloses information"; flow:to_server,established; content:"/bdinfo.txt?"; fast_pattern; nocase; http_uri; content:"userip="; nocase; http_uri; content:"url="; nocase; http_uri; content:"navigate="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=44261; reference:url,www.spywareguide.com/product_show.php?id=1250; classtype:misc-activity; sid:13482; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware hotblox toolbar runtime detection - toolbar find function"; flow:to_server,established; content:"/custom?"; nocase; http_uri; content:"sourceid=toolbar.hotblox.com"; fast_pattern; nocase; http_uri; content:"client="; nocase; http_uri; content:"forid="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"cof="; nocase; http_uri; content:"hl="; nocase; http_uri; metadata:service http; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7527; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker proventactics 3.5 runtime detection - get cfg information"; flow:to_server,established; content:"/toolbaradmin/simt32.shq"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=ProvenTactics&threatid=10038; reference:url,www.spywareguide.com/spydet_1826_proventactics.html; classtype:misc-activity; sid:12364; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware push toolbar installtime detection - user information collect"; flow:to_server,established; content:"/stats/stats.cgi"; fast_pattern; nocase; http_uri; content:"userFile="; nocase; content:"Host|3A| "; nocase; content:"push.com"; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1786; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079100; classtype:successful-recon-limited; sid:5984; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware iggsey toolbar detection - simpleticker.htm request"; flow:to_server,established; content:"/Browser/CT48638/1_Simpleticker.htm"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796; classtype:successful-recon-limited; sid:5949; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware 6sq toolbar runtime detection"; flow:to_server,established; content:"/data.aspx?"; nocase; http_uri; content:"pn=sixsigmaToolbar"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Asynchronous"; nocase; http_header; content:"WinInet"; nocase; http_header; content:"CLASS"; nocase; http_header; metadata:service http; reference:url,ca.com/fi/securityadvisor/pest/pest.aspx?id=453130697; reference:url,www.spycheck.es/genera.php?processfile=6sqtoolbar.dll&dir=otros&pag=165; classtype:successful-recon-limited; sid:16120; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker scn toolbar runtime detection - ebrss request"; flow:to_server,established; content:"/ebrss.aspx?"; nocase; http_uri; content:"eb_ct_id="; nocase; http_uri; content:"eb_rss_index="; fast_pattern; nocase; http_uri; content:"eb_preview="; nocase; http_uri; content:"eb_color="; nocase; http_uri; content:"eb_forecolor="; nocase; http_uri; content:"eb_speed="; nocase; http_uri; content:"eb_random="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_1830_scn_toolbar.html; classtype:misc-activity; sid:12287; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - ie autosearch & search assistant hijack"; flow:to_server,established; content:"/copern.light/redirs_all.htm?"; fast_pattern; nocase; http_uri; content:"pgtarg="; nocase; http_uri; content:"qcat="; nocase; http_uri; content:"qkw="; nocase; http_uri; metadata:service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5885; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware earthlink toolbar runtime detection - ie autosearch hijack"; flow:to_server,established; content:"/sw/ietb/3/0/rd103.html?"; fast_pattern; nocase; http_uri; content:"d=error_earthlink"; nocase; http_uri; content:"q="; nocase; http_uri; metadata:service http; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7520; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware hotblox toolbar runtime detection - barad.asp request"; flow:to_server,established; content:"/searchapp/barad.asp?"; fast_pattern; nocase; http_uri; content:"searchkey="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolbar.hotblox.com"; nocase; http_header; metadata:service http; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7525; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware snap ultrasearch/desktop toolbar runtime detection - search"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"source=ultrasearch136"; fast_pattern; nocase; http_uri; content:"campaign=snap"; nocase; http_uri; metadata:service http; reference:url,www.spynomore.com/toolbar-snap-ultrasearch.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094831; classtype:successful-recon-limited; sid:12227; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker sofa toolbar runtime detection - records search information"; flow:to_server,established; content:"/cm?"; nocase; http_uri; content:"u="; nocase; http_uri; content:"010.eqiso.com"; fast_pattern; nocase; http_uri; content:"i="; nocase; http_uri; content:"w="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Chinese%20Softomate%20Toolbar&threatid=117814; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Softomate.ag; classtype:misc-activity; sid:13486; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker soso toolbar runtime detection - hijack ie auto searches / soso toolbar searches requests"; flow:to_server,established; content:"/q?"; http_uri; content:"w="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"cin="; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/cid=tb\x2e(addr|sb)/Ui"; metadata:service http; reference:url,www.spywareguide.com/spydet_3333_soso_toolbar.html; reference:url,www.xblock.com/product_show.php?id=3333; classtype:misc-activity; sid:12487; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker morpheus toolbar runtime detection - hijack/search"; flow:to_server,established; content:"/jsp/AJmain.jsp?"; fast_pattern; nocase; http_uri; content:"st="; nocase; http_uri; content:"ptnrs="; nocase; http_uri; content:"PG="; nocase; http_uri; content:"SEC="; nocase; http_uri; content:"searchfor="; nocase; http_uri; pcre:"/st=(kwd|dns)/Ui"; metadata:service http; reference:url,www.sophos.com/security/analyses/morpheustoolbar.html; classtype:misc-activity; sid:12292; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker kompass toolbar runtime detection - search traffic"; flow:to_server,established; content:"/kinl/static/index_kitoolbar.php?"; fast_pattern; nocase; http_uri; content:"_Choix="; nocase; http_uri; content:"_Lang="; nocase; http_uri; content:"_Zone="; nocase; http_uri; content:"Kprov=Toolbar"; nocase; http_uri; content:"_Keyword="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kompass&threatid=70475; reference:url,spywaresignatures.com/details/kompasstoolbar.pdf; classtype:misc-activity; sid:13560; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - update"; flow:to_server,established; content:"/dp/simpleupdate?x="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7580; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker couponbar runtime detection - get updates to toolbar buttons"; flow:to_server,established; content:"/CouponBar/CBXmlFiles/"; fast_pattern; nocase; http_uri; content:".bmp"; nocase; http_uri; content:"User-Agent|3A| Toolbar"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079137; classtype:misc-activity; sid:5867; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware jily ie toolbar runtime detection"; flow:to_server,established; content:"/123bar/search.php?"; fast_pattern; nocase; http_uri; content:"sengine="; nocase; http_uri; content:"keyword="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=123Bar&threatid=89993; reference:url,www.www.spywareguide.com/product_show.php?id=2425; classtype:misc-activity; sid:13282; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware zango2007 toolbar runtime detection"; flow:to_server,established; content:"/smartoffers/SmartOffers.aspx"; fast_pattern; nocase; http_uri; content:"HBHintSVC="; nocase; http_uri; content:"SG="; nocase; http_uri; content:"COUNTRY="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"partner=zango"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/spydet_2298_zango_toolbar.html; classtype:misc-activity; sid:12225; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker mxs toolbar runtime detection"; flow:to_server,established; content:"/toolbar/search.php?"; fast_pattern; nocase; http_uri; content:"key="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.mxs.co.kr"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MXS.Toolbar&threatid=97487; classtype:misc-activity; sid:13645; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ez-greets toolbar runtime detection"; flow:to_server,established; content:"/toolbar/ezg_serverside.xml"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.ez-greets.com"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Greets%20Toolbar&threatid=47475; classtype:misc-activity; sid:12050; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware hotblox toolbar runtime detection - stat counter"; flow:to_server,established; content:"/t.php?"; nocase; http_uri; content:"sc_project="; nocase; http_uri; content:"resolution="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"u="; nocase; http_uri; content:"toolbar.hotblox.com/searchapp/barad.asp"; fast_pattern; nocase; http_uri; content:"t=barad"; nocase; http_uri; content:"java="; nocase; http_uri; content:"security="; nocase; http_uri; content:"sc_random="; nocase; http_uri; metadata:service http; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7526; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker cramtoolbar runtime detection - hijack"; flow:to_server,established; content:"/style/style1_21.css"; fast_pattern; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.fuck-portal.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2474; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-091817-2335-99&tabid=1; classtype:misc-activity; sid:16114; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware fftoolbar toolbar runtime detection - send user url request"; flow:to_server,established; content:"/downloads/toolbar/related.asp"; fast_pattern; nocase; http_uri; content:"cli="; nocase; http_uri; content:"dat="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| www.fast-finder.com"; nocase; metadata:service http; reference:url,www.symantec.com/avcenter/venc/data/adware.fftoolbar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097640; classtype:successful-recon-limited; sid:5921; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker searchnine toolbar runtime detection - hijacks address bar"; flow:to_server,established; content:"/response.php?"; fast_pattern; nocase; http_uri; content:"search="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"searchnine.cn"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SearchNine&threatid=117435; reference:url,spywarefiles.prevx.com/spywarefiles.asp?FXC=DJFC24641892; classtype:misc-activity; sid:13769; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware earthlink toolbar runtime detection - search toolbar request 2"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"area=earthlink-ws-altsearchbox"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; metadata:service http; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7522; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker swbar runtime detection"; flow:to_server,established; content:"/toolbar/swbartb0110.cfg"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchwords.com"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077852; classtype:misc-activity; sid:7590; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware lookster toolbar runtime detection - ads"; flow:to_server,established; content:"/pagead/ads?"; nocase; http_uri; content:"client="; nocase; http_uri; content:"dt="; nocase; http_uri; content:"lmt="; nocase; http_uri; content:"format="; nocase; http_uri; content:"output="; nocase; http_uri; content:"correlator="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"www.lookster.net"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797; classtype:successful-recon-limited; sid:12127; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker freecruise toolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| FCTB1"; fast_pattern:only; http_header; metadata:service http; classtype:misc-activity; sid:7050; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware supreme toolbar runtime detection - get cfg"; flow:to_server,established; content:"/desktop/"; nocase; http_uri; content:"/toolbar/supremetb"; fast_pattern; nocase; http_uri; content:".cfg"; nocase; http_uri; pcre:"/\x2Fdesktop\x2F\d+\x2Ftoolbar\x2Fsupremetb\d+\.cfg/Ui"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530; classtype:successful-recon-limited; sid:5939; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker deepdo toolbar runtime detection - redirects search engine"; flow:to_server,established; content:"/baidu?"; nocase; http_uri; content:"word="; nocase; http_uri; content:"tn=deepbar"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,www.spywareguide.com/product_show.php?id=3367; classtype:misc-activity; sid:13492; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ez-tracks toolbar runtime detection - initial traffic 2"; flow:to_server,established; content:"/ezt/toolbar/"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,www.spywareremove.com/removeEZTracks.html; classtype:misc-activity; sid:13496; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker searchnine toolbar runtime detection - redirects search function"; flow:to_server,established; content:"/s?"; nocase; http_uri; content:"tn=searchnine_dg"; fast_pattern; nocase; http_uri; content:"wd="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SearchNine&threatid=117435; reference:url,spywarefiles.prevx.com/spywarefiles.asp?FXC=DJFC24641892; classtype:misc-activity; sid:13770; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker alot toolbar runtime detection - weather request"; flow:to_server,established; content:"/widgets/weather/tb"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"widget.alot.com"; nocase; http_header; metadata:service http; reference:url,www.pchell.com/support/alot.shtml; reference:url,www.spywareremove.com/removeALOTToolbar.html; classtype:misc-activity; sid:13853; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware myway speedbar / mywebsearch toolbar runtime detection - collect information"; flow:to_server,established; content:"/images/nocache/tr/gca/m.gif?"; fast_pattern; nocase; http_uri; content:"rand="; nocase; http_uri; content:"a="; nocase; http_uri; content:"u="; nocase; http_uri; content:"r="; nocase; http_uri; content:"w="; nocase; http_uri; content:"myway.com"; nocase; http_uri; metadata:service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5803; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker people pal toolbar runtime detection - traffic for searching"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"area="; nocase; http_uri; content:"cgid="; nocase; http_uri; content:"category="; fast_pattern; nocase; http_uri; content:"peoplepal"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PeoplePal%20Toolbar&threatid=48411; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.PeoplePal; classtype:misc-activity; sid:13489; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker find.fm toolbar runtime detection - hijacks address bar"; flow:to_server,established; content:"/search.php?"; fast_pattern; nocase; http_uri; content:"aid="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.find.fm"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2360; reference:url,www.spywaresignatures.com/details.php?spyware=find.fmtoolbar; classtype:misc-activity; sid:13781; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locmag toolbar runtime detection - hijacks address bar"; flow:to_server,established; content:"/multi_search/"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.locmag.com"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Locmag%20Toolbar&threatid=48497; reference:url,www.360zd.com/spyware/433.html; classtype:misc-activity; sid:13640; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker searchfast detection - get toolbar cfg"; flow:to_server,established; content:"/searchfast/"; nocase; http_uri; content:"/communicatortb"; fast_pattern; nocase; http_uri; content:".cfg"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5965; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker isearch runtime detection - search in toolbar"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"qry_str="; fast_pattern; nocase; http_uri; content:"src=tbi"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref="; nocase; http_uri; pcre:"/tid\x3D\x7B([0-9A-z]+\x2D){4}[0-9A-z]+\x7D/smi"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5864; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locatorstoolbar runtime detection - sidebar search"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"sidebar=method"; fast_pattern; nocase; http_uri; content:"que="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5916; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ez-tracks toolbar runtime detection - initial traffic 1"; flow:to_server,established; content:"/toolbar/ezt_serverside.xml"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,www.spywareremove.com/removeEZTracks.html; classtype:misc-activity; sid:13495; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker morpheus toolbar runtime detection - get cfg info"; flow:to_server,established; content:"/ms162cfg.jsp?"; nocase; http_uri; pcre:"/\x2fms162cfg\x2ejsp\x3f([sverlcfan]\x3d[^\x26\s]*\x26){8}/iU"; metadata:service http; reference:url,www.sophos.com/security/analyses/morpheustoolbar.html; classtype:misc-activity; sid:12293; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware lookster toolbar runtime detection - collect user information"; flow:to_server,established; content:"/toolbar/googlerank/get_googlerank.php"; fast_pattern; nocase; http_uri; content:"URL="; nocase; http_uri; content:"act="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797; classtype:successful-recon-limited; sid:12126; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker music of faith toolbar runtime detection - hijacks search engine traffic #1"; flow:to_server,established; content:"/search.html?"; fast_pattern; nocase; http_uri; content:"catch="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"musicoffaith"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Music%20of%20Faith&threatid=47479; reference:url,www.spywareterminator.com/item/3836/MusicOfFaith.html; classtype:misc-activity; sid:13771; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker baidu toolbar runtime detection - updates automatically"; flow:to_server,established; content:"/update/barcab/"; fast_pattern; nocase; http_uri; content:"tn="; nocase; http_uri; content:"baiducb"; nocase; http_uri; content:"id="; nocase; http_uri; content:"version="; nocase; http_uri; pcre:"/update\/barcab\/.*?tn=.*id=.*version=/smi"; flowbits:set,BaiduToolbar_detection; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:13483; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware eqiso runtime detection"; flow:to_server,established; content:"/cm"; http_uri; content:"toolbar.eqiso.com"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Eqiso&threatid=88999; classtype:misc-activity; sid:10180; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker girafa toolbar - browser hijack"; flow:to_server,established; content:"/srv/i?i="; fast_pattern; nocase; http_uri; content:"r=http"; nocase; http_uri; content:"m=srch"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1135; classtype:misc-activity; sid:6377; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locatorstoolbar runtime detection - configuration download"; flow:to_server,established; content:"/download/toolbar/locatorstoolbar"; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5914; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker copernic meta toolbar runtime detection - check toolbar & category info"; flow:to_server,established; content:"/software/meta/Update/VersionCheckInfo.ini?c="; nocase; http_uri; metadata:service http; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5884; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ezcybersearch runtime detection - check toolbar setting"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/chk_bar.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fchk_bar\.fcgi/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5757; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware push toolbar runtime detection - toolbar information request"; flow:to_server,established; content:"/searchv2tb0200.php"; fast_pattern; nocase; http_uri; content:"barid="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1786; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079100; classtype:successful-recon-limited; sid:5985; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware gophoria toolbar runtime detection"; flow:to_server,established; content:"/application/app_counter/?gopver="; nocase; http_uri; metadata:service http; reference:url,spywaresignatures.com/details.php?spyware=gophoria; reference:url,www.360zd.com/spyware/518.html; reference:url,www.spywareguide.com/spydet_3093_gophoria_toolbar.html; classtype:misc-activity; sid:12791; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker rx toolbar runtime detection"; flow:to_server,established; content:"RX Bar"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3A[^\r\n]*RX Bar\s+(ver=)?/miH"; metadata:service http; reference:url,sarc.com/avcenter/venc/data/adware.rxtoolbar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094367; classtype:misc-activity; sid:7839; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker 3search runtime detection - update"; flow:to_server,established; content:"/toolbar/cab/version.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; metadata:service http; reference:url,www.downloadfile.org; reference:url,www.softwarerevenue.org; classtype:misc-activity; sid:12296; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware vmn toolbar runtime detection"; flow:to_server,established; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"ver=visicom-vmntoolbar"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:url,www.download.com/3000-12777_4-10693292.html; classtype:successful-recon-limited; sid:12291; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker sofa toolbar runtime detection - hijacks search engine"; flow:to_server,established; content:"/search.htm?"; fast_pattern; nocase; http_uri; content:"st="; nocase; http_uri; content:"dir="; nocase; http_uri; content:"wd="; nocase; http_uri; content:"wid="; nocase; http_uri; content:"sofa"; nocase; http_uri; content:"version="; nocase; http_uri; content:"soft"; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Chinese%20Softomate%20Toolbar&threatid=117814; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Softomate.ag; classtype:misc-activity; sid:13485; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker cramtoolbar runtime detection - search"; flow:to_server,established; content:"/n4.g?"; nocase; http_uri; content:"login=craxam"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"pv="; nocase; http_uri; content:"jv="; nocase; http_uri; content:"j="; nocase; http_uri; content:"srw="; nocase; http_uri; content:"srb="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2474; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-091817-2335-99&tabid=1; classtype:misc-activity; sid:16115; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker alot toolbar runtime detection - auto update"; flow:to_server,established; content:"/update/update_configs/update_config_11077_0.xml?"; fast_pattern; nocase; http_uri; content:"src_id="; nocase; http_uri; content:"camp_id="; nocase; http_uri; content:"tb_version="; nocase; http_uri; content:"pr=tbar"; nocase; http_uri; content:"client_id="; nocase; http_uri; content:"install_time="; nocase; http_uri; metadata:service http; reference:url,www.pchell.com/support/alot.shtml; reference:url,www.spywareremove.com/removeALOTToolbar.html; classtype:misc-activity; sid:13854; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker linkspider search bar runtime detection - toolbar search"; flow:to_server,established; content:"/cgi-bin/cgsearch/cgsearch.cgi?"; fast_pattern; nocase; http_uri; content:"vid="; nocase; http_uri; content:"category="; nocase; http_uri; content:"lout="; nocase; http_uri; content:"sel="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"query="; nocase; http_uri; content:"match="; nocase; http_uri; content:"where="; nocase; http_uri; content:"sd="; nocase; http_uri; content:"pp="; nocase; http_uri; content:"to="; nocase; http_uri; metadata:service http; reference:url,linkspider.co.uk; classtype:misc-activity; sid:7571; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker deepdo toolbar runtime detection - automatic update"; flow:to_server,established; content:"/download/toolbar.ini"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"DeepdoUpdate"; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,www.spywareguide.com/product_show.php?id=3367; classtype:misc-activity; sid:13493; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware searchnugget toolbar runtime detection - check updates"; flow:to_server,established; content:"/toolbar/sbartb0300.cfg"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"acez"; nocase; http_header; metadata:service http; reference:url,www.symantec.com/avcenter/venc/data/adware.searchnugget.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094349; classtype:misc-activity; sid:6487; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker seeqtoolbar runtime detection - email login page"; flow:to_server,established; content:"/lander.jsp"; nocase; http_uri; content:"referrer="; nocase; http_uri; content:"domain=seeqmail.com"; fast_pattern; nocase; http_uri; content:"cm_mmc="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1026; classtype:misc-activity; sid:5982; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker locatorstoolbar runtime detection - autosearch hijack"; flow:to_server,established; content:"/download/toolbar/dnserror.php?"; fast_pattern; nocase; http_uri; content:"type=dns"; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5915; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware searchmiracle elitebar runtime detection - get ads"; flow:to_server,established; content:"/toolbar/"; nocase; http_uri; content:".php?"; nocase; http_uri; content:"acc="; nocase; http_uri; content:"country="; nocase; http_uri; content:"city="; nocase; http_uri; content:"state="; nocase; http_uri; content:"uninstalled="; nocase; http_uri; content:"User-Agent"; nocase; http_header; content:"iebar"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1124; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094053; classtype:successful-recon-limited; sid:12672; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker ez-tracks toolbar runtime detection - tracking traffic"; flow:to_server,established; content:"/TBTracking/TrackLinkClicks.cfm?"; fast_pattern; nocase; http_uri; content:"linkID="; nocase; http_uri; content:"ToolBarID="; nocase; http_uri; content:"TBSearch="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,www.spywareremove.com/removeEZTracks.html; classtype:misc-activity; sid:13497; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware iggsey toolbar detection - search request"; flow:to_server,established; content:"/search.php?keywords="; fast_pattern; nocase; http_uri; content:"Host|3A| www.iggsey.com"; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796; classtype:successful-recon-limited; sid:5951; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Trackware earthlink toolbar runtime detection - search toolbar request 1"; flow:to_server,established; content:"/sw/toolbar/4/2/rd601.html?"; nocase; http_uri; content:"area=earthlink-ws-altsearchbox"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; metadata:service http; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7521; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker baidu toolbar runtime detection - hijacks search engine"; flow:to_server,established; content:"/baidu?"; fast_pattern; nocase; http_uri; content:"tn="; nocase; http_uri; content:"baiducb"; nocase; http_uri; content:"word="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=44261; reference:url,www.spywareguide.com/product_show.php?id=1250; classtype:misc-activity; sid:13481; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker rediff toolbar runtime detection - hijack ie auto search"; flow:to_server,established; content:"/dirsrch/default.asp?"; fast_pattern; nocase; http_uri; content:"MT="; nocase; http_uri; content:"mode=toolbar"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"search.rediff.com"; nocase; http_header; metadata:service http; reference:url,secwatch.org/exploits/2007/03/Rediff.Toolbar_DoS.html.info; reference:url,www.fbmsoftware.com/spyware-net/application/Rediff_Toolbar/; classtype:misc-activity; sid:14055; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Hijacker starware toolbar runtime detection - reference"; flow:to_server,established; content:"/dp/reference?x="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7578; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Adware.Win32.Frosty Goes Skiing Screen Saver 2.2 Runtime Detection"; flow:to_server,established; content:"/toolbar/sbartb0300.cfg"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/ccc3258541762de91147d8c4d51321f7a36a17162bfb9caae986417a1e13a1fb/analysis/; classtype:misc-activity; sid:19897; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS 6SQ Toolbar runtime detection"; flow:to_server, established; content:"/data.aspx?pn=sixsigmaToolbar&ver="; fast_pattern:only; http_uri; content:"User-Agent|3A| Asynchronous WinInet CLASS"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/909ed43dfe0dae19d10ae63d348af5f3480d68ae4b51689994409c352f77d638/analysis/; classtype:misc-activity; sid:19906; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Vittalia adware outbound connection - offers"; flow:to_server,established; content:"/listener.php"; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27917; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Vittalia adware outbound connection - Eazel toolbar install"; flow:to_server,established; content:"/utilsbar/EazelBar.exe"; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27916; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Babylon toolbar outbound connection"; flow:to_server,established; content:"User-Agent|3A| Babylon|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/10eb3a1f0c7f71246e7b938262e1ebc8a2f9358ab9b0fd3a68ec80bf8fd7a2b9/analysis/; classtype:misc-activity; sid:28530; rev:4;)
# alert udp $HOME_NET any -> any 53 (msg:"PUA-TOOLBARS Babylon toolbar outbound connection"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|stpui|07|babylon|03|com|00|"; fast_pattern:only; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/en/file/E7191CF365D04BFE5C00D0BECF7E1C976DD6A5972449044BE0AA50BCA115D1B0/analysis/; classtype:misc-activity; sid:30038; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Inbox Public Transport Toolbar outbound connection"; flow:to_server,established; content:"/cr_confirm.asmx/GetXMLLog?"; fast_pattern:only; http_uri; content:"TbId="; nocase; http_uri; content:"TUID="; nocase; http_uri; content:"Action_Type="; nocase; http_uri; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1/analysis/1322189076/; classtype:misc-activity; sid:30765; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"PUA-TOOLBARS Babylon toolbar download attempt - stat.info-stream.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|stat|0B|info-stream|03|net|00|"; fast_pattern:only; metadata:service dns; reference:url,www.virustotal.com/en/domain/stat.info-stream.net/information/; classtype:misc-activity; sid:31076; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"PUA-TOOLBARS AVG anti-virus toolbar download attempt - mmi.explabs.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mmi|07|explabs|03|net|00|"; fast_pattern:only; metadata:service dns; reference:url,www.virustotal.com/en/domain/mmi.explabs.net/information/; classtype:misc-activity; sid:31075; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"PUA-TOOLBARS AVG anti-virus toolbar download attempt - download-toolbar.avg.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|download-toolbar|03|avg|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,www.virustotal.com/en/domain/download-toolbar.avg.com/information/; classtype:misc-activity; sid:31074; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection"; flow:to_server,established; content:".gif?action="; http_uri; content:"&browser="; distance:0; http_uri; content:"&osbuild="; distance:0; http_uri; content:"&osprod="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/06f3bd3df0326b5c3c5b03070d9d870507b868ee4e1acff62f0d301c43492709/analysis/; classtype:trojan-activity; sid:33452; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection"; flow:to_server,established; content:".gif?report="; http_uri; content:"&f="; distance:0; http_uri; content:"&n="; distance:0; http_uri; content:"&rnd="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/77ecc830641bd5a733a7e49bf132aaa8b1090fd2881df13d2e8f1c1fd69ba3ab/analysis/; classtype:trojan-activity; sid:39189; rev:1;)

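--- a/docker/etc/rules/rpc.rules
+++ b/docker/etc/rules/rpc.rules
@@ -0,0 +1,21 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#-----------
+# RPC RULES
+#-----------
+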

@@ -0,0 +1,21 @@
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# RSERVICES RULES
#-----------------

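--- a/docker/etc/rules/scada.rules
+++ b/docker/etc/rules/scada.rules
@@ -0,0 +1,22 @@
+# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
+#
+# This file contains (i) proprietary rules that were created, tested and certified by
+# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
+# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
+# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
+# GNU General Public License (GPL), v2.
+#
+# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
+# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
+# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
+# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
+# list of third party owners and their respective copyrights.
+#
+# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
+# to the VRT Certified Rules License Agreement (v2.0).
+#
+#-------------
+# SCADA RULES
+#-------------
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 2537 (msg:"SCADA Schneider Electric Accutech http request overflow attempt"; flow:to_server,established; content:"GET /"; depth:5; isdataat:128,relative; content:!" HTTP/1.1"; within:128; reference:bugtraq,57651; reference:cve,2013-0658; classtype:attempted-admin; sid:39941; rev:1;)
+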