# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. # # This file contains (i) proprietary rules that were created, tested and certified by # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by # Sourcefire and other third parties (the "GPL Rules") that are distributed under the # GNU General Public License (GPL), v2. # # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a # list of third party owners and their respective copyrights. # # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer # to the VRT Certified Rules License Agreement (v2.0). # #---------------------------- # INDICATOR-COMPROMISE RULES #---------------------------- alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|29|iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service dns; reference:url,www.virustotal.com/en/domain/iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/information/; classtype:trojan-activity; sid:44037; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE .com- potentially malicious hostname"; flow:to_server,established; content:"Host:"; http_header; content:".com-"; within:70; fast_pattern; http_header; content:!"www"; within:3; distance:-8; http_header; pcre:"/Host: [^\x0d\x0a]*?\.com-/Hi"; metadata:policy max-detect-ips drop, policy 
security-ips drop, service http; classtype:bad-unknown; sid:32488; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - sql"; flow:to_server,established; content:"act=sql"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16622; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - about"; flow:to_server,established; content:"act=about"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16616; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - eval"; flow:to_server,established; content:"act=eval"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16623; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - cmd"; flow:to_server,established; content:"act=cmd"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16613; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ps_aux"; flow:to_server,established; content:"act=ps_aux"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16619; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - selfremove"; flow:to_server,established; content:"act=selfremove"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16625; 
rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ls"; flow:to_server,established; content:"act=ls"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16627; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ftpquickbrute"; flow:to_server,established; content:"act=ftpquickbrute"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16620; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - encoder"; flow:to_server,established; content:"act=encoder"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16617; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - upload"; flow:to_server,established; urilen:<50; content:"act=upload"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16615; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - search"; flow:to_server,established; urilen:<50; content:"act=search"; fast_pattern:only; http_uri; content:"submit="; nocase; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16614; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - feedback"; flow:to_server,established; content:"act=feedback"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; 
sid:16624; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - fsbuff"; flow:to_server,established; content:"act=fsbuff"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16626; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - phpinfo"; flow:to_server,established; content:"act=phpinfo"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16628; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - bind"; flow:to_server,established; content:"act=bind"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16618; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - security"; flow:to_server,established; urilen:<50; content:"act=security"; fast_pattern:only; http_uri; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:16621; rev:7;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell domain lookup page"; flow:to_client,established; file_data; content:"MulCiShell"; fast_pattern:only; content:"Enter any Domain-name to lookup"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21131; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell database parsing page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Database parser"; metadata:service http; 
reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21138; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE WSO web shell"; flow:to_client,established; file_data; content:"WSO"; content:"toolsTbl"; content:"toolsInp"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21117; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE WSO web shell interactive SQL display"; flow:to_client,established; file_data; content:"WSO"; content:"var a_ = 'Sql'"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21121; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell password cracking page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Password crackers"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21135; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell enumeration page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Enumerated shell link:"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21130; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE WSO web shell security information display"; flow:to_client,established; file_data; content:"WSO"; content:"var a_ = 'SecInfo'"; metadata:service http; 
reference:url,attack.mitre.org/techniques/T1100; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21118; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell sql interaction page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Host:"; content:"Username:"; distance:0; content:"Password:"; distance:0; content:"Port:"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21132; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell kill shell page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Do you *really* want to kill the shell?"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21140; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell security bypass page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Security (open_basedir) bypassers"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21136; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE WSO web shell interactive console display"; flow:to_client,established; file_data; content:"WSO"; content:"var a_ = 'Console'"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21120; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE WSO 
web shell interactive file system information display"; flow:to_client,established; file_data; content:"WSO"; content:"var a_ = 'FilesMan'"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21119; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell encoder page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Encrypt"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21133; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell spread shell page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"[ Kill Shell ]"; content:"This tool will attempt to copy the shell into every writable director"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21139; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell tools page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"Port scanner"; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21137; rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21129; 
rev:5;) # alert tcp any $HTTP_PORTS -> any any (msg:"INDICATOR-COMPROMISE Mulcishell web shell security information page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; fast_pattern:only; content:"PHP Version"; content:"Safe mode"; distance:0; content:"Magic_Quotes"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21134; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - cmd"; flow:to_server,established; content:"act=cmd"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22917; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - selfremove"; flow:to_server,established; content:"act=selfremove"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22929; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - fsbuff"; flow:to_server,established; content:"act=fsbuff"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22930; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - tools"; flow:to_server,established; content:"act=tools&"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22933; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - encoder"; flow:to_server,established; content:"act=encoder"; 
fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22921; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - security"; flow:to_server,established; content:"act=security"; http_client_body; content:!"_"; within:1; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22925; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - search"; flow:to_server,established; content:"act=cmd"; http_uri; content:"act=search"; fast_pattern:only; http_client_body; content:"submit="; nocase; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22918; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - about"; flow:to_server,established; content:"act=about"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22920; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - feedback"; flow:to_server,established; content:"act=feedback"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22928; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - phpinfo"; flow:to_server,established; content:"act=phpinfo"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22932; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php 
command request - upload"; flow:to_server,established; content:"act=upload"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22919; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ftpquickbrute"; flow:to_server,established; content:"act=ftpquickbrute"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22924; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - eval"; flow:to_server,established; content:"act=eval"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22927; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ls"; flow:to_server,established; content:"act=ls"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22931; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - sql"; flow:to_server,established; content:"act=sql"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22926; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - ps_aux"; flow:to_server,established; content:"act=ps_aux"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22923; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE c99shell.php command request - 
bind"; flow:to_server,established; content:"act=bind"; fast_pattern:only; http_client_body; metadata:service http; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22922; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE base64-encoded c99shell download"; flow:to_client,established; file_data; content:"KioNCioNCioJCQkJCWM5OXNoZWxsLnBocCB2"; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:trojan-activity; sid:23016; rev:5;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Invalid URL"; flow:to_client,established; file_data; content:"Invalid URL"; nocase; metadata:ruleset community, service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-063; classtype:attempted-recon; sid:1200; rev:17;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE index of /cgi-bin/ response"; flow:to_client,established; file_data; content:"Index of /cgi-bin/"; nocase; metadata:ruleset community, service http; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:11;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE 403 Forbidden"; flow:to_client,established; content:"403"; http_stat_code; metadata:ruleset community, service http; classtype:attempted-recon; sid:1201; rev:13;) # alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE oracle one hour install"; flow:to_client,established; content:"Oracle Applications One-Hour Install"; metadata:ruleset community; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:10;) # alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE rexec username too long response"; flow:to_client,established; content:"username too long"; depth:17; metadata:ruleset community; reference:bugtraq,7459; 
reference:cve,2003-1097; classtype:unsuccessful-user; sid:2104; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; metadata:ruleset community; classtype:successful-user; sid:2412; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE directory listing"; flow:established; content:"Volume Serial Number"; metadata:ruleset community; classtype:bad-unknown; sid:1292; rev:12;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command completed"; flow:established; content:"Command completed"; fast_pattern:only; pcre:"/^Command\s+?completed\b/sm"; metadata:ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078; classtype:bad-unknown; sid:494; rev:20;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command error"; flow:established; content:"Bad command or filename"; nocase; metadata:ruleset community, service http; classtype:bad-unknown; sid:495; rev:14;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|28|s|29| copied"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:20;) # alert ip any any -> any any (msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; metadata:ruleset community, service ftp; 
classtype:suspicious-filename-detect; sid:1445; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:543; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:544; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:546; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD ' possible warez site"; flow:to_server,established; content:"MKD "; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:547; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD .' 
possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:548; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:545; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:554; rev:10;) # alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .ru dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02ru\x00/i"; metadata:service dns; classtype:trojan-activity; sid:15168; rev:13;) # alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i"; metadata:service dns; classtype:trojan-activity; sid:15167; rev:12;) # alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cc dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cc|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}([\x01-\x20].*?|)\x02cc\x00/i"; metadata:service dns; classtype:trojan-activity; sid:19020; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC dns request on non-standard port"; flow:to_server,established; content:"USERHOST "; depth:9; metadata:service irc; classtype:trojan-activity; sid:20095; 
rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC channel join on non-standard port"; flow:to_server,established; dsize:<140; content:"JOIN #"; depth:6; metadata:service irc; classtype:trojan-activity; sid:20092; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC DCC chat request on non-standard port"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC CHAT chat"; distance:0; nocase; metadata:service irc; classtype:trojan-activity; sid:20091; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC nick change on non-standard port"; flow:to_server,established; dsize:<140; content:"NICK "; depth:5; content:"|0D 0A|USER "; within:100; metadata:service irc; classtype:trojan-activity; sid:20089; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC channel notice on non-standard port"; flow:to_server,established; content:"NOTICE "; depth:7; metadata:service irc; classtype:trojan-activity; sid:20093; rev:7;) # alert tcp $HOME_NET any <> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC message on non-standard port"; flow:established; dsize:<140; content:"PRIVMSG "; depth:8; metadata:service irc; classtype:trojan-activity; sid:20094; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC DCC file transfer request on non-standard port"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC SEND"; distance:0; nocase; metadata:service irc; classtype:trojan-activity; sid:20090; rev:6;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Win32.Virut web propagation detection"; flow:to_client,established; file_data; content:"<iframe"; content:".pl/rc/"; distance:0; fast_pattern; 
pcre:"/\x3ciframe[^\x3e]*?src\x3d\x22http\x3a\x2f\x2f[^\x26\x2e]+\x26\x2346\x3b[^\x2e]+\x2epl\x2frc\x2f\x22/"; metadata:impact_flag red, service http; reference:url,securelist.com/en/analysis/204792122/; classtype:trojan-activity; sid:22940; rev:2;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE hex-encoded create_function detected"; flow:to_client,established; file_data; content:"|5C|x63|5C|x72|5C|x65|5C|x61|5C|x74|5C|x65|5C|x5f|5C|x66|5C|x75|5C|x6e|5C|x63|5C|x74|5C|x69|5C|x6f|5C|x6e"; fast_pattern:only; metadata:impact_flag red, service http; classtype:attempted-user; sid:22098; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware - download of winzf32.dll"; flow:to_server,established; content:"GET"; http_method; content:"/winzf32.dll"; fast_pattern:only; http_uri; pcre:"/\x2fwinzf32\x2edll$/smiU"; metadata:service http; classtype:suspicious-filename-detect; sid:17814; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware - download of iexplore.exe"; flow:to_server,established; content:"GET"; http_method; content:"/iexplore.exe"; fast_pattern:only; http_uri; pcre:"/\x2fiexplore\x2eexe$/smiU"; metadata:service http; classtype:suspicious-filename-detect; sid:17812; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware - download of server32.exe"; flow:to_server,established; content:"GET"; http_method; content:"/server32.exe"; fast_pattern:only; http_uri; pcre:"/\x2fserver32\x2eexe$/smiU"; metadata:service http; reference:url,en.wikipedia.org/wiki/Zeus_(trojan_horse); classtype:suspicious-filename-detect; sid:17810; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware - download of iprinp.dll"; flow:to_server,established; content:"GET"; http_method; content:"/iprinp.dll"; fast_pattern:only; http_uri; 
pcre:"/\x2fiprinp\x2edll$/smiU"; metadata:service http; classtype:suspicious-filename-detect; sid:17813; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware - download of svchost.exe"; flow:to_server,established; content:"GET"; http_method; content:"/svchost.exe"; fast_pattern:only; http_uri; pcre:"/\x2fsvchost\x2eexe$/smiU"; metadata:policy max-detect-ips drop, service http; classtype:suspicious-filename-detect; sid:17811; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt"; flow:to_client,established; file_data; content:"</script><!DOCTYPE"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:23179; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE iframe before DOCTYPE possible malicious redirect attempt"; flow:to_client,established; file_data; content:"</iframe><!DOCTYPE"; fast_pattern:only; metadata:service http; classtype:web-application-attack; sid:23596; rev:1;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Alsa3ek Web Shell"; flow:to_client,established; content:"<?php /* Cod3d by Mr.Alsa3ek and Al-Swisre"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; classtype:trojan-activity; sid:23830; rev:3;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Loaderz Web Shell"; flow:to_client,established; content:"/* Loader|27|z WEB Shell v"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; classtype:trojan-activity; sid:23829; rev:3;) # alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 
00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|s|00|a|00|c|00|s|00|e|00|s|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23926; rev:2;)
# NOTE(review): the file names in this DistTrack group are the drop-name list of the 2012 sample referenced above
# (Talos write-up / VirusTotal hash); later Shamoon variants may use different names, so the absence of a hit is
# weak evidence. "nocase" on UTF-16LE content only folds the ASCII bytes, which is what is wanted here since every
# other byte is 00. The stub-data match is not anchored, so the path may appear anywhere in the request arguments.
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|a|00|c|00|l|00|s|00|r|00|v|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23905; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|n|00|t|00|f|00|r|00|s|00|u|00|t|00|i|00|l|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23918; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|m|00|s|00|i|00|n|00|i|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23917; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|w|00|c|00|s|00|c|00|r|00|i|00|p|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23929; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|p|00|o|00|w|00|e|00|r|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23920; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|f|00|i|00|n|00|d|00|f|00|i|00|l|00|e|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23913; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|d|00|f|00|r|00|a|00|g|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23909; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|g|00|p|00|g|00|e|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23914; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|n|00|e|00|t|00|x|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23931; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|r|00|o|00|u|00|t|00|e|00|m|00|a|00|n|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23924; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|t|00|r|00|l|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23908; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|f|00|s|00|u|00|t|00|l|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23932; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|e|00|v|00|e|00|n|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23912; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|s|00|m|00|b|00|i|00|n|00|i|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23928; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|d|00|v|00|d|00|q|00|u|00|e|00|r|00|y|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23911; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|s|00|i|00|g|00|v|00|e|00|r|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23923; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|i|00|i|00|s|00|s|00|r|00|v|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23916; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|e|00|x|00|t|00|r|00|a|00|c|00|t|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23933; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|s|00|f|00|m|00|s|00|c|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23927; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|l|00|e|00|a|00|n|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23907; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|d|00|n|00|s|00|l|00|o|00|o|00|k|00|u|00|p|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23910; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|n|00|t|00|d|00|s|00|u|00|t|00|l|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23919; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|r|00|e|00|g|00|s|00|y|00|s|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23922; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|r|00|d|00|s|00|a|00|d|00|m|00|i|00|n|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23921; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|i|00|p|00|s|00|e|00|c|00|u|00|r|00|e|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23915; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|n|00|t|00|n|00|w|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23930; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|e|00|r|00|t|00|u|00|t|00|l|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23906; rev:2;)
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file"; flow:to_server,established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b; dce_opnum:0; dce_stub_data; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|r|00|r|00|a|00|s|00|r|00|v|00|.|00|e|00|x|00|e|00|"; nocase; metadata:service netbios-ssn; reference:url,blog.talosintel.com/2012/08/new-threat-disttrack.html; reference:url,www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/; classtype:trojan-activity; sid:23925; rev:2;)
# sids 23171/21941: a HOME_NET client requesting a .htm/.html or .php object under wp-content/uploads/fgallery/.
# An uploads directory should hold media only, so script or HTML content there points at a dropped shell or
# redirect page on the remote site. The PCRE anchors the extension to end-of-path or "?", so the trailing
# extension decides: "x.php.jpg" does not match, "x.php?cmd=" does.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Wordpress Request for html file in fgallery directory"; flow:to_server,established; content:"wp-content/uploads/fgallery"; fast_pattern:only; http_uri; pcre:"/wp-content\/uploads\/fgallery\/.+\x2ehtml?(\?|$)/U"; metadata:service http; 
classtype:web-application-attack; sid:23171; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Wordpress Request for php file in fgallery directory"; flow:to_server,established; content:"wp-content/uploads/fgallery"; fast_pattern:only; http_uri; pcre:"/wp-content\/uploads\/fgallery\/.+\x2ephp(\?|$)/U"; metadata:service http; classtype:web-application-attack; sid:21941; rev:4;)
# sid 23017: c99shell's hard-coded HTML comment in content delivered *to* HOME_NET over http, ftp-data, imap or pop3
# ($FILE_DATA_PORTS, file_data). This is the shell being downloaded or mailed in, not evidence it is installed.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE c99shell comment"; flow:to_client,established; file_data; content:"<h2>I'm a man!</h2>"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:23017; rev:5;)
# sid 23484: inbound request to the Invit0r plugin's ofc_upload_image.php (BID 53995) whose name= parameter is not an
# image extension. NOTE(review): the negated PCRE only inspects the extension after the *last* dot and only in the
# URI (http_uri), so "name=x.php.jpg" or a filename carried in a POST body passes as benign. This is an inbound
# web-application-attack rule, not a post-compromise indicator, despite the file it lives in.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Wordpress Invit0r plugin non-image file upload attempt"; flow:to_server,established; content:"/wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php"; fast_pattern:only; http_uri; content:"name="; http_uri; pcre:!"/name=($|[^\x26]+\x2e(jpe?g|bmp|png|gif)($|\x26))/Ui"; metadata:service http; reference:bugtraq,53995; reference:url,www.opensyscom.fr/Actualites/wordpress-plugins-invit0r-arbitrary-file-upload-vulnerability.html; classtype:web-application-attack; sid:23484; rev:5;)
# sid 24127: raw SMB1 match that does not need dce2. It skips the 4-byte NetBIOS header (offset:4), requires
# "\xffSMB" + command 0x32 (SMB_COM_TRANSACTION2) with a zero status, then 0x0005 in the first setup word at a fixed
# Trans2 offset (distance:51) — TRANS2_QUERY_PATH_INFORMATION, consistent with the msg, but the fixed offsets
# assume the standard header layout (verify) — and finally a UTF-16LE \system32\csrss.exe path. SMB2 ("\xfeSMB")
# is not covered by this rule.
# alert tcp any any -> any [139,445] (msg:"INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - QUERY_PATH_INFO csrss.exe"; flow:to_server,established; content:"|FF 53 4D 42 32 00 00 00 00|"; depth:9; offset:4; content:"|00 05 00|"; within:3; distance:51; content:"|5C 00|s|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5C 00|c|00|s|00|r|00|s|00|s|00 2E 00|e|00|x|00|e|00|"; distance:0; nocase; metadata:service netbios-ssn; reference:url,www.symantec.com/connect/blogs/shamoon-attacks-continue; classtype:trojan-activity; sid:24127; rev:1;)
# sids 24254/24253 (community, bad-unknown): a JavaScript document.location= assignment, or an
# <html><head><meta http-equiv="refresh sequence, whose target is a bare dotted-quad (//d.d.d.d). The PCRE is
# relative (R) to the preceding content and only requires one to three digits per octet, so 999.1.1.1 also
# matches. Intranet applications that redirect to raw IPs are the usual false-positive source; prefer an
# exception list over disabling.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"document.location="; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24254; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"<html><head><meta http-equiv=|22|refresh"; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24253; rev:6;)
# itsoknoproblembro group (sids 24388-24394): control requests to an already-infected HOME_NET web server —
# write file, start/stop "attack", status, start php/perl, and an upload gated by the hard-coded password
# pass=FgYuD@37. A hit means the server is compromised and being tasked, yet the classtype is policy-violation
# rather than trojan-activity, so severity/priority in downstream tooling may understate it.
# NOTE(review): sid 24389's second content has no http_uri modifier and ends in a space, so it is a raw-stream match
# that only succeeds when nothing follows "status" in the request line ("...action=status HTTP/1.x").
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro write file"; flow:to_server,established; content:"action=stpf"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/c5a96f83bed99141a20d31a9b624db8891e475737c2be9a6cdf9cf024e3d2210/analysis/; classtype:policy-violation; sid:24392; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro stop attack"; flow:to_server,established; content:"action=ssttoopp"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/c5a96f83bed99141a20d31a9b624db8891e475737c2be9a6cdf9cf024e3d2210/analysis/; classtype:policy-violation; sid:24393; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro file upload"; flow:to_server,established; content:"pass=FgYuD@37"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/256fee47ccdf100a1c00e32b9cb2b1d18d5fcdccf4ae90085bc90130daa68c95/analysis/; classtype:policy-violation; sid:24388; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro start perl"; flow:to_server,established; content:"action=start.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/c5a96f83bed99141a20d31a9b624db8891e475737c2be9a6cdf9cf024e3d2210/analysis/; classtype:policy-violation; sid:24390; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro start attack"; flow:to_server,established; content:"action=start"; fast_pattern:only; http_uri; content:"time_s="; http_uri; content:"time_e="; http_uri; content:"page="; http_uri; metadata:service http; reference:url,www.virustotal.com/file/573da03a5d0ade02643203b47a6925db43b0d53dfeaf20c31e7700377cd79d15/analysis/; classtype:policy-violation; sid:24394; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro status check"; flow:to_server,established; content:".php?action=status"; fast_pattern:only; http_uri; content:".php?action=status "; metadata:service http; reference:url,www.virustotal.com/file/c5a96f83bed99141a20d31a9b624db8891e475737c2be9a6cdf9cf024e3d2210/analysis/; classtype:policy-violation; sid:24389; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE itsoknoproblembro start php"; flow:to_server,established; content:"action=startphp.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/file/c5a96f83bed99141a20d31a9b624db8891e475737c2be9a6cdf9cf024e3d2210/analysis/; classtype:policy-violation; sid:24391; rev:2;)
# sid 24434: any inbound URI containing "/fx29sh" (fx29shell.php and renamed copies); no method, parameter or
# response check, so it is a low-cost but noisy hunting rule for that shell family.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE fx29shell.php connection attempt"; flow:to_server,established; content:"/fx29sh"; fast_pattern:only; http_uri; metadata:service http; classtype:policy-violation; sid:24434; rev:2;)
# CVS pserver group (sids 2008-2013, 2317; community): error strings *leaving* a HOME_NET CVS server on tcp/2401,
# i.e. server-side evidence of failed logins, bad repository/module names and of the CVE-2003-0015 (double free)
# and CVE-2003-0977 (non-relative path) exploit attempts. Only source port 2401 is matched; pserver on other ports
# or CVS over ssh is not seen by these rules.
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid user authentication response"; flow:to_client,established; content:"E Fatal error, aborting."; fast_pattern:only; content:"|3A| no such user"; metadata:ruleset community; classtype:misc-attack; sid:2008; rev:9;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid repository response"; flow:to_client,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; fast_pattern:only; metadata:ruleset community; classtype:misc-attack; sid:2009; rev:7;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS double free exploit attempt response"; flow:to_client,established; content:"free|28 29 3A| warning|3A| chunk is already free"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2010; rev:12;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid directory response"; flow:to_client,established; content:"E protocol error|3A| invalid directory syntax in"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2011; rev:12;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS missing cvsroot response"; flow:to_client,established; content:"E protocol error|3A| Root request missing"; fast_pattern:only; metadata:ruleset community; classtype:misc-attack; sid:2012; rev:7;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid module response"; flow:to_client,established; content:"cvs server|3A| cannot find module"; fast_pattern:only; content:"error"; metadata:ruleset community; classtype:misc-attack; sid:2013; rev:8;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS non-relative path error response"; flow:to_client,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2317; rev:10;)
# sid 1295 (community): UTF-16LE "RICHED20.DLL" sent to a HOME_NET host on NetBIOS session port 139, the file name
# Nimda used when propagating over open shares. Only 139 is in the port list; direct-hosted SMB on 445 is not covered.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"INDICATOR-COMPROMISE nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L"; nocase; metadata:ruleset community; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:13;)
# php-shell group (sids 23438-23443): artefacts of one specific PHP backdoor. 23441/23440/23439 match the shell's
# own source in a response delivered *to* HOME_NET (debug_msg('<h1>GOTCHA:', my_exec/spawn_shell,
# eval(stripslashes($_REQUEST[...))) — the shell being downloaded or viewed, hence "upload attempt" in the msg.
# 23443 matches its distinctive error text (".phpwas not found", no space — presumably the shell's own 404 page,
# verify); 23438 matches a PHP-serialised "pass" field holding a 32-hex-character (md5-sized) value.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE php-shell remote command shell upload attempt"; flow:to_client,established; file_data; content:"debug_msg('<h1>GOTCHA:"; fast_pattern:only; metadata:service http; classtype:attempted-admin; sid:23441; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE php-shell failed remote command injection attempt"; flow:to_client,established; file_data; content:".phpwas not found on this server.</p>"; fast_pattern:only; metadata:service http; classtype:attempted-admin; sid:23443; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE php-shell remote command shell upload attempt"; flow:to_client,established; file_data; content:"stripslashes($_REQUEST[|5C|'"; fast_pattern:only; content:"function"; nocase; content:"debug_msg"; distance:0; nocase; content:"my_exec"; distance:0; nocase; content:"spawn_shell"; distance:0; nocase; metadata:service http; classtype:attempted-admin; sid:23440; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE php-shell remote command shell upload attempt"; flow:to_client,established; file_data; content:"stripslashes($_REQUEST[|5C|'"; fast_pattern:only; pcre:"/global\s+(?P<global>\$\w+)\s*\x3b\s*(?P=global)\s*=.*?\{\s*eval\(\s*stripslashes\(\s*\$_REQUEST\[\x5c'.*?function_exists\(\s*(?P<q>.)(exec|passthru|system|shell_exec|exec_popen)(?P=q)\s*\)/smi"; metadata:service http; classtype:attempted-admin; sid:23439; rev:4;)
# NOTE(review): sid 23442's PCRE has "\.php?" where "\.php\?" was almost certainly intended — the unescaped "?"
# makes the "p" optional instead of requiring the query-string separator. The http_uri content ".php?" still gates
# the rule, so the practical effect is only that the 32-hex parameter need not directly follow one of the listed
# file names; fix by escaping the "?" and bumping rev. Direction is outbound (HOME_NET client -> remote shell).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE php-shell remote command injection attempt"; flow:to_server,established; content:".php?"; fast_pattern:only; http_uri; pcre:"/\x2f(links|xml|configs|functions|virtual|pointer)\.php?.*?[a-f0-9]{32}=\w+\x28.*?\x29\x3b/iU"; metadata:service http; classtype:attempted-admin; sid:23442; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE php-shell remote command shell initialization attempt"; flow:to_client,established; file_data; content:"|3B|s:4:|22|pass|22 3B|s:32:|22|"; fast_pattern:only; pcre:"/\x3bs\x3a4\x3a\x22pass\x22\x3bs\x3a32\x3a\x22[a-f0-9]{32}\x22/i"; metadata:service http; classtype:attempted-admin; sid:23438; rev:4;)
# APT1 certificate group (sids 25836-25848, Mandiant APT1 report): a TLS record header 16 03 xx with handshake type
# 0x0B (Certificate) at record offset 5 (distance:3 + within:1 after the 2-byte match), then a byte string from the
# server certificate. The 16-byte/within:50 values sit where the serial number is in a DER certificate; the
# 30-byte/within:512 ones are presumably a longer field — verify against the report.
# Caveats: the offset-5 check assumes the Certificate message starts its own TLS record (a ServerHello packed into
# the same record puts 0x02 there instead); only port 443 is watched; and TLS 1.3 encrypts the Certificate
# message, so these clear-text matches only work for TLS 1.2 and below.
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Lame"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|0E 97 88 1C 6C A1 37 96 42 03 BC 45 42 24 75 6C|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25841; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 No-Name"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|83 ED 52 2E 5A E0 7B C0|"; within:50; content:"A|40 40|hole"; nocase; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25848; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Virtuallythere"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|00 EE 48 13 76 F1 76 4B 6A FE 6D 8C 5E 60 44 19 B1 0A B1 9E BB 63 80 8F C8 43 C8 73 AE 77|"; within:512; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25836; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Moon-Night"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|7C 8D 59 39 32 60 9B 8E 45 6B 3F 84 16 92 1F C2|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25847; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Email"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|2F 09 DD E0 FF 81 B7 6C BF 2F 17 92 0C D8 BD 57|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25840; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Alpha"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|46 37 EA 15 B6 54 96 4C B6 44 2B 7B 06 1A A5 30|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25839; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Sur"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|20 82 92 3F 43 2C 8F 75 B7 EF 0F 6A D9 3C 8E 5D|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25844; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Yahoo"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|0A 38 C9 27 08 6F 96 4B BE 75 DC 9F C0 1A C6 28|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25846; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Webmail"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|4C 0B 1D 19 74 86 A7 66 B4 1A BF 40 27 21 76 28|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25838; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 Server"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|52 55 38 16 FB 0D 1A 8A 4B 45 04 CB 06 BC C4 AF|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25843; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 NS"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|72 A2 5C 8A B4 18 71 4E BF C6 6F 3F 98 D6 F7 74|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25842; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 AOL"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|7C A2 74 D0 FB C3 D1 54 B3 D1 A3 00 62 E3 7E F6|"; within:50; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25845; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT1 IBM"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; 
content:"|0B|"; within:1; distance:3; content:"|00 D3 89 1C 10 09 D8 EC 74 2F 5C 1E 24 C0 89 CD 02 2F AD 13 FA 37 EA 9A F9 73 EF 08 DD 3C|"; within:512; metadata:impact_flag red, service ssl; reference:url,intelreport.mandiant.com/; classtype:trojan-activity; sid:25837; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Java user-agent request to svchost.jpg"; flow:to_server,established; content:"/svchost.jpg"; fast_pattern:only; http_uri; content:"Java/1."; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-1493; classtype:trojan-activity; sid:26025; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to dyndns.org detected"; flow:to_server,established; content:"Host|3A 20|checkip.dyndns.org"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:26353; rev:2;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for login.yahoo.com detected"; flow:to_client,established; ssl_state:server_hello; content:"login.yahoo.com"; nocase; content:"|3E 75 CE D4 6B 69 30 21 21 88 30 AE 86 A8 2A 71|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18569; rev:5;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate from usertrust.com detected"; flow:to_client,established; ssl_state:server_hello; content:"usertrust.com"; nocase; content:"|72 03 21 05 C5 0C 08 57 3D 8E A5 30 4E FE E8 B0|"; fast_pattern:only; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=643056; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; 
reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18576; rev:5;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for addons.mozilla.org detected"; flow:to_client,established; ssl_state:server_hello; content:"addons.mozilla.org"; nocase; content:"|92 39 D5 34 8F 40 D1 69 5A 74 54 70 E1 F2 3F 43|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18571; rev:5;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for login.yahoo.com detected"; flow:to_client,established; ssl_state:server_hello; content:"login.yahoo.com"; nocase; content:"|D7 55 8F DA F5 F1 10 5B B2 13 28 2B 70 77 29 A3|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18567; rev:5;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for global trustee detected"; flow:to_client,established; ssl_state:server_hello; content:"global trustee"; nocase; content:"|D8 F3 5F 4E B7 87 2B 2D AB 06 92 E3 15 38 2F B0|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18573; rev:5;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for login.skype.com detected"; flow:to_client,established; ssl_state:server_hello; content:"login.skype.com"; nocase; content:"|E9 02 8B 95 78 E4 15 DC 1A 71 0A 2B 88 15 44 47|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; 
classtype:misc-attack; sid:18570; rev:5;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for login.live.com detected"; flow:to_client,established; ssl_state:server_hello; content:"login.live.com"; nocase; content:"|B0 B7 13 3E D0 96 F9 B5 6F AE 91 C8 74 BD 3A C0|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18572; rev:5;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for login.yahoo.com detected"; flow:to_client,established; ssl_state:server_hello; content:"login.yahoo.com"; nocase; content:"|39 2A 43 4F 0E 07 DF 1F 8A A3 05 DE 34 E0 C2 29|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18568; rev:5;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for mail.google.com detected"; flow:to_client,established; ssl_state:server_hello; content:"mail.google.com"; nocase; content:"|04 7E CB E9 FC A5 5F 7B D0 9E AE 36 E1 0C AE 1E|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18565; rev:5;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE fraudulent digital certificate for www.google.com detected"; flow:to_client,established; ssl_state:server_hello; content:"www.google.com"; nocase; content:"|F5 C8 6A F3 61 62 F1 3A 64 F5 4F 6D C9 58 7C 06|"; fast_pattern:only; reference:url,technet.microsoft.com/en-us/security/advisory/2524375; reference:url,www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html; classtype:misc-attack; sid:18566; rev:5;) # alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE BeEF javascript hook.js download attempt"; flow:to_client,established; file_data; content:"beef.onpopstate.push(function(event)"; fast_pattern:only; metadata:service http; classtype:attempted-user; sid:23107; rev:4;)
# NOTE(review): 26397 (myip.dnsomatic.com) and 26410 (j.maxmind.com/app/geoip.js) are two more public-IP /
# geolocation lookups. Both are legitimate services embedded by many sites; disabled by default, misc-activity.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to myip.dnsomatic.com detected"; flow:to_server,established; content:"Host|3A 20|myip.dnsomatic.com"; fast_pattern:only; http_header; metadata:service http; classtype:misc-activity; sid:26397; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to j.maxmind.com detected"; flow:to_server,established; content:"/app/geoip.js"; http_uri; content:"Host|3A 20|j.maxmind.com"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:26410; rev:4;)
# NOTE(review): Cdorked (26530 request side, 26528 redirect side) decodes 150 bytes of base64 starting 10 bytes
# after "/index.php?" and requires the literal fields time=, &src=, &surl= in that order in the decoded data.
# The fast-pattern "0aW1lP" is base64 of "time=" at one particular 3-byte alignment (presumably the one the
# backdoor's URL layout produces); the decoded-field checks are what actually confirm the match.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirected URI attempt"; flow:to_server,established; urilen:>150,norm; content:"0aW1lP"; fast_pattern; http_uri; content:"/index.php?"; depth:11; http_uri; base64_decode:bytes 150, offset 10, relative; base64_data; content:"time="; content:"&src="; distance:0; content:"&surl="; distance:0; metadata:impact_flag red, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26530; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt"; flow:to_client,established; content:"0aW1lP"; fast_pattern; http_header; content:"/index.php?"; distance:-50; http_header; base64_decode:bytes 150, offset 10, relative; base64_data; content:"time="; content:"&src="; distance:0; content:"&surl="; distance:0; metadata:impact_flag red, ruleset community, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26528; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php"; within:100; content:"</iframe>"; distance:0; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:2;)
# NOTE(review): 27047 is a raw-payload match (no http_ buffer modifier) on the literal request line
# "GET /?1 HTTP/1.1"; any client fetching "/?1" trips it, hence classtype bad-unknown and disabled by default.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:ruleset community, service http; classtype:bad-unknown; sid:27047; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; content:"User-Agent|3A| SEX|2F|1"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:3;)
# NOTE(review): 27255 fingerprints a header *order* rather than a name: "<digits>.exe HTTP/1.1" followed
# directly by Cache-Control, Connection, Pragma, User-Agent (within 76 bytes), then what appears to be exactly
# one more "name: value" header and none after it (positive then negated "|3A 20|"). A client that adds or
# reorders a header is missed; that is the intended trade-off for a low false-positive rate.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE All Numbers .EXE file name from abnormally ordered HTTP headers - Potential Yakes Trojan Download"; flow:to_server,established; content:"GET"; http_method; content:".exe HTTP/1.1|0D 0A|Cache-Control: "; fast_pattern:only; content:".exe HTTP/1.1"; nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|User-Agent: "; within:76; content:"|3A 20|"; distance:0; content:!"|3A 20|"; distance:0; pcre:"/\x2f\d+\.exe$/Ui"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27255; rev:1;)
# NOTE(review): 27732/27731/27730/27729 are inbound requests for JSP web-shell file names seen after Struts2
# compromises (see the Mandiant reference). They only catch the default names; a renamed shell is not covered.
# The ATT&CK reference T1100 appears to have been retired in favour of T1505.003 -- worth refreshing.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE request for potential web shell - /jspspy.jsp"; flow:to_server,established; content:"/jspspy.jsp"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.mandiant.com/blog/responding-attacks-apache-struts2/; classtype:misc-activity; sid:27732; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE request for potential web shell - /inback.jsp"; flow:to_server,established; content:"/inback.jsp"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.mandiant.com/blog/responding-attacks-apache-struts2/; classtype:misc-activity; sid:27731; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE request for potential web shell - /css3.jsp"; flow:to_server,established; content:"/css3.jsp"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.mandiant.com/blog/responding-attacks-apache-struts2/; classtype:misc-activity; sid:27730; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE request for potential web shell - /Silic.jsp"; flow:to_server,established; content:"/Silic.jsp"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.mandiant.com/blog/responding-attacks-apache-struts2/; classtype:misc-activity; sid:27729; rev:4;)
# NOTE(review): 27721/28039/28190/28284 require the 10 DNS header bytes after the ID to be exactly
# 01 00 | 00 01 | 00 00 | 00 00 | 00 00, i.e. flags = RD only, one question and -- notably -- ARCOUNT = 0.
# A resolver that attaches an EDNS(0) OPT record (ARCOUNT = 1) therefore never matches; confirm that is
# acceptable. The TLD is the only signal, so expect hits on legitimate .su/.pw/.cc/.nl.ai traffic; 28039
# explicitly exempts "u.pw" via the negated |01|u|02|pw label sequence.
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .su dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|su|00|"; distance:0; fast_pattern; metadata:service dns; classtype:trojan-activity; sid:27721; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .pw dns query"; flow:to_server; content:!"|01|u|02|pw"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pw|00|"; distance:0; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:28039; rev:7;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .cc dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cc|00|"; distance:0; fast_pattern; metadata:service dns; classtype:trojan-activity; sid:28190; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .nl.ai dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|nl|02|ai|00|"; distance:0; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:28284; rev:3;)
# NOTE(review): 28806 needs a URI of exactly 6 bytes (urilen:6) shaped "/X.exe"; its ".exe" content is a raw
# match and the pcre with /U does the real check. 28945 needs a URI longer than 7 bytes containing "/exe.exe".
# Both cite urlquery searches rather than a sample, so they are naming heuristics, not family detections.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware download - single digit .exe file download"; flow:to_server,established; urilen:6; content:".exe"; fast_pattern:only; pcre:"/\/[a-z0-9]\.exe$/Ui"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5Ba-zA-Z%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-09-07&end=2013-12-06&max=400; classtype:trojan-activity; sid:28806; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE exe.exe download"; flow:to_server,established; urilen:>7; content:"/exe.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5BEe%5D%5BXx%5D%5BEe%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-11-21&end=2013-12-06&max=400;
classtype:trojan-activity; sid:28945; rev:1;)
# NOTE(review): 29090 (iframe.ip138.com) and 30230 (www.dawhois.com) treat an IP lookup *without* Accept and
# Referer headers as the indicator -- a bare HTTP client rather than a browser. 30230 is enabled and drops in
# every policy; 29090 is disabled and only alerts in security-ips. The negated-header spelling differs between
# the two ("|0D 0A|Accept" vs "Accept|3A|") but both intend the same check.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE suspicious test for public IP - iframe.ip138.com"; flow:to_server,established; content:"/ic.asp"; http_uri; content:"Host|3A 20|iframe.ip138.com|0D 0A|"; fast_pattern:only; http_header; content:!"|0D 0A|Accept"; http_header; content:!"|0D 0A|Referer"; http_header; metadata:policy max-detect-ips drop, policy security-ips alert, service http; classtype:successful-recon-limited; sid:29090; rev:2;)
# NOTE(review): 30066/30065 match a Set-Cookie "USERID=shine-check" / "USERID=twotime" returned by a
# compromised ZenCart site (see the Sucuri reference); direction is server->client, so the $HOME_NET side of
# the alert is the visitor that received the redirect, not the compromised shop.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE ZenCart malicious redirect attempt detected"; flow:to_client,established; content:"Set-Cookie|3A 20|USERID=shine-check|3B|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html; classtype:trojan-activity; sid:30066; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE ZenCart compromise attempt detected"; flow:to_client,established; content:"Set-Cookie|3A 20|USERID=twotime|3B|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html; classtype:trojan-activity; sid:30065; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE suspicious test for public IP - www.dawhois.com"; flow:to_server,established; content:"Host|3A 20|www.dawhois.com|0D 0A|"; fast_pattern:only; http_header; content:!"Accept|3A|"; http_header; content:!"Referer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/C84FC7BEF4E77E1F913A4BE1A7114D255459F9D808FCC09B0F441E3761E5E4A4/analysis/; classtype:trojan-activity; sid:30230; rev:2;)
# NOTE(review): 31001/31000/30999/30998/30997 depend on flowbits file.zip, which is set by a file-identification
# rule outside this section -- they are inert unless that rule is active. They then look for a double-extension
# name anywhere in the file_data stream (local header or central directory) and additionally require a
# Content-Length header, so chunked responses without one are not covered.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)
# NOTE(review): 30995/30994 anchor on the "ustar" magic at offset 257 and compare the size field at offset 124.
# That field is ASCII *octal* per POSIX; byte_test reads 10 of its bytes as "string,dec". Digit strings made of
# 0-7 order the same way in either base, so the comparison still behaves, but ">100000" is then a heuristic on
# the leading digits rather than an exact byte count -- confirm the intended cutoff, and note that a GNU
# base-256 size encoding will not parse as a digit string at all. Per the reference, CVE-2012-1457 is the
# scanner-evasion issue where the declared entry size exceeds the archive.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE possible TAR file oversize length field"; flow:to_server,established; file_data; content:"ustar"; depth:5; offset:257; byte_test:10,>,100000,124,string,dec; metadata:service smtp; reference:cve,2012-1457; classtype:trojan-activity; sid:30995; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE possible TAR file oversize length field"; flow:to_client,established; file_data; content:"ustar"; depth:5; offset:257; byte_test:10,>,100000,124,string,dec; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-1457; classtype:trojan-activity; sid:30994; rev:1;)
# NOTE(review): 31214 matches the "X-Sinkhole: Malware GameOverZeus sinkhole" response header; the flow is
# server->client, so the $HOME_NET destination in the alert is the infected host to triage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE connection to zeus malware sinkhole"; flow:to_client,established; content:"X-Sinkhole|3A| Malware GameOverZeus sinkhole"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/sinkhole_server; classtype:trojan-activity; sid:31214; rev:2;)
# NOTE(review): 31213/31212 look for a request line ("POST /" or "GET /" ... " HTTP/") inside the http_header
# buffer. That is only meaningful if the buffer excludes the real request line (otherwise every request would
# fire); presumably it does in this engine version -- confirm. Disabled by default; the referenced
# CVE-2014-0099 is a Tomcat request-smuggling issue.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE http POST request smuggling attempt"; flow:to_server,established; content:"POST /"; fast_pattern:only; http_header; content:" HTTP/"; http_header; metadata:service http; reference:cve,2014-0099; classtype:misc-attack; sid:31213; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE http GET request smuggling attempt"; flow:to_server,established; content:"GET /"; fast_pattern:only; http_header; content:" HTTP/"; http_header; metadata:service http; reference:cve,2014-0099; classtype:misc-attack; sid:31212; rev:1;)
# NOTE(review): Liz0ziM shell family: 31503 (mail), 31502/31501 (C2 POSTs), 31500 (upload) and 31499 (download).
# "|24 5F|POST|5B|liz0|5D|" is the literal $_POST[liz0]; the C2 rules require the request body to *start* with
# "liz0=" / "baba=" (depth:5) after a fast-pattern prefilter on the same string. All enabled, drop in all policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Liz0ziM php shell download attempt"; flow:to_server,established; file_data; content:"Liz0ziM"; fast_pattern:only; content:"|24 5F|POST|5B|liz0|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/599a1ec19581cdcc5d268093bd8cbeaf2c6c519390d68820f2a1258297f0d783/analysis/; classtype:attempted-user; sid:31503; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"liz0="; fast_pattern:only; http_client_body; content:"liz0="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/599a1ec19581cdcc5d268093bd8cbeaf2c6c519390d68820f2a1258297f0d783/analysis/; classtype:attempted-user; sid:31502; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Liz0ziM php shell command and control attempt"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"baba="; fast_pattern:only; http_client_body; content:"baba="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/599a1ec19581cdcc5d268093bd8cbeaf2c6c519390d68820f2a1258297f0d783/analysis/; classtype:attempted-user; sid:31501; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"INDICATOR-COMPROMISE Liz0ziM php shell upload attempt"; flow:to_server,established; file_data; content:"Liz0ziM"; fast_pattern:only; content:"|24
5F|POST|5B|liz0|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/599a1ec19581cdcc5d268093bd8cbeaf2c6c519390d68820f2a1258297f0d783/analysis/; classtype:attempted-user; sid:31500; rev:2;)
# NOTE(review): 31499 is the download-side twin of 31500 above (same $_POST[liz0] string, client direction).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Liz0ziM php shell download attempt"; flow:to_client,established; file_data; content:"Liz0ziM"; fast_pattern:only; content:"|24 5F|POST|5B|liz0|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/599a1ec19581cdcc5d268093bd8cbeaf2c6c519390d68820f2a1258297f0d783/analysis/; classtype:attempted-user; sid:31499; rev:2;)
# NOTE(review): 31531 matches the MinerDeploy beacon: a request to /monitor.php? carrying myid=, &ip=,
# &cgminer=, &operatingsystem= in order, with no Content-Length or Content-Type header (presumably to exclude
# POST bodies). Enabled and set to drop in all three policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE MinerDeploy monitor request attempt"; flow:to_server,established; content:"/monitor.php?"; fast_pattern; http_uri; content:"myid="; distance:0; http_uri; content:"&ip="; distance:0; http_uri; content:"&cgminer="; distance:0; http_uri; content:"&operatingsystem="; distance:0; http_uri; content:!"Content-Length|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/06033b08afd30b413cce3b9a169cb8396fe34865f3bacd436c652dbb469ced62/analysis/; classtype:trojan-activity; sid:31531; rev:2;)
# NOTE(review): 31711 is a plain string-detect for " KeyLog" anywhere in the FTP control channel (e.g. a STOR
# of an exfiltrated log). Any file name containing "KeyLog" will match; disabled by default.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"INDICATOR-COMPROMISE Keylog string over FTP detected"; flow:to_server,established; content:"|20|KeyLog"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; reference:url,attack.mitre.org/techniques/T1056; classtype:string-detect; sid:31711; rev:3;)
# NOTE(review): 32646 depends on flowbits file.zip (set by a file-identification rule outside this section) and
# then looks for "_pdf.exe" anywhere in the zip stream; inert unless that rule is active.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"_pdf.exe"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity; sid:32646; rev:2;)
# NOTE(review): 32888 fires on a one-byte URI ("/") GET with Host www.fedex.com whose Referer is a
# /wp-admin/<name>.php page -- the visitor was bounced from a compromised WordPress admin script to a lure.
# Direction is $HOME_NET -> external, so the alert's source IP is the user who followed the redirect.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt"; flow:to_server,established; urilen:1; content:"GET"; http_method; content:"/wp-admin/"; fast_pattern:only; http_header; content:"Host: www.fedex.com|0D 0A|"; http_header; pcre:"/Referer\x3a\x20[\x20-\x7E]*?\/wp\x2dadmin\/[a-z\d\x2d]+?\.php\r\n/Hi"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.hybrid-analysis.com/sample/a531bc62b0460eba5b0003b535a2e9cceae0b623aecfdc6f0331743fbee77e56/; classtype:trojan-activity; sid:32888; rev:2;)
# NOTE(review): 32948 only checks for the zip local-header magic "PK|03 04|" at offset 0 and the string ".scr"
# anywhere after it, so any archive whose contents mention ".scr" matches; classtype policy-violation and
# disabled-by-default reflect that it is a coarse filter.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Download of executable screensaver file"; flow:to_client,established; file_data; content:"PK|03 04|"; depth:4; content:".scr"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1180; reference:url,www.virustotal.com/en/file/cb7a29d1dec378f94b394ba4df3dc1fe5fe3b8d1d4ca3e70da3a611b67588ae7/analysis/; classtype:policy-violation; sid:32948; rev:4;)
# NOTE(review): 33216 (tor2web.org) and 33215 (icanhazip.com) only check that the DNS flags byte has the QR and
# opcode bits clear (byte_test !& 0xF8 at offset 2), so EDNS queries are still covered -- looser than the
# fixed 10-byte header match used by the TLD rules above. The msg calls both "known malware domain", but the
# sole reference is one VT sample that used them; icanhazip.com is a general public-IP echo service and
# tor2web.org a Tor gateway, so treat these as IP-check / anonymizer indicators (classtype misc-activity
# already reflects that) and consider renaming in line with the "IP address check" rules.
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|tor2web|03|org|00|"; fast_pattern:only; metadata:service dns; reference:url,www.virustotal.com/en/file/ce7ed063a777fc597c788ef5a1cfdff7b823f34b8207043a482025e4bcd8db7a/analysis/; classtype:misc-activity; sid:33216; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|icanhazip|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,www.virustotal.com/en/file/ce7ed063a777fc597c788ef5a1cfdff7b823f34b8207043a482025e4bcd8db7a/analysis/; classtype:misc-activity; sid:33215; rev:1;)
# NOTE(review): 33224 is the Blocker variant's exact User-Agent plus "Host: checkip.dyndns.org" with no Accept
# header -- a very specific fingerprint (Chrome/35 on NT 6.3), so a UA change in the malware silently evades it.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Blocker variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.3|3B| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36|0D 0A|Host: checkip.dyndns.org|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/79b75a8564e2e446789e1890f52c025792de919b63719e02630a70d6ae9a3ca4/analysis/1421439683/; classtype:misc-activity; sid:33224; rev:1;)
# NOTE(review): 34465 keys on the plain string "SolusVM Slave" in server_hello state. That looks like a
# product-default certificate subject rather than something attacker-specific, so legitimate SolusVM nodes
# could match too -- verify the false-positive exposure before enabling.
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - APT28 Lisuife"; flow:to_client,established; ssl_state:server_hello; content:"SolusVM Slave"; fast_pattern:only; metadata:impact_flag red, service ssl; reference:url,www.virustotal.com/en/file/566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092/analysis/; classtype:trojan-activity; sid:34465; rev:1;)
# NOTE(review): 29822/29821 flag content that references C:\\windows\\AppPatch\\EMET.DLL together with
# CollectGarbage(); per the msg and the CVE-2013-7331 / MS14-052 reference this is the EMET-presence probe
# made possible by that information-disclosure bug. Enabled and set to drop in all three policies.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Windows Internet Explorer EMET check and garbage collection"; flow:to_server,established; file_data; content:"CollectGarbage()"; content:"C:|5C 5C|windows|5C 5C|AppPatch|5C 5C|EMET.DLL"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-7331; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:misc-attack; sid:29822; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Windows Internet Explorer EMET check and garbage collection"; flow:to_client,established; file_data; content:"CollectGarbage()"; content:"C:|5C 5C|windows|5C 5C|AppPatch|5C 5C|EMET.DLL"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-7331; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-052; classtype:misc-attack; sid:29821; rev:6;)
# NOTE(review): 18757/18756/2123 catch a cmd.exe banner leaving $HOME_NET from any port except 21-23, i.e. a
# reverse shell (flow:established, either direction). Each pins a copyright string: "Copyright (c) 2006"
# (Vista), "Copyright (c) 2009" (7 / 2008 R2), "(C) Copyright 1985-" (older). Newer Windows releases print a
# different year/format and are not covered by these three -- verify against current banners.
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner Windows Vista"; flow:established; content:"Microsoft Windows"; depth:18; content:"Copyright |28|c|29| 2006"; distance:0; content:"Microsoft Corporation"; distance:0; metadata:policy max-detect-ips drop; reference:nessus,11633; classtype:successful-admin; sid:18757; rev:8;)
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner Windows 7/Server 2008R2"; flow:established; content:"Microsoft Windows"; depth:18; content:"Copyright |28|c|29| 2009"; distance:0; content:"Microsoft Corporation"; distance:0; metadata:policy max-detect-ips drop; reference:nessus,11633; classtype:successful-admin; sid:18756; rev:9;)
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; depth:18; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:12;)
# NOTE(review): 1882 (tail continues below) is the classic "uid=... gid=..." id(1) output check on any IP
# protocol leaving $HOME_NET; the pcre bounds both ids to 1-5 digits.
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE id check returned userid"; content:"uid="; nocase; content:" gid=";
distance:0; pcre:"/uid=\d{1,5}\S+\s+gid=\d{1,5}/smi"; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:1882; rev:20;)
# NOTE(review): 34864 (|16 03 03| = TLS 1.2), 36612 (|16 03 02| = TLS 1.1) and 36611 (|16 03 01| = TLS 1.0)
# walk the ASN.1 of the default Metasploit reverse-HTTPS certificate: Certificate handshake (0x0B), two
# SEQUENCEs, [0] version, serial INTEGER, signature OID 1.2.840.113549.1.1.x, an issuer with a single
# commonName (2.5.4.3 as UTF8String), UTCTime validity, a subject with again a single commonName, rsaEncryption
# public key, then the fast-pattern tail = exponent 65537, an empty basicConstraints (2.5.29.19) extension and
# sha256WithRSAEncryption. Only 36611 (rev:3) reads the commonName length with byte_extract and skips exactly
# that far; 34864 and 36612 hard-code "within:10; distance:3" and "within:9; distance:2", so they only fit a CN
# whose length falls inside that window -- aligning both with 36611 would close that gap. None of the three
# can cover TLS 1.3, where the Certificate message is encrypted.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 03|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30|"; within:10; distance:3; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30 82|"; within:9; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:34864; rev:2;)
# NOTE(review): 35222 is a raw match for "koalabride" on server port 448 with no ssl_state gate, so any
# cleartext occurrence of that string on 448 fires; enabled and drops in all three policies.
alert tcp $EXTERNAL_NET 448 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE known malicious SSL certificate - Win.Trojan.Dridex"; flow:to_client,established; content:"koalabride"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/5aad7720c0bb9848d540705943999d4e90908ba40a9d38e20018e53eb741dcb8/analysis/; classtype:trojan-activity; sid:35222; rev:2;)
# NOTE(review): 35745 looks for a .swf request whose query carries styleid=, &langid=, &sid=, &d= in order
# (urilen > 25), the URL shape from the Securelist Wild Neutron write-up; enabled and set to drop.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Wild Neutron potential exploit attempt"; flow:to_server,established; urilen:>25; content:".swf?"; http_uri; content:"styleid="; distance:0; http_uri; content:"&langid="; distance:0; http_uri; content:"&sid="; distance:0; http_uri; content:"&d="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:35745; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 02|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30|"; within:10; distance:3; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30 82|"; within:9; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:36612; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; byte_extract:1,0,string_size,relative; content:"|30|"; within:1; distance:string_size; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; byte_extract:1,0,string_size,relative; content:"|30 82|"; within:2; distance:string_size; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:36611; rev:3;)
# NOTE(review): 36760/36759 decode as setAttributeNS( <ns>, <...requiredFeatures|requiredExtensions...>,
# "<string made only of whitespace/control characters, literal or as \v \f \b \t \n \s \r \0 \x20 \x0N escapes>" ),
# case-insensitive and multiline (/im). CVE-2015-6086 / MS15-112 is the referenced IE ASLR-bypass. Disabled
# by default; drop in max-detect and security policies only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt"; flow:to_server,established; file_data; content:"setAttributeNS"; content:"required"; within:100; pcre:"/setAttributeNS\s*\x28[^,]*,[^,]*required(Features|Extensions)[^,]*,[^\x29]+[\x22\x27]([\0\s]|\\([vfbtnsr0]|x(20|0[\da-f])))+[\x22\x27]/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-6086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:misc-activity; sid:36760; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt"; flow:to_client,established; file_data; content:"setAttributeNS"; content:"required"; within:100; pcre:"/setAttributeNS\s*\x28[^,]*,[^,]*required(Features|Extensions)[^,]*,[^\x29]+[\x22\x27]([\0\s]|\\([vfbtnsr0]|x(20|0[\da-f])))+[\x22\x27]/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-6086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-112; classtype:misc-activity; sid:36759; rev:5;)
# NOTE(review): 37244/37243 depend on flowbits file.doc (set by a file-identification rule outside this
# section) and then look for the literal "powershell.exe" in the document stream; an obfuscated or split
# string is not seen. security-ips only alerts; max-detect drops.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE download of a Office document with embedded PowerShell"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"powershell.exe"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; classtype:trojan-activity; sid:37244; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE download of a Office document with embedded PowerShell"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"powershell.exe"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips alert, service smtp; reference:url,attack.mitre.org/techniques/T1086; classtype:trojan-activity; sid:37243; rev:3;)
# NOTE(review): 37963 (rule tail continues below) matches URIs of the form /poc<digits> or /poc_<letters>
# followed by one of a fixed list of extensions, all spelled as hex escapes in the pcre.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE malicious file download attempt"; flow:to_server,established; content:"|2F 70 6F 63|"; http_uri; pcre:"/\x2f\x70\x6f\x63(\d*|\x5f[\x61-\x7a]+)\x2e(\x68\x74\x6d\x6c|\x78(\x6c\x73|\x73\x6c|\x6d\x6c)|\x6a(\x73|\x61\x76a)|\x61\x73\x70|\x70(\x64f|\x70\x74|\x48\x70|\x73\x64)|\x66\x6c\x76|\x73\x77\x66|\x64\x6fc|\x74\x74\x66|\x62\x6d\x70|\x6d(\x70\x33|\x33\x75))/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:misc-activity; sid:37963;
rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data"; flow:to_client,established; content:"Content-Type|3A 20|text/plain"; http_header; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38619; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potential abuse of originating page privileges by new tab"; flow:to_client; file_data; content:"window.opener.location"; fast_pattern:only; metadata:service http; reference:url,www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/; classtype:policy-violation; sid:38767; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"INDICATOR-COMPROMISE IRC nick change on non-standard port"; flow:to_server,established; dsize:<100; content:"NICK "; depth:5; metadata:service irc; classtype:trojan-activity; sid:38933; rev:1;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Netgear D6000 or D3600 password recovery page access attempt"; flow:to_server,established; content:"/cgi-bin/passrec.asp"; fast_pattern:only; nocase; http_uri; metadata:service http; reference:cve,2015-8289; reference:url,www.kb.cert.org/vuls/id/778696; classtype:misc-activity; sid:39444; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Content-Type image containing Portable Executable data"; flow:to_client,established; content:"Content-Type|3A 20|image/"; fast_pattern:only; http_header; file_data; content:"MZ"; depth:2; 
byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/2dc752d12baa8c8441b82dd52abfd51c25abd28ba42344b22869ba7ae5a9a877/analysis/1469197722/; classtype:trojan-activity; sid:39729; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Oracle E-Business Suite arbitrary node deletion"; flow:to_server,established; content:"/pls/"; http_uri; content:"/fnd_document_management.Dm_Nodes_Delete?"; fast_pattern:only; http_uri; content:"p_node_id="; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23532; reference:cve,2007-2170; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html; classtype:misc-activity; sid:39870; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .tk dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|tk|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,en.wikipedia.org/wiki/.tk; classtype:misc-activity; sid:39867; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .ml dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|ml|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,en.wikipedia.org/wiki/.ml; classtype:misc-activity; sid:39866; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Connection to malware sinkhole - CERT.PL"; flow:to_client,established; content:"Content-Length: 24|0D 0A|"; http_header; content:"Sinkholed by CERT.PL<br>"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips 
drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:39851; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Meteocontrol WEBlog config containing passwords download attempt"; flow:to_server,established; content:"/html/en/confAccessProt.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-2296; classtype:web-application-attack; sid:39881; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INDICATOR-COMPROMISE Cisco IOS commandline overflow attempt."; flow:to_server,established; content:"|16 50 16 60 16 B8 16 82 16 AA 16 AA 16 AA 16 35 16 AA 16 AA 16 AA 16 AA 16 BF 16 14 16 B3 16|"; fast_pattern:only; reference:cve,2016-6367; classtype:attempted-admin; sid:39987; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INDICATOR-COMPROMISE Cisco IOS commandline overflow attempt"; flow:to_server,established; content:"|16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08 16 08|"; fast_pattern:only; reference:cve,2016-6367; classtype:attempted-admin; sid:39986; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INDICATOR-COMPROMISE Cisco IOS commandline overflow attempt."; flow:to_server,established; content:"|16 50 16 60 16 B8 16 82 16 AA 16 AA 16 AA 16 35 16 AA 16 AA 16 AA 16 AA 16 BF 16 20 16 E6 16|"; fast_pattern:only; reference:cve,2016-6367; classtype:attempted-admin; sid:39985; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INDICATOR-COMPROMISE Cisco IOS commandline overflow attempt."; flow:to_server,established; content:"|16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01 16 01|"; fast_pattern:only; reference:cve,2016-6367; classtype:attempted-admin; sid:39984; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INDICATOR-COMPROMISE Cisco IOS commandline overflow attempt"; 
flow:to_server,established; content:"|16|"; fast_pattern; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; content:"|16|"; within:1; distance:1; reference:cve,2016-6367; classtype:attempted-admin; sid:39983; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE TextDecorationLineUnderline property use"; flow:to_server,established; file_data; content:"TextDecorationLineUnderline"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service smtp; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40093; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE TextDecorationLineThrough property use"; flow:to_server,established; file_data; content:"TextDecorationLineThrough"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service smtp; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40092; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE TextDecorationLineOverline property use"; flow:to_server,established; file_data; content:"TextDecorationLineOverline"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service smtp; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40091; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE TextDecorationLineNone property use"; flow:to_server,established; file_data; 
content:"TextDecorationLineNone"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service smtp; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40090; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE TextDecorationBlink property use"; flow:to_server,established; file_data; content:"TextDecorationBlink"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service smtp; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40089; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE TextDecorationLineUnderline property use"; flow:to_client,established; file_data; content:"TextDecorationLineUnderline"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40088; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE TextDecorationLineThrough property use"; flow:to_client,established; file_data; content:"TextDecorationLineThrough"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40087; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE TextDecorationLineOverline property use"; 
flow:to_client,established; file_data; content:"TextDecorationLineOverline"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40086; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE TextDecorationLineNone property use"; flow:to_client,established; file_data; content:"TextDecorationLineNone"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40085; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE TextDecorationBlink property use"; flow:to_client,established; file_data; content:"TextDecorationBlink"; fast_pattern:only; content:".createElement"; nocase; content:".setAttribute"; nocase; content:".removeAttribute"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3324; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-104; classtype:attempted-recon; sid:40084; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE wsf inside zip potential malicious file download attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; depth:4; content:".wsf"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:url,bleepingcomputer.com/news/security/zepto-ransomware-locky-variant-being-distributed-via-wsf-attachments/; classtype:attempted-user; sid:40568; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"INDICATOR-COMPROMISE shell script download with curl from external source"; flow:to_server,established; content:"User-Agent: curl"; fast_pattern:only; http_header; content:".sh"; nocase; http_uri; pcre:"/\x2Esh$/Ui"; metadata:service http; classtype:suspicious-filename-detect; sid:40598; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE shell script download with wget from external source"; flow:to_server,established; content:"User-Agent: Wget"; fast_pattern:only; http_header; content:".sh"; nocase; http_uri; pcre:"/\x2Esh$/Ui"; metadata:service http; classtype:suspicious-filename-detect; sid:40597; rev:3;) # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE DNS response points to sinkholed domain"; flow:to_client,established; content:"|00 02 00 01|"; content:"honeybot|02|us"; fast_pattern:only; metadata:service dns; reference:url,whois.domaintools.com/honeybot.us; classtype:trojan-activity; sid:40610; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Malicious script redirect attempt"; flow:to_client, established; file_data; content:"<script"; nocase; content:"username=yelang88888"; within:200; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:40828; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt"; flow:to_server,established; file_data; content:"<scriptlet>"; fast_pattern:only; content:"<registration"; nocase; content:"progid"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,msdn.microsoft.com/en-us/library/ms974602.aspx; classtype:attempted-user; sid:40830; rev:2;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE potential Squiblydoo application whitelisting 
bypass attempt"; flow:to_client,established; file_data; content:"<scriptlet>"; fast_pattern:only; content:"<registration"; nocase; content:"progid"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,msdn.microsoft.com/en-us/library/ms974602.aspx; classtype:attempted-user; sid:40829; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"(*THEN"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7868; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41009; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"(*THEN"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7868; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41008; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"(*SKIP"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7870; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41007; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS 
-> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"(*SKIP"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7870; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41006; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"(*PRUNE"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7869; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41001; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"(*PRUNE"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7869; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:41000; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|07 28 2A|MARK|3A|"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-7867; 
reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:40997; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|07 28 2A|MARK|3A|"; fast_pattern:only; content:"|06|RegExp"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-7867; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-39.html; classtype:attempted-user; sid:40996; rev:2;) # alert tcp $HOME_NET [1024:] -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port"; flow:to_client,established; content:"|05 FF|"; depth:2; dsize:2; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41534; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 03 00 04|"; depth:4; dsize:<30; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41533; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 03 00 03|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41532; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 03 00 01|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41531; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] 
(msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 02 00 04|"; depth:4; dsize:<30; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41530; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 02 00 03|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41529; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 02 00 01|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41528; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 01 00 04|"; depth:4; dsize:<30; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41527; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 01 00 03|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41526; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port"; flow:to_server,established; content:"|05 01 00 01|"; depth:4; dsize:<100; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41525; rev:2;) # alert tcp $HOME_NET [1024:] -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port"; flow:to_client,established; content:"|05 
00|"; depth:2; dsize:2; reference:url,news.drweb.com/show/?i=11115&c=5&lng=en&p=0; classtype:trojan-activity; sid:41524; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"INDICATOR-COMPROMISE Writable SQL directories discovery attempt"; flow:to_server, established; content:"SELECT"; nocase; content:"INTO DUMPFILE"; distance:0; nocase; content:"SELECT"; distance:0; nocase; content:"INTO DUMPFILE"; distance:0; nocase; metadata:service mysql; reference:url,dev.mysql.com/doc/refman/5.7/en/select-into.html; classtype:attempted-recon; sid:41637; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS"; flow:to_server,established; content:"User-Agent|3A| Microsoft BITS"; http_header; content:"Host|3A 20|xn--"; fast_pattern:only; http_header; pcre:"/(\x2ebat|\x2eexe)$/smiU"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:41710; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-COMPROMISE d-link sharecenter dns-320 denial of service attempt"; flow:to_server,established; content:"/cgi-bin/system_mgr.cgi"; fast_pattern:only; nocase; http_uri; content:"cmd=cgi_restart"; nocase; http_client_body; metadata:service http; reference:url,sharecenter.dlink.com/products/DNS-320; classtype:web-application-attack; sid:41758; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-COMPROMISE d-link sharecenter dns-320 denial of service attempt"; flow:to_server,established; content:"/cgi-bin/system_mgr.cgi"; fast_pattern:only; nocase; http_uri; content:"cmd=cgi_shutdown"; nocase; http_client_body; metadata:service http; reference:url,sharecenter.dlink.com/products/DNS-320; classtype:web-application-attack; sid:41757; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-COMPROMISE d-link sharecenter dns-320 denial of service 
attempt"; flow:to_server,established; content:"/cgi-bin/wizard_mgr.cgi"; fast_pattern:only; nocase; http_uri; content:"cmd=cgi_wizard"; nocase; http_client_body; metadata:service http; reference:url,sharecenter.dlink.com/products/DNS-320; classtype:web-application-attack; sid:41756; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-COMPROMISE d-link sharecenter dns-320 denial of service attempt"; flow:to_server,established; content:"/cgi-bin/dks_mgr.cgi"; fast_pattern:only; nocase; http_uri; content:"cmd=FMT_restart"; nocase; http_client_body; metadata:service http; reference:url,sharecenter.dlink.com/products/DNS-320; classtype:web-application-attack; sid:41755; rev:1;) # alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE clorius controls information gathering attempt"; flow:to_client, established; content:"Server|3A| ISC SCADA Service HTTPserv|3A|00001"; fast_pattern:only; http_header; file_data; content:"Firmware Version"; nocase; content:"Script Version"; distance:0; nocase; content:"IP-adresse"; distance:0; nocase; content:"AI"; distance:0; nocase; content:"AO"; distance:0; nocase; content:"DI"; distance:0; nocase; content:"DO"; distance:0; nocase; content:"MAC-adresse"; distance:0; nocase; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-13-091-02; classtype:attempted-recon; sid:41784; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Request for external IP address detected"; flow:to_server,established; content:"Host: myexternalip.com"; fast_pattern:only; http_header; content:"/raw"; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; reference:url,virustotal.com/en/file/9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740/analysis/; classtype:trojan-activity; sid:42082; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE RTF url moniker COM file download attempt"; flow:to_server,established; 
flowbits:isset,file.rtf; file_data; content:"0e0c9ea79f9bace118c8200aa004ba90b"; content:"68007400740070003a002f002f00"; within:50; metadata:service smtp; reference:cve,2017-0199; classtype:misc-activity; sid:42230; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE RTF url moniker COM file download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"0e0c9ea79f9bace118c8200aa004ba90b"; content:"68007400740070003a002f002f00"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0199; classtype:misc-activity; sid:42229; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE malicious javascript obfuscation detected"; flow:to_client,established; file_data; content:"tpircsbv"; content:"epyt"; within:20; content:"tpircs"; within:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:42292; rev:2;) # alert tcp $EXTERNAL_NET 10051 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Zabbix Proxy configuration containing script detected"; flow:to_client,established; content:"ZBXD|01|"; depth:5; fast_pattern; content:"scripts"; content:"fields"; distance:0; content:"scriptid"; distance:0; content:"command"; distance:0; content:"description"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2825; reference:url,talosintelligence.com/reports/TALOS-2017-0326; classtype:attempted-user; sid:42337; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Image"; content:"/FlateDecode"; within:100; content:"stream|0D 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00|"; within:200; metadata:service smtp; reference:cve,2016-1088; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:misc-activity; sid:42460; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Image"; content:"/FlateDecode"; within:100; content:"stream|0D 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1088; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:misc-activity; sid:42459; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Office with embedded EPS download attempt "; flow:to_server,established; flowbits:isset,file.docx; file_data; content:"PK|03 04|"; byte_extract:2,22,nameLen,relative,little; content:".eps"; within:nameLen; distance:2; fast_pattern; metadata:service smtp; reference:cve,2017-0262; classtype:attempted-admin; sid:42928; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Office with embedded EPS download attempt "; flow:to_client,established; flowbits:isset,file.docx; file_data; content:"PK|03 04|"; byte_extract:2,22,nameLen,relative,little; content:".eps"; within:nameLen; distance:2; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-0262; classtype:attempted-admin; sid:42927; rev:1;) # alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .top dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|top|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,en.wikipedia.org/wiki/.top; classtype:misc-activity; sid:43687; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
$HTTP_PORTS (msg:"INDICATOR-COMPROMISE possible Samsung DVR authentication bypass attempt"; flow:to_server,established; content:"/cgi-bin/"; fast_pattern:only; http_uri; content:"DATA"; http_cookie; content:"="; within:1; distance:1; http_cookie; metadata:service http; reference:cve,2013-3585; reference:cve,2013-3586; classtype:attempted-admin; sid:43576; rev:1;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Juniper vSRX Application Firewall IPv6 REJECT buffer overflow attempt"; dsize:>200; icode:1; itype:1; content:"|90 90 90 90|"; fast_pattern:only; classtype:attempted-admin; sid:43546; rev:1;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Symantec Endpoint Protection potential binary planting RCE attempt"; flow:to_client,established; file_data; flowbits:isset, file.zip; content:"PK"; content:"UxTheme.dll"; within:30; distance:30; fast_pattern; content:"PK"; content:"packlist.xml"; within:30; distance:30; nocase; metadata:service http; reference:cve,2015-1492; reference:url,symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150730_00; classtype:attempted-user; sid:43389; rev:1;) # alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Wing FTP Server potentially malicious admin user creation attempt"; flow:to_client,established; file_data; content:"form"; nocase; content:"action"; nocase; content:"/admin_addadmin.html"; within:100; fast_pattern; nocase; content:"method"; within:50; content:"post"; within:25; nocase; content:"domainlist"; nocase; content:"ipmasks"; nocase; content:"mydirectory"; nocase; metadata:service smtp; reference:url,www.wftpserver.com/serverhistory.htm; classtype:attempted-admin; sid:43385; rev:1;) # alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Wing FTP Server potentially malicious admin user creation attempt"; flow:to_client,established; file_data; 
content:"form"; nocase; content:"action"; nocase; content:"/admin_addadmin.html"; within:100; fast_pattern; nocase; content:"method"; within:50; content:"post"; within:25; nocase; content:"domainlist"; nocase; content:"ipmasks"; nocase; content:"mydirectory"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.wftpserver.com/serverhistory.htm; classtype:attempted-admin; sid:43384; rev:1;) # alert udp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt"; content:"|FF FF F0 3D 00 00|"; depth:6; offset:6; reference:url,blog.exodusintel.com/2016/09/08/firmware-updates-made-easy/; classtype:attempted-admin; sid:43126; rev:1;) # alert udp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt"; content:"|FF FF F0 3D 00 40|"; depth:6; offset:6; reference:url,blog.exodusintel.com/2016/09/08/firmware-updates-made-easy/; classtype:attempted-admin; sid:43125; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt"; flow:established, to_server; content:"|FF FF F0 3D 00 00|"; depth:6; offset:6; reference:url,blog.exodusintel.com/2016/09/08/firmware-updates-made-easy/; classtype:attempted-admin; sid:43124; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt"; flow:established, to_server; content:"|FF FF F0 3D 00 40|"; depth:6; offset:6; reference:url,blog.exodusintel.com/2016/09/08/firmware-updates-made-easy/; classtype:attempted-admin; sid:43123; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE OLE attachment with embedded PICT attempt"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; distance:0; content:"TCIP"; distance:0; metadata:service smtp; 
reference:cve,2017-8487; classtype:misc-activity; sid:43092; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1450 (msg:"INDICATOR-COMPROMISE SysAid mssql potentially malicious user permissions creation"; flow:established, to_server; content:"|00|I|00|N|00|S|00|E|00|R|00|T|00| |00|I|00|N|00|T|00|O|00| |00|i|00|l|00|i|00|e|00|n|00|t|00|.|00|d|00|b|00|o|00|.|00|s|00|y|00|s|00|a|00|i|00|d|00|_|00|u|00|s|00|e|00|r|00|_|00|p|00|e|00|r|00|m|00|i|00|s|00|s|00|i|00|o|00|n|00|s|00|"; fast_pattern:only; reference:cve,2015-3001; classtype:attempted-admin; sid:43075; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1450 (msg:"INDICATOR-COMPROMISE SysAid mssql potentially malicious new user creation attempt"; flow:established, to_server; content:"|00|I|00|N|00|S|00|E|00|R|00|T|00| |00|I|00|N|00|T|00|O|00| |00|i|00|l|00|i|00|e|00|n|00|t|00|.|00|d|00|b|00|o|00|.|00|s|00|y|00|s|00|a|00|i|00|d|00|_|00|u|00|s|00|e|00|r|00|"; fast_pattern:only; reference:cve,2015-3001; classtype:attempted-admin; sid:43074; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Trend Micro Control Manager WFINFOR cookie authentication bypass attempt"; flow:established, to_server; content:"/modTMCM"; fast_pattern:only; http_uri; content:"WFINFOR"; http_cookie; metadata:service http; reference:url,docs.trendmicro.com/all/ent/tmcm/v6.0-sp3/en-us/tmcm_6.0-sp3_readme.html; classtype:attempted-user; sid:43065; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE backwards executable download"; flow:to_client,established; file_data; content:"edom SOD ni nur eb tonnac margorp sihT"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43839; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash file contains reference to kernel32.dll"; flow:to_client,established; file_data; 
content:"|0C|kernel32.dll"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43838; rev:1;)
#
# One Snort rule per line (the line above is the tail of sid:43838, whose
# header sits on the preceding line). A leading "#" means the rule ships
# disabled; "metadata:policy <name> drop|alert" records which shipped base
# policy (balanced / security / max-detect) enables it and with what action.
# Relative modifiers (within / distance / offset / depth) are evaluated
# against the preceding content match, so option order is significant and
# must not be rearranged when editing.
#
# sid:43933 - VBScript reaching WMI: <script ... vbscript, then
# GetObject("winmgmts:...").InstancesOf, all inside file_data (plaintext body).
# NOTE(review): "vbscript" and "GetObject|28|" carry no nocase, so the common
# spelling language="VBScript" is not matched; sid:44875 below applies nocase
# to the same token. Confirm the intended case before relying on this rule.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE VBScript accessing scripting API for WMI"; flow:to_client,established; file_data; content:"<script"; content:"vbscript"; within:25; content:"GetObject|28|"; content:"winmgmts|3A|"; within:15; fast_pattern; content:".InstancesOf"; within:15; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43933; rev:1;)
#
# sid:44077 / sid:44076 - standard DNS query (byte_test: QR and opcode bits of
# the flags byte at offset 2 are clear) whose QNAME ends in the .win / .trade
# TLD label. Destination is "any 53", so queries to internal resolvers count.
# NOTE(review): unlike the rev:3 TLD rules later in this file (sid:48688 and
# siblings) these have no offset into the question section and no nocase, so
# a mixed-case QNAME (0x20 case randomisation) is not matched.
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .win dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|win|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:44077; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .trade dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|trade|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:44076; rev:2;)
#
# sid:44416 - HTTP response declaring Content-Type: image/png whose body does
# not start with the 4-byte PNG magic.
# NOTE(review): the Content-Type match is case-sensitive (no nocase), and the
# negated check fires on any non-PNG body - mislabelled JPEG/GIF/SVG, error
# pages, anything served with a stale content type. Confirm how an empty body
# (HEAD / 204 / 304) evaluates against a negated content before enabling;
# expect benign noise either way.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE png file attachment without matching file magic"; flow:established,to_client; content:"Content-Type: image/png"; http_header; file_data; content:!"|89|PNG"; depth:4; metadata:service http; classtype:misc-activity; sid:44416; rev:1;)
#
# sid:44613 / sid:44612 - VBScript downloader keyed to a single sample (see the
# VirusTotal reference): literal "SLShare" plus CreateObject / split / replace /
# shell tokens. Narrow by design; do not expect family-wide coverage.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE VBscript downloader detected"; flow:to_server,established; file_data; content:"SLShare"; fast_pattern:only; content:"CreateObject("; nocase; content:"split"; nocase; content:"replace"; within:10; nocase; content:"shell"; nocase; metadata:policy max-detect-ips drop, service smtp; reference:url,virustotal.com/#/file/83a7891731aacbe25bb5f5e2ba0c8dabed379be8c6fbc25db78c0d771a20a432/detection; classtype:trojan-activity; sid:44613; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE VBscript downloader detected"; flow:to_client,established; file_data; content:"SLShare"; fast_pattern:only; content:"CreateObject("; nocase; content:"split"; nocase; content:"replace"; within:10; nocase; content:"shell"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/83a7891731aacbe25bb5f5e2ba0c8dabed379be8c6fbc25db78c0d771a20a432/detection; classtype:trojan-activity; sid:44612; rev:1;)
#
# sid:44728 - Meterpreter stage: the symbol name
# "packet_call_completion_handlers" in a server->client stream on any port
# (no service restriction). Only a cleartext stage is visible to a content
# match; a stage delivered over TLS cannot be matched by this rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Meterpreter payload download attempt"; flow:to_client,established; content:"packet_call_completion_handlers"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; classtype:trojan-activity; sid:44728; rev:3;)
#
# sid:44808 - WebDAV MERGE request whose body carries DAV: with :merge / :href
# (CVE-2013-1896, mod_dav NULL dereference).
# NOTE(review): the pattern describes a well-formed MERGE request, not the
# crash condition, so legitimate WebDAV clients that issue MERGE will match as
# well; treat as an audit signal rather than a confirmed DoS attempt.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Apache HTTP Server possible mod_dav.c remote denial of service vulnerability attempt"; flow:to_server,established; content:":merge"; fast_pattern:only; content:"MERGE"; http_method; content:"DAV:"; content:":href"; within:100; metadata:service http; reference:bugtraq,100872; reference:cve,2013-1896; classtype:attempted-dos; sid:44808; rev:1;)
#
# sid:44875 - ENABLED (drop) in balanced: <script ... VBScript followed by two
# StrReverse/Chr pairs (string-reversal obfuscation).
# NOTE(review): the msg says "VBA" but the content is VBScript inside a
# <script> container (HTML/HTA); VBA macros do not appear as script tags, so
# the message is misleading for triage. There is no file_data, so the match
# runs against the raw stream and a Content-Encoding: gzip HTTP body is
# unlikely to be decoded for this rule (its neighbours use file_data).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Malicious VBA script detected"; flow:to_client,established; content:"<script"; nocase; content:"VBScript"; within:50; nocase; content:"StrReverse"; nocase; content:"Chr"; within:20; nocase; content:"StrReverse"; within:30; nocase; content:"Chr"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-admin; sid:44875; rev:2;)
#
# sid:44865 / sid:44864 - the Office URI scheme prefix "ms-word:ofe|u|" anywhere
# in a file body. misc-activity: presumably legitimate "open in Word" links use
# the same scheme, so confirm context before raising severity.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt"; flow:to_server,established; file_data; content:"ms-word:ofe|7C|u|7C|"; fast_pattern:only; metadata:service smtp; classtype:misc-activity; sid:44865; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt"; flow:to_client,established; file_data; content:"ms-word:ofe|7C|u|7C|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:44864; rev:1;)
#
# sid:45153 / sid:45152 - ZIP local file header whose compression-method field
# is 0x0001 (Shrink): the 4-byte PK|03 04| match ends at offset 4, distance:4
# moves to offset 8, which is the method field; |01 00| little-endian = 1.
# Any archive containing a shrunk entry matches, exploit or not
# (CVE-2017-11937 is in MsMpEng's handling of that legacy method).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt"; flow:to_server,established; file_data; content:"PK|03 04|"; content:"|01 00|"; within:2; distance:4; metadata:service smtp; reference:cve,2017-11937; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11937; classtype:attempted-admin; sid:45153; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt"; flow:to_client,established; file_data; content:"PK|03 04|"; content:"|01 00|"; within:2; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11937; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11937; classtype:attempted-admin; sid:45152; rev:1;)
#
# sid:45137 / sid:45136 - ENABLED (drop) in balanced: Metasploit PowerShell
# launcher fragments in an HTTP response body. Source is "any", so responses
# from internal web servers count too.
# NOTE(review): none of the content options carry nocase while PowerShell is
# case-insensitive; "new-object system.diagnostics.processstartinfo" or
# "New-Object net.webclient).downloadstring" would not match. sid:45136 also
# requires the body to begin with the literal "<?XML" (depth:5).
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit run hidden powershell attempt"; flow:to_client,established; file_data; content:"|5C|v1.0|5C|powershell.exe"; content:"New-Object System.Diagnostics.ProcessStartInfo"; fast_pattern:only; content:".FileName="; content:".Arguments="; content:".UseShellExecute="; content:".RedirectStandardOutput="; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; classtype:attempted-user; sid:45137; rev:3;)
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt"; flow:to_client,established; file_data; content:"<?XML"; depth:5; content:"powershell.exe"; content:"new-object Net.WebClient|29|.DownloadString"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; classtype:attempted-user; sid:45136; rev:3;)
#
# sid:45520 / sid:45519 - ENABLED (drop) in balanced: RTF \objautlink followed
# within 200 bytes by \objupdate (auto-updating linked object, CVE-2017-0199).
# Both require the file.doc or file.rtf flowbit, so they only ever fire when
# the file-identification rules that set those bits are enabled in the same
# policy - check that before assuming coverage.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt"; flow:to_server,established; file_data; flowbits:isset,file.doc|file.rtf; content:"|5C|objautlink"; content:"|5C|objupdate"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0199; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0199; classtype:attempted-user; sid:45520; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt"; flow:to_client,established; file_data; flowbits:isset,file.doc|file.rtf; content:"|5C|objautlink"; content:"|5C|objupdate"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0199; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0199; classtype:attempted-user; sid:45519; rev:2;)
#
# sid:45742 / 45741 / 45740 / 45739 - SWF (file.swf flowbit) containing the
# ASCII strings "Exploit" (45 78 70 6C 6F 69 74) or "poc" (70 6F 63) framed by
# 00 00 00 ... 00 40 00 00 00. This keys on the naming habits of public
# proof-of-concept code and is defeated by renaming the class.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash potential exploit download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00 00 00 45 78 70 6C 6F 69 74 00 40 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:45742; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash potential exploit download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00 00 00 70 6F 63 00 40 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45741; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Adobe Flash potential exploit download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|00 00 00 45 78 70 6C 6F 69 74 00 40 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45740; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Adobe Flash potential exploit download attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|00 00 00 70 6F 63 00 40 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:45739; rev:1;)
#
# sid:45916 / 45915 / 45914 - PHP source fragments in an HTTP request body
# (web-shell upload heuristics): "php" followed within 100-150 bytes by
# shell_exec, by eval + base64_decode, or by phpinfo.
# NOTE(review): nothing ties the body to a file upload (multipart) or to a
# PHP endpoint, so code pasted into a wiki, ticket, forum post or CMS editor
# matches just as well. All three ship disabled; expect noise on developer
# and CMS traffic if enabled.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE PHP shell_exec command execution attempt"; flow:to_server,established; content:"php"; nocase; http_client_body; content:"shell_exec"; within:150; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:45916; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt"; flow:to_server,established; content:"php"; nocase; http_client_body; content:"eval"; within:100; nocase; http_client_body; content:"base64_decode"; within:100; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:web-application-attack; sid:45915; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE PHP phpinfo command execution attempt"; flow:to_server,established; content:"php"; nocase; http_client_body; content:"phpinfo"; within:150; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:45914; rev:1;)
#
# sid:46381 - request to docs.google.com for /forms/d/e/.../viewform whose
# query string carries an entry.<id>= parameter with a dotted-quad value
# (pcre on the URI). The regex accepts any x.x.x.x of 1-3 digits per group,
# so version strings such as 1.2.3.4 also satisfy it; misc-activity only.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Potential data exfiltration through Google form submission"; flow:to_server,established; content:"/forms/d/e/"; depth:11; nocase; http_uri; content:"/viewform?entry."; fast_pattern; nocase; http_uri; content:"="; within:15; http_uri; content:"entry."; within:50; nocase; http_uri; content:"="; within:15; http_uri; content:"Host|3A| docs.google.com|0D 0A|"; nocase; http_header; pcre:"/entry\.\d+=\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/Ui"; metadata:service http; reference:url,attack.mitre.org/techniques/T1020; classtype:misc-activity; sid:46381; rev:2;)
#
# sid:46679 - external-IP lookup at ifconfig.co/ip with no User-Agent header
# at all (negated header match); the Host match is case-sensitive.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Request for external IP address detected"; flow:to_server,established; content:"Host: ifconfig.co"; fast_pattern:only; http_header; content:"/ip"; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; classtype:trojan-activity; sid:46679; rev:1;)
#
# sid:46664 - freegeoip.net /xml/ lookup with no Referer header. impact_flag
# red and trojan-activity come from the referenced sample, but any
# non-browser client doing a geo-IP lookup has no Referer either, so expect
# some benign hits from legitimate software.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt"; flow:to_server,established; content:"/xml/"; http_uri; content:"Host|3A| freegeoip.net"; fast_pattern:only; http_header; content:!"Referer|3A|"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file-scan/report.html?id=5d6691a4345258ce7de5002c322be83a3c0c94cffdfd1309ccc0bf593616f31e; classtype:trojan-activity; sid:46664; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt"; flow:to_server,established; content:"/geoip"; http_uri; content:"Host|3A| www.telize.com"; fast_pattern:only; http_header; content:!"Referer|3A|"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file-scan/report.html?id=5d6691a4345258ce7de5002c322be83a3c0c94cffdfd1309ccc0bf593616f31e; classtype:trojan-activity; sid:46663; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt"; flow:to_server,established; content:"WS1/cgi/x.cgi"; fast_pattern:only; http_uri; content:"NAVG="; http_uri; content:"username=dudxwd"; http_uri; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:url,www.virustotal.com/en/file/9b504da9e77ec067b0577b557443f76e84717cb00455ce39138eeaf344f3d2e3/analysis/; classtype:trojan-activity; sid:46641; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt"; flow:to_server,established; content:"/Arts/"; http_uri; content:"inf22.css"; within:50; http_uri; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:url,www.virustotal.com/en/file/9b504da9e77ec067b0577b557443f76e84717cb00455ce39138eeaf344f3d2e3/analysis/; classtype:trojan-activity; sid:46640; rev:2;) # alert udp $EXTERNAL_NET 53 -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Possible Samba internal DNS forged response"; flow:to_server; content:"|81 20 00 01 00 00 00 00 00 00|"; depth:10; offset:2; reference:cve,2014-0239; classtype:denial-of-service; sid:46848; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|8B 14 24|"; content:"|8D|"; 
within:15; content:"|24 08|"; within:2; distance:1; content:"|89|"; within:15; content:"|89|"; within:15; content:"|8B|"; within:15; content:"|48 CF|"; within:2; distance:1; metadata:service smtp; reference:cve,2018-8897; classtype:attempted-user; sid:46910; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|8B 14 24|"; content:"|8D|"; within:15; content:"|24 08|"; within:2; distance:1; content:"|89|"; within:15; content:"|89|"; within:15; content:"|8B|"; within:15; content:"|48 CF|"; within:2; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; classtype:attempted-user; sid:46909; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|0F 22|"; content:"|FB|"; within:30; content:"|0F 22|"; within:30; content:"|48 CF|"; within:30; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; classtype:attempted-user; sid:46908; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|0F 22|"; content:"|FB|"; within:30; content:"|0F 22|"; within:30; content:"|48 CF|"; within:30; metadata:service smtp; reference:cve,2018-8897; classtype:attempted-user; sid:46907; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|A0 01|"; content:"|05 00 BF 00|"; within:50; content:"|10 00 10 
00|"; within:50; metadata:service smtp; reference:cve,2018-8897; classtype:attempted-user; sid:46906; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|A0 01|"; content:"|05 00 BF 00|"; within:50; content:"|10 00 10 00|"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; classtype:attempted-user; sid:46905; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|FF 15|"; content:"|FF 15|"; within:50; content:"|FF 15|"; within:50; content:"|83|"; within:50; content:"|08|"; within:2; distance:1; content:"|81|"; within:30; content:"|83 E0 F0|"; within:100; metadata:service smtp; reference:cve,2018-8897; classtype:attempted-user; sid:46904; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 15|"; content:"|FF 15|"; within:50; content:"|FF 15|"; within:50; content:"|83|"; within:50; content:"|08|"; within:2; distance:1; content:"|81|"; within:30; content:"|83 E0 F0|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-8897; classtype:attempted-user; sid:46903; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1099 (msg:"INDICATOR-COMPROMISE Java ysoserial payload deserialization exploit attempt"; flow:to_server,established; content:"ysoserial"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service java_rmi; reference:cve,2017-11284; classtype:attempted-user; sid:46937; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET 
any (msg:"INDICATOR-COMPROMISE dynamic Excel web query file download attempt"; flow:to_client,established; file_data; content:"WEB|0D 0A|1"; depth:6; content:"http"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/a0b80b57879ef437709bae7e2896efb7be9bd57291e64bc58d7cd13bd1de9f27/analysis; classtype:attempted-admin; sid:46932; rev:1;)
#
# The line above is the tail of sid:46932 (its header is on the preceding
# line). sid:46932 / sid:46931 - Excel web query (.iqy) file: the body starts
# with "WEB\r\n1" and an "http" URL appears within the next 25 bytes. Every
# .iqy that points at a web URL matches, not only malicious ones; the
# attempted-admin classtype reflects the file type, not a malformed file.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE dynamic Excel web query file download attempt"; flow:to_server,established; file_data; content:"WEB|0D 0A|1"; depth:6; content:"http"; within:25; nocase; metadata:service smtp; reference:url,virustotal.com/en/file/a0b80b57879ef437709bae7e2896efb7be9bd57291e64bc58d7cd13bd1de9f27/analysis; classtype:attempted-admin; sid:46931; rev:1;)
#
# sid:46983 - cmd.exe banner leaving $HOME_NET: "Microsoft Windows" in the
# first 18 bytes of a payload and "Microsoft Corp" within the next 250, from
# any internal source port except 21-23. flow:established carries no
# direction, so either side of the session can produce the match.
# NOTE(review): the port exclusion is on the internal host's port, so a bind
# shell listening on 21, 22 or 23 on that host is exempt; an encrypted shell
# is never visible to this rule. successful-admin: treat as a live shell.
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; depth:18; content:"Microsoft Corp"; within:250; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,11633; classtype:successful-admin; sid:46983; rev:1;)
#
# sid:46980 / sid:46979 - HEAD (46980) or OPTIONS (46979) probe carrying the
# "Microsoft Office ... Discovery" User-Agent to a Host value of at most 12
# bytes (CRLF within 14 bytes of "Host: ") with a URI shorter than 10 bytes
# and no Accept / Referer / Cookie headers (46980 also excludes Content-*).
# This is the shape of a shortened link being resolved by Office.
# NOTE(review): a user clicking a benign short link inside a document
# presumably produces the same probe - confirm before escalating; both ship
# disabled and are misc-activity / audit only.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"HEAD"; http_method; content:"User-Agent: Microsoft Office "; http_header; content:"Discovery|0D 0A|"; within:25; http_header; content:!"Accept"; http_header; content:!"Content-"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; reference:url,virustotal.com/en/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/analysis/; classtype:misc-activity; sid:46980; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"OPTIONS"; http_method; content:"User-Agent: Microsoft Office "; http_header; content:"Discovery|0D 0A|"; within:25; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http; reference:url,virustotal.com/en/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/analysis/; classtype:misc-activity; sid:46979; rev:1;)
#
# sid:47002 / sid:47001 - SettingContent-ms XML (CVE-2018-8414): <DeepLink>
# followed, in order, by </ApplicationInformation and </PCSettings>, all
# case-insensitive.
# NOTE(review): sid:47001 is the $SMTP_SERVERS variant but its metadata lists
# ftp-data / imap / pop3 alongside smtp, unlike every other SMTP-port rule in
# this section, which lists service smtp only. Harmless for matching but
# looks like copy-through; worth normalising so service-based policy
# selection behaves the same as for its siblings.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_client,established; file_data; content:"<DeepLink>"; nocase; content:"</ApplicationInformation"; distance:0; nocase; content:"</PCSettings>"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47002; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_server,established; file_data; content:"<DeepLink>"; nocase; content:"</ApplicationInformation"; distance:0; nocase; content:"</PCSettings>"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service imap, service pop3, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47001; rev:4;)
#
# sid:47000 (continues on the next line) - RTF \objdata carrying the
# hex-encoded SettingContent-ms tags.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; 
content:"3c504353657474696e67733e"; distance:0; content:"3c4170706c69636174696f6e496e666f726d6174696f6e3e"; distance:0; content:"3c446565704c696e6b3e"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47000; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objdata"; content:"3c504353657474696e67733e"; distance:0; content:"3c4170706c69636174696f6e496e666f726d6174696f6e3e"; distance:0; content:"3c446565704c696e6b3e"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:46999; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Request for external IP address detected"; flow:to_server,established; content:"Host: ipecho.net"; fast_pattern:only; http_header; content:"/plain"; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a036279e3c27f0e716b8fa4b5c7378805b9788c7ce3f4eada9367a4f0738967f/detection; classtype:policy-violation; sid:47024; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 4840 (msg:"INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt"; flow:to_server,established; content:"|01 00 C8 02|"; content:"SYSTEM"; distance:0; content:"AGENT.OPCUA.METHODS.setUserPassword"; distance:0; reference:url,atvise.com/en/products-solutions/atvise-scada; classtype:attempted-admin; sid:47044; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 4840 (msg:"INDICATOR-COMPROMISE Atvise SCADA user enumeration 
attempt"; flow:to_server,established; content:"|01 00 0F 02|"; content:"SYSTEM.SECURITY.USERS"; distance:0; reference:url,atvise.com/en/products-solutions/atvise-scada; classtype:attempted-recon; sid:47043; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Filespec"; within:75; content:"/F"; within:75; content:"SettingContent-ms"; within:150; nocase; pcre:"/\x2fF[^>]+?SettingContent-ms/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47654; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_server,established; file_data; content:"|21 4A 6B B9 B2 3D 76 D5 D8 79 DB 08 48 65 41 1F 9E 25 13 4E CB C2 A4 F5 95 ED 54 66 B8 22 75 FE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47653; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Filespec"; within:75; content:"/F"; within:75; content:"SettingContent-ms"; within:150; nocase; pcre:"/\x2fF[^>]+?SettingContent-ms/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; 
classtype:attempted-user; sid:47652; rev:1;)
#
# The line above is the tail of sid:47652 (header on the preceding line).
#
# sid:47651 - ENABLED (drop) in balanced: SettingContent-ms delivery matched
# by a fixed 32-byte sequence with no textual meaning.
# NOTE(review): the rule records no provenance for these bytes beyond the CVE
# reference; sid:47653 (SMTP side, previous line) carries the same sequence.
# Confirm what artifact they come from before tuning or retiring either rule.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SettingContent-ms file type download attempt"; flow:to_client,established; file_data; content:"|21 4A 6B B9 B2 3D 76 D5 D8 79 DB 08 48 65 41 1F 9E 25 13 4E CB C2 A4 F5 95 ED 54 66 B8 22 75 FE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8414; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414; classtype:attempted-user; sid:47651; rev:1;)
#
# sid:47400 / 47399 / 47398 - cleartext shell banners: the payload of any IP
# packet from $HOME_NET must BEGIN with "Windows PowerShell",
# "Microsoft Windows XP [Version" or "Microsoft Windows [Version" (depth
# equals the pattern length, so the banner must sit at offset 0). There is no
# flow keyword, so unestablished TCP and non-TCP traffic are inspected too;
# a banner preceded by any other output is not matched. Ship disabled;
# max-detect drops.
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt"; content:"Windows PowerShell"; depth:18; metadata:policy max-detect-ips drop; reference:url,attack.mitre.org/techniques/T1086; reference:url,attack.mitre.org/wiki/Technique/T1059; classtype:attempted-user; sid:47400; rev:2;)
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt"; content:"Microsoft Windows XP [Version"; depth:29; metadata:policy max-detect-ips drop; reference:url,attack.mitre.org/wiki/Technique/T1059; classtype:attempted-user; sid:47399; rev:1;)
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt"; content:"Microsoft Windows [Version"; depth:26; metadata:policy max-detect-ips drop; reference:url,attack.mitre.org/wiki/Technique/T1059; classtype:attempted-user; sid:47398; rev:1;)
#
# sid:48439 - ip138.com/ic.asp external-IP lookup with no User-Agent header.
# NOTE(review): same family as sid:46679 (ifconfig.co) and sid:47024
# (ipecho.net), but the three disagree on classtype - trojan-activity here and
# for 46679, policy-violation for 47024. Pick one so alert priority is
# consistent across the family.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Request for external IP address/location detected"; flow:to_server,established; content:"Host: ip138.com"; fast_pattern:only; http_header; content:"/ic.asp"; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; classtype:trojan-activity; sid:48439; rev:1;)
#
# sid:48575 - outbound request for /jquery.js where exactly 7 bytes after
# "Host:" (the space plus a 6-byte prefix) are followed by "wp.org"
# (distance:7 / within:6), i.e. a single 12-byte host value ending in wp.org.
# A prefix of any other length, or a longer subdomain chain, does not match.
# sid:48574 - the server side: a <script src=...wp.org/jquery.js> reference in
# a page body (file_data, case-insensitive on the URL token).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE malicious jquery.js load attempt"; flow:to_server,established; content:"/jquery.js"; http_uri; content:"Host|3A|"; http_header; content:"wp.org"; within:6; distance:7; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,labs.sucuri.net/?note=2018-10-30; classtype:attempted-user; sid:48575; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE malicious jquery.js load attempt"; flow:to_client,established; file_data; content:"script"; content:"src"; within:75; content:"wp.org/jquery.js"; within:100; fast_pattern; nocase; metadata:policy max-detect-ips drop, policy security-ips drop; service http; reference:url,labs.sucuri.net/?note=2018-10-30; classtype:attempted-user; sid:48574; rev:1;)
#
# sid:39362 - "User-Agent: " immediately followed by CRLF in the request
# headers.
# NOTE(review): a header written as "User-Agent:\r\n" (no space) or with more
# than one space before the CRLF is not matched unless header normalisation
# collapses the whitespace - confirm against the http_inspect configuration.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE User-Agent blank user-agent string"; flow:to_server,established; content:"User-Agent: |0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/63dc515aa44a48a31191b8f905b40ce8883bc864d4784a0bf84edf102ddffaf3/analysis/; classtype:misc-activity; sid:39362; rev:6;)
#
# sid:48688 / 48687 (and the .lib / .emc / .coin / .bazar siblings that follow)
# - standard DNS query (QR and opcode bits clear in the flags byte: offset 2
# over UDP, offset 4 over TCP where a 2-byte length prefix precedes the
# header) whose name ends in the given TLD label, matched case-insensitively
# from offset 11 / 13. The DNS header is 12 bytes, so the search starts one
# byte before the question section; harmless for the match. Unlike the
# rev:2 .win/.trade rules earlier in this section these use nocase and
# restrict the destination to $EXTERNAL_NET.
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .fur dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|fur|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48688; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .fur tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|fur|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48687; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .lib dns query"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|lib|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48686; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .lib tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|lib|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48685; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .emc dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|emc|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48684; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .emc tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|emc|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48683; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .coin dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|coin|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48682; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .coin tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|coin|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48681; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .bazar dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|bazar|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; 
classtype:misc-activity; sid:48680; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .bazar tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|05|bazar|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48679; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .free dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|free|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48678; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .free tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|free|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48677; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .pirate dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|pirate|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48676; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .pirate tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|06|pirate|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48675; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .parody dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|parody|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48674; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 
(msg:"INDICATOR-COMPROMISE suspicious .parody tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|06|parody|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48673; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz dns A query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|oz|00 00 01 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48672; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz tcp dns A query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|02|oz|00 00 01 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48671; rev:4;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oss dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|oss|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48670; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oss tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|oss|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48669; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o dns A query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|00 00 01 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48668; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o tcp dns A query"; flow:to_server,established; 
byte_test:1,!&,0xF8,4; content:"|01|o|00 00 01 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48667; rev:4;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .null dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|null|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48666; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .null tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|null|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48665; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .neo dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|neo|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48664; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .neo tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|neo|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48663; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .libre dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|libre|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48662; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .libre tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|05|libre|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy 
security-ips drop, service dns; classtype:misc-activity; sid:48661; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .indy dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|indy|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48660; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .indy tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|indy|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48659; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .gopher dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gopher|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48658; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .gopher tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|06|gopher|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48657; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .geek dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|geek|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48656; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .geek tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|geek|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48655; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 
53 (msg:"INDICATOR-COMPROMISE suspicious .dyn dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dyn|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48654; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .dyn tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|dyn|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48653; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .cyb dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cyb|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48652; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .cyb tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|cyb|00|"; offset:13; fast_pattern; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48651; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .chan dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|chan|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48650; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .chan tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|chan|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48649; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .bbs dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bbs|00|"; 
offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48648; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .bbs tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|bbs|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48647; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .glue tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|04|glue|00|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48714; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .glue dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|glue|00|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48713; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz dns TXT query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|oz|00 00 10 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48836; rev:1;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz dns AAAA query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|oz|00 00 1C 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48835; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|02|oz|00 00 10 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service 
dns; classtype:misc-activity; sid:48834; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|02|oz|00 00 1C 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48833; rev:1;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o dns TXT query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|00 00 10 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48832; rev:1;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o dns AAAA query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|00 00 1C 00 01|"; offset:11; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48831; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o tcp dns TXT query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|01|o|00 00 10 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48830; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|01|o|00 00 1C 00 01|"; offset:13; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; classtype:misc-activity; sid:48829; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt"; flow:to_client,established; content:"class Archive_Tar"; fast_pattern; content:"$_temp_tarname"; distance:1; content:"new Phar"; content:"new Archive_Tar"; content:"->"; content:"_temp_tarname"; within:14; 
metadata:policy max-detect-ips drop, service http; reference:cve,2018-1000888; reference:url,www.exploit-db.com/exploits/46108; classtype:web-application-attack; sid:49185; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt"; flow:to_client,established; file_data; content:"require"; content:"'Archive/Tar.php'"; within:25; distance:1; content:"new Archive_Tar"; fast_pattern:only; content:"extract()"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-1000888; reference:url,www.exploit-db.com/exploits/46108; classtype:web-application-attack; sid:49184; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"NtTraceControl"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:misc-activity; sid:49164; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"NtTraceControl"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:49163; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE avi file without matching file magic"; flow:to_server,established; content:"Content-Type: video/x-msvideo"; file_data; content:!"RIFF"; depth:4; content:!"AVI|20|"; depth:4; offset:7; metadata:service smtp; classtype:misc-activity; sid:49288; rev:1;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE avi file without matching file magic"; flow:to_client,established; content:"Content-Type: video/x-msvideo"; http_header; file_data; content:!"RIFF"; depth:4; content:!"AVI|20|"; depth:4; offset:7; 
metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:49287; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"INDICATOR-COMPROMISE Windows SMBv2 information disclosure attempt"; flow:to_server,established; content:"|FE|SMB"; depth:8; offset:4; content:"|01 06|"; within:2; distance:62; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2019-0703; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0703; classtype:attempted-recon; sid:49367; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"INDICATOR-COMPROMISE Windows SMBv1 information disclosure attempt"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; content:"|07 00|"; within:2; distance:52; content:"|EE 03|"; distance:2; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2019-0703; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0703; classtype:attempted-recon; sid:49366; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt"; flow:to_client,established; file_data; content:"Programm,BEGIN,"; content:".exe"; distance:0; content:"Programm,END,"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.autobase.biz; classtype:attempted-user; sid:49556; rev:1;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt"; flow:to_server,established; file_data; content:"Programm,BEGIN,"; content:".exe"; distance:0; content:"Programm,END,"; distance:0; metadata:service smtp; reference:url,www.autobase.biz; classtype:attempted-user; sid:49555; rev:1;) alert tcp any $FILE_DATA_PORTS -> any any (msg:"INDICATOR-COMPROMISE Responder poisoner download attempt"; flow:to_client,established; file_data; 
content:"#|21|/usr/bin/env python|0A|# This file is part of Responder"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1187/; classtype:misc-attack; sid:49532; rev:1;) alert tcp any any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Responder poisoner download attempt"; flow:to_server,established; file_data; content:"#|21|/usr/bin/env python|0A|# This file is part of Responder"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1187/; classtype:misc-attack; sid:49531; rev:1;) alert tcp any any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Responder poisoner download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"poisoners.NBTNS"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1187/; classtype:misc-attack; sid:49530; rev:1;) alert tcp any $FILE_DATA_PORTS -> any any (msg:"INDICATOR-COMPROMISE Responder poisoner download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"poisoners.NBTNS"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1187/; classtype:misc-attack; sid:49529; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Script execution from TOR attempt"; flow:to_client,established; file_data; content:"wget"; content:"--no-check-certificate"; within:50; content:"-qU-"; within:60; distance:-40; content:"curl -fsSLkA-"; pcre:"/.+\.(tor2web\.(io|fyi|me)|onion\.(nz|pet|sh|si|to|ws|in\.net))/R"; metadata:policy 
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/e6d1b5e5f6e1536fe619bec30caa1ac75aa008a05f5ecdb31960a1eb8c53731a; classtype:attempted-admin; sid:49671; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE php web shell upload attempt"; flow:to_server,established; content:"php $action = $_GET[|27|"; http_uri; content:"|27|]|3B|system($action)|3B|"; within:40; fast_pattern; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:49657; rev:1;)